
New internet scam targets Windows Live

Cape Town - Criminals are engaged in a new scam where they exploit your Windows Live ID to steal personal information.

According to security firm Kaspersky Lab, cyber criminals use spam to send out warnings that your Windows Live ID account has been hacked. These accounts are widely used to access services like Outlook, Xbox Live and OneDrive, among others.

But this new scam has an interesting twist. Instead of the email link going to a phishing site as is normally expected, users are directed to the authentic Windows Live website.

"Having followed the link in the email and successfully authorised the account on the official live.com site, users received a curious prompt from the service: An application requested permission to automatically log into the account, view the profile information and contact list and access a list of the users' personal and work e-mail addresses. Scammers gained access to this technique through security flaws in the open protocol for authorisation, OAuth," Kaspersky said.

Using the provided personal information, criminals gain access to user friend lists and are able to launch targeted attacks, also known as spear phishing.
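Because the e-mailed link points at the genuine login host, a domain check alone will pass it; what identifies the consent request is its OAuth parameters. The following is an added example, not code from Kaspersky or News24, showing one way a mail filter could triage such links. The host list, client IDs, scope names and sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the article): provider host, approved client IDs and
# the scope names that expose profile, contact list and e-mail addresses.
AUTH_HOSTS = {"login.live.com"}
APPROVED_CLIENTS = {"0000000011111111"}  # constructed value
SENSITIVE_SCOPES = {"wl.basic", "wl.emails", "wl.contacts_emails"}

# Constructed sample link of the kind described: genuine host, third-party app.
SAMPLE = ("https://login.live.com/oauth20_authorize.srf?client_id=00000000DEADBEEF"
          "&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails"
          "&response_type=token&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb")


def triage_link(url):
    """Return findings if url is an OAuth authorization request, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in AUTH_HOSTS:
        return None  # not a consent request on a known provider host
    q = parse_qs(parts.query)
    if "client_id" not in q or "response_type" not in q:
        return None  # ordinary login page, no third-party app involved
    client = q["client_id"][0]
    scopes = set(q.get("scope", [""])[0].replace(",", " ").split())
    return {
        "client_id": client,
        "approved_client": client in APPROVED_CLIENTS,
        "sensitive_scopes": sorted(scopes & SENSITIVE_SCOPES),
        # Where the provider sends the user (and the grant) after consent.
        "redirect_host": urlsplit(q.get("redirect_uri", [""])[0]).hostname,
        # response_type=token returns the access token in the URL fragment.
        "token_in_fragment": q["response_type"][0] == "token",
    }


def is_suspicious(findings):
    """Flag unapproved apps asking for profile, contact or e-mail data."""
    return (findings is not None and not findings["approved_client"]
            and bool(findings["sensitive_scopes"]))


if __name__ == "__main__":
    result = triage_link(SAMPLE)
    print(result, is_suspicious(result))
```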

Fraud risk

While the flaw in OAuth isn't new, it was likely the first time that it was exploited in this fashion, said Kaspersky, which is headquartered in Russia.

"We've known about security flaws in the OAuth protocol for quite a while: In early 2014, a student from Singapore described possible ways of stealing user data after authentication. However, this is the first time we have come across fraudsters using a phishing email to put these techniques into practice," said Andrey Kostin, senior Web Content analyst at Kaspersky Lab.

Once a Windows Live user has handed over their details, it is a simple matter for hackers to gain a relatively accurate picture of people. This information will not only be used to fool friends and family, but also to commit financial fraud.

"A scammer can use the information intercepted to create a detailed image of users, including information on what they do, who they meet and who their friends are. This profile can then be used for criminal purposes," said Kostin.

If this scam takes off, it could potentially hurt millions of internet users.

According to Microsoft there are at least 400 million active Outlook.com accounts alone.

Windows Live users should not click on links provided via email or give dodgy applications rights to their user information, and should understand and review policies on internet-connected services, said Kaspersky.


- Follow Duncan on Twitter
