Unscrupulous players on the Microsoft Xbox Live system were able to gain access to other players' accounts. The gamers reportedly used pretexting and other forms of social engineering to trick customer service staffers into revealing private information. Microsoft downplayed the attacks, saying they were isolated incidents.
Ill-willed players on the Microsoft (Nasdaq: MSFT) Xbox Live system managed to gain access to other players' accounts by using pretexting and other forms of social engineering to trick customer service staffers into revealing private information.
By making numerous calls to the Xbox Live customer support center, the miscreants were able to have new passwords assigned to accounts that weren't their own. They could then either act inappropriately to have the account disabled or use the victim's acquired Xbox points to possibly download games, movies and other content.
While this might not be considered by some to be "hacking" in the most common definition, one of the victims of the actions, Kevin Finisterre -- a security researcher with Digitalmunition and a skilled hacker himself -- said the results are the same: unauthorized access that harms the innocent.
Hacking the Humans
"I would call social engineering a form of hacking," Finisterre told TechNewsWorld. "If I'm able to call into your staff and get them to divulge information ... that's hacking to me. It's a category within hacking."
Finisterre is one of a number of Xbox Live users who contend they were victimized by other players who somehow managed to get access to their accounts, resulting in account hijacking and theft. Microsoft, through spokesperson Patrick Wallace, released a statement downplaying the situation.
"Despite some recent reports and speculation, we want to reassure all of our 6 million Xbox Live members that we have looked into the situation and found no evidence of any compromise of Bungie.net or our LIVE network," said the statement provided to TechNewsWorld by Wallace. "There have been a few isolated incidents where malicious users have been attempting to draw personal information from unsuspecting users and use it to gain access to their LIVE account."
Practice What It Preaches
While the statement mentioned "unsuspecting users," Finisterre and others believe Microsoft's unsuspecting customer service staffers are also being targeted and, it seems, getting fooled.
"It's hard to tell exactly what's going on," Steven Davis, CEO of SecurePlay and author of the game security blog Playnoevil.com, told TechNewsWorld.
"The most likely thing happening is it's social engineering against the customer service staff at Microsoft. People try to be helpful when someone calls and says they lost their password. They want to help. It probably has nothing to do with Xbox Live, but it's taking advantage of people's good nature."
While Davis said Microsoft "does a lot better on security in games than anybody else," he added that persistence often pays for the bad guys, especially if a customer service staff is new and inexperienced.
"Xbox Live has been growing like mad," said Davis. "They now have 6 million members, which means their staff has been growing and they've got a lot of customer service people. People can make mistakes. ... It just happens."
Persistence Pays
A common social engineering technique is to call the customer service center repeatedly, said Finisterre. Each call is another opportunity to trick the help desk into accidentally divulging another piece of supposedly private information. "It's repeatedly calling in and using the little information you've got to further escalate," he continued. "You document everything you can find" so that with each successive call you become more convincing.
Proof that this is the ploy being used against Xbox Live was found on the Web site of one group that takes pride in hijacking the accounts of other players with whom its members have disputes, Finisterre claimed.
Under the headline "How to Steal Xbox Live Accounts," the group said "Now you may be wondering how we get your information. It's easy. You call 18004myxbox, pretend to be that person, make up a little story about how your little brother put in the information on the account and it was all fake ... you might get one little bit of information per call but then you keep calling and keep calling ..."
More by Fred J. Aun