Xbox Live users victims of massive phishing scam

By Lee Kaelin on November 23, 2011, 9:30 AM

Gamers using Microsoft's Xbox Live service have become the latest target of online phishing attacks as news spreads like wildfire about fraudulent transactions appearing on the credit card statements of its users.

Microsoft was very quick to declare, in a statement on Facebook, that its gaming platform had not been hacked: "Xbox Live has not been hacked. Microsoft can confirm that there has been no breach to the security of our Xbox Live service."

It appears that the ever-increasing number of affected users, now spanning 35 countries, have been the victims of sophisticated online phishing attacks. Those using the service have been discovering payments, sometimes spanning months, in their credit card statements.

Those responsible for the theft have apparently been taking small amounts of money from users' accounts for several weeks, making the attack hard to detect. The fraud involved sending emails to Xbox Live users, directing them to sophisticated but fake websites offering free Microsoft Points incentives. Once users had registered on the fake websites, the scammers had all the personal information they needed to proceed.

In nearly all the cases, the purchases are for Microsoft Points, the currency the software giant uses to allow customers to download additional content, games and in-game objects. These appear to have been used to buy downloadable content from EA Sports, specifically Ultimate Team Packs for its FIFA 12, Madden and NBA titles, which can be traded between players for real money without EA or Microsoft recording the transaction.

According to the Sun newspaper, a Microsoft representative has said they'll offer refunds to anyone who can prove they have not handed over their password. That is a nice gesture, but exactly how a person proves they did not provide a password when their account is already compromised is uncertain.

This incident follows the recent breach of Valve's Steam user forum that resulted in user information being stolen, and the devastating attacks on Sony's PSN network in April that forced the Xbox competitor's gaming service to be taken offline for several weeks.




User Comments: 9

amstech, TechSpot Enthusiast, said:

It's straight-up articles like this that keep me coming back to this site.

Excellent work Lee and well put, thanks for posting.

H3llion, TechSpot Paladin, said:

How can someone fall for a scam, sure some look very LEGIT but after all, they aren't ...

Burty117, TechSpot Chancellor, said:

I've always thought to myself "how can someone fall for this?" but last night I had a bit of a falling out with a house mate, I transferred a secondary BT line that was in my name to his and I got to see him type out his passwords for his BT account and his Bank account, it is "qwerty". He also uses this on his Xbox and he also plays MW3 like it is actually something new. Somehow, after seeing this display of complete disregard for security and lack of intelligence, I'm really not surprised. Although it does fascinate me that someone who is prepared to spend £40 a month on an internet connection, £800 on a Sony Vaio laptop and god knows how much on his Xbox and has no idea how any of it works and what security to put in place? Hell he doesn't even have an anti-virus! Glad he's off my network...

Leeky said:

It's straight-up articles like this that keep me coming back to this site.

Excellent work Lee and well put, thanks for posting.

Thank you Amstech, your comments are appreciated.

Guest said:

What the hell?!! Only 3 posts? Come on...get some scoop on SONY already. We need to get the board buzzing with hate.

Relic, TechSpot Chancellor, said:

artix said:

How can someone fall for a scam, sure some look very LEGIT but after all, they aren't ...

Not everyone is as paranoid as most of us here, I'm sure we all double check everything that seems even a little off. Sadly many others think these sophisticated phishing sites are legit and don't even bat an eye at them.

ramonsterns said:

Relic said:

artix said:

How can someone fall for a scam, sure some look very LEGIT but after all, they aren't ...

Not everyone is as paranoid as most of us here, I'm sure we all double check everything that seems even a little off. Sadly many others think these sophisticated phishing sites are legit and don't even bat an eye at them.

I think it's 50/50. We're too paranoid, they're too naive.

Guest said:

just don't give any personal information and you'll be fine... can't believe ppl fall for these kind of scams... -.-

Guest said:

This exact problem has happened to me. The first time MS didn't believe me, said I or someone in my household must have bought the points. Froze the acct during the investigation, found no evidence in the end. 2nd time, I called them immediately after noticing 2 transactions in one day, then logged into Live to see FIFA activity. A 2nd email address was added to the primary in the Live acct management, followed by some Chinese characters... that seemed to convince them of the hack this time.

Both times this happened, I had recently sent a message thru an Xbox Live friend via my Windows Phone. Coincidence?
