Windows Live ID used as bait to steal personal info

Users have been asked not to click on any unknown links.

By CBR Staff Writer

Hackers have reportedly come up with a new scam that sees Windows Live ID being used as a trap to get personal information from services like Hotmail, Outlook, MSN, Messenger, Xbox LIVE, and Zune.

Hackers are sending warnings to users saying that unsolicited emails are being distributed through their Windows Live ID accounts, which could lead to their accounts being blocked.

Users are then advised to click on a link to prevent their Windows Live ID from being blocked.

The link redirects users to a fake Windows Live page where they are asked to update their details to fulfill the service’s new security requirements.

However, security experts from Kaspersky Lab found out that the link from the scam email redirected to the original Windows Live website.

Users received a curious prompt from Windows Live service after they authorised their account on the original site.

The prompt asks permission to automatically log into the account, and view profile information, personal and work email addresses and contact list of users.


Hackers reportedly exploited a security flaw in OAuth, the open protocol for authorisation, to carry out this technique.

Hackers might not get access to users' login and password credentials, but they can get access to contacts, nicknames and real names of users, along with lists of appointments and important events.

Kaspersky has asked users to avoid clicking on any suspicious links received through email or in private messages.

The security company has also asked users to avoid giving unknown applications access to personal data, and to keep their antivirus software up to date.

Kaspersky Lab senior web content analyst Andrey Kostin said: "We’ve known about security flaws in the OAuth protocol for quite a while: in early 2014, a student from Singapore described possible ways of stealing user data after authentication.

"A scammer can use the information intercepted to create a detailed image of users, including information on what they do, who they meet and who their friends are, etc. This profile can then be used for criminal purposes."
