May 28, 2015
Kaspersky Lab experts are warning of a new scam that uses Windows Live ID as bait to catch personal information stored in user profiles on services like Xbox LIVE, Zune, Hotmail, Outlook, MSN, Messenger and OneDrive.
What appears to be a typical phishing email contains a link that goes to the actual Windows Live website, with no apparent attempt to get the victims’ logins and passwords. So what’s the trick?
- After following the link and signing in, users receive a consent prompt: an application requests permission to sign in to the account automatically, view the profile information and contact list, and access the email addresses of the user and of the user’s contacts.
- Users who click “Yes” don’t give away their login and password credentials, but they do provide their personal information, the email addresses of their contacts and the nicknames and real names of their friends.
The trick relies not on a bug in OAuth, the open protocol for authorization, but on the consent step working exactly as designed: OAuth lets a user delegate limited access to a third-party application without revealing a password, and here the victim delegates that access to an application the scammers control. Because the link leads to the genuine Windows Live site, checking the address is not enough; what matters is what the application asks for on the consent screen, and the grant remains valid until the user revokes the application’s permissions in the account settings. The collected information can be used for fraudulent purposes, such as sending spam to the contacts in the victim’s address book or launching spear phishing attacks.
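As an added example (not Kaspersky’s code and not part of the original article), the following Python checker parses an OAuth authorization link of the kind described above and reports what clicking “Yes” would actually grant. The scope names are those of the Live Connect API that Windows Live applications used; the risk classification, the sample links and their client_id and redirect_uri values are constructed for this example and are not taken from the real scam.

```python
from urllib.parse import urlparse, parse_qs

# Permission scopes a Live Connect (Windows Live) application could request.
# The scope names are the API's own; the risk labels are this example's
# classification, not Microsoft's or Kaspersky's.
SCOPE_RISK = {
    "wl.signin":          ("low",    "sign the user in automatically"),
    "wl.basic":           ("medium", "read profile information and contact list"),
    "wl.emails":          ("high",   "read the user's own email addresses"),
    "wl.contacts_emails": ("high",   "read the email addresses of all contacts"),
    "wl.offline_access":  ("high",   "keep access while the user is not signed in"),
}

# The genuine Windows Live authorization endpoint. The scam described above
# uses exactly this host, which is why a host check alone does not catch it.
GENUINE_AUTH_HOSTS = {"login.live.com"}


def parse_authorize_request(url):
    """Split an OAuth authorization URL into the fields a user should review."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)

    def first(key):
        return qs.get(key, [None])[0]

    scope = first("scope") or ""
    return {
        "host": (parts.hostname or "").lower(),
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "response_type": first("response_type"),
        # Live Connect separates scopes with spaces (%20 or + in the URL);
        # commas are accepted too, since some clients mis-encode them.
        "scopes": [s for s in scope.replace(",", " ").split() if s],
    }


def assess_consent_request(url):
    """Return a verdict ('ok', 'review' or 'deny') plus the reasons for it."""
    req = parse_authorize_request(url)
    findings = []
    genuine_host = req["host"] in GENUINE_AUTH_HOSTS

    # 1. Is this the real authorization server? Kits that host their own
    #    login form fail here; the consent scam passes.
    if not genuine_host:
        findings.append("authorization endpoint %r is not the genuine Windows Live host" % req["host"])

    # 2. Where will the token or code be sent? A plain-HTTP redirect exposes it
    #    on the wire, and a missing one hides the recipient.
    redir = urlparse(req["redirect_uri"] or "")
    if redir.scheme != "https":
        findings.append("redirect_uri %r is not an https URL" % req["redirect_uri"])

    # 3. What is the app asking for? This is the check that catches the consent
    #    scam: the grant itself is the payload, no password is ever phished.
    high = []
    for s in req["scopes"]:
        level, meaning = SCOPE_RISK.get(s, ("unknown", "undocumented scope"))
        if level in ("high", "unknown"):
            high.append(s)
            findings.append("scope %s (%s): %s" % (s, level, meaning))

    # 4. Contacts' addresses plus standing access is the spam / spear-phishing
    #    combination the article describes.
    if "wl.contacts_emails" in req["scopes"] and "wl.offline_access" in req["scopes"]:
        findings.append("requests contacts' email addresses together with offline access: "
                        "the address book can be harvested at any time")

    if high or not genuine_host:
        verdict = "deny"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "request": req, "findings": findings}


# Constructed samples: the shape of the scam link with a made-up client_id and
# redirect_uri (the article gives neither), and a benign sign-in-only request.
SCAM_LINK = (
    "https://login.live.com/oauth20_authorize.srf"
    "?client_id=000000004C0FFEE1"
    "&scope=wl.signin%20wl.basic%20wl.emails%20wl.contacts_emails%20wl.offline_access"
    "&response_type=token"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
)
BENIGN_LINK = (
    "https://login.live.com/oauth20_authorize.srf"
    "?client_id=000000004C0FFEE2&scope=wl.signin&response_type=token"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
)

if __name__ == "__main__":
    for link in (SCAM_LINK, BENIGN_LINK):
        result = assess_consent_request(link)
        print(result["verdict"], "for client", result["request"]["client_id"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed scam link, the host check passes, since the request really goes to login.live.com, and the verdict is still “deny” because of the contacts and offline-access scopes; the sign-in-only link comes back “ok”. That is the practical lesson of this scam: a legitimate address is not a safe address, and the scope list on the consent screen is the part to read before clicking “Yes”. If consent has already been given, the remedy is to revoke that application in the account’s connected-apps settings, not to change the password, which the scammers never had.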