This week: a lil teaser about Blockchain and how your Skype account got hacked

[Screenshot: Skype spam messages]

Blockchain is growing in importance with every passing day. This is why I plan dedicated posts for it, not mixed with the rest of my areas of interest. The series of posts I am preparing will follow a simple pattern:


  • The history of Blockchain and brief description of the technology
  • Application of Blockchain with financial services in focus
  • Overview of Blockchain projects, startups and ideas

Once I finally get the time to condense all the info I have collected into the planned brief blog posts, you will hear from me. But I do believe this will happen in the next 2 weeks.

Now about Skype. A few weeks ago I woke up late on a Sunday morning to find out that my Skype account had been sending spam messages to my contact list. That kinda hurt my feelings, as I tend to have decent security in place and until then used to LOL at all the Skype accounts that sent me these messages.

It took me about 2 days to ping all my friends, colleagues and business contacts not to click these links (the screenshot above is real, unfortunately). Not surprisingly, I also changed my password, but I promised myself to do some research.

There are several ways the hackers could have got hold of my password: a brute force attack, getting the answer to my secret question, or Microsoft leaking my password (Skype was acquired by MS). My password was a strong one (as usual), and so was my secret question. My research showed that other users had passwords of 15 characters and above, with special characters, and still got hacked. And after changing their password, some of them got hacked again.

The anatomy of the hacking activity was well described in 2015. The hacker searches for an account with a weak password, breaks the password and starts sending messages to all contacts of that account. The messages contain a seemingly legitimate link, e.g. a Baidu link; when it is clicked, the URL leads to the hacker's site, which records the username of the user that clicked and then forwards them to another site, e.g. a diet site. Thus the attacker knows that a Skype ID is valid and in use (so it makes sense to break in and spam further). More than a year later, Microsoft has still not taken sufficient action to prevent this from happening, and this is all that Skype offers on the topic.

In case you have a Microsoft account, things do not stop here. Apparently, after the acquisition, all Skype logins were merged into Microsoft's own login system. This allows hackers to log into an MS account with weak (or hacked) Skype credentials, even bypassing two-factor authentication that was enabled and configured for the original MS account. Big thanks to Jukka-Pekka for summing it all up. And go check your MS account, you might have a ticking bomb there.

Bottom line, the hack still works even one year after it was reported. A hacked account can send thousands of identical spam messages without the message being automatically blocked or flagged. All this is happening at the end of 2016!
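As an added example (not from the post or from Skype), here is the kind of server-side check the paragraph above says is missing: flag an account that pushes the same URL to many distinct contacts inside a short time window, while leaving normal link sharing alone. The message log, account names and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")

def flag_link_bursts(messages, min_recipients=20, window=timedelta(minutes=10)):
    """Return {sender: url} for senders that deliver the same URL to at least
    min_recipients distinct contacts inside one sliding time window.
    messages: iterable of dicts with keys ts (datetime), sender, recipient, text."""
    hits = defaultdict(list)  # (sender, url) -> [(ts, recipient), ...]
    for m in messages:
        for url in URL_RE.findall(m["text"]):
            hits[(m["sender"], url)].append((m["ts"], m["recipient"]))
    flagged = {}
    for (sender, url), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {r for _, r in events[start:end + 1]}
            if len(distinct) >= min_recipients:
                flagged[sender] = url
                break
    return flagged

def constructed_sample():
    """Constructed log (hypothetical accounts): one hijacked account blasting
    the same link to 25 contacts in two minutes, plus traffic that must pass."""
    t0 = datetime(2016, 12, 4, 9, 0)
    msgs = [
        {"ts": t0 + timedelta(seconds=5 * i), "sender": "hijacked.user",
         "recipient": f"contact{i}", "text": "http://spam.example/diet lol"}
        for i in range(25)
    ]
    # legitimate user sharing one link with three colleagues over a few minutes
    msgs += [
        {"ts": t0 + timedelta(minutes=i), "sender": "normal.user",
         "recipient": f"colleague{i}", "text": "see http://docs.example/report"}
        for i in range(3)
    ]
    # same link repeated many times to ONE person: chatty, not a contact-list blast
    msgs += [
        {"ts": t0 + timedelta(seconds=i), "sender": "chatty.user",
         "recipient": "friend", "text": "http://docs.example/report again"}
        for i in range(30)
    ]
    return msgs
```

Counting distinct recipients rather than raw message volume is what separates the contact-list blast from a user who simply repeats a link in one conversation.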

It is still unclear how long, seemingly secure passwords have been repeatedly compromised. Looking forward to somebody finding the missing link, e.g. whether our Skype passwords were leaked.

2 thoughts on “This week: a lil teaser about Blockchain and how your Skype account got hacked”

  1. Hristo,

    In my humble opinion, your analysis of what happened with Skype is not completely correct. You forgot to say what actually happens. The Skype problem doesn’t compromise your password; it’s instead a Skype vulnerability that allows some code to be executed on your Skype client on receiving a message from somebody else.

    It looks like if you receive a link through chat, Skype tries to open it in a “safe” way to get some information regarding that link. It seems that somebody was able to put some code to be executed by the Skype client (basically it’s how viruses work) during that “link pre-analysis” made by Skype itself.

    So:

    – nobody knows your password
    – MS account is safe
    – this “hack” is actually a skype vulnerability.

    Hope that helps.

  2. Hi Andrea, it seems like this is a common issue, but all reports I found tend to link it to a general account issue rather than a Skype vulnerability. It would be far from normal if it was not fixed for more than a year, no?

    By the way did you have the same issue?
