Microsoft has released a statement adressing the claims of hacked Xbox Live accounts. It states that no hack has taken place, but that some users have fallen victim to phishing scams.
The story was initially broken by tabloid rag The Sun, which claimed accounts of Xbox Live users had been hacked into with their credit card details then used to make small transactions, siphoning off hundreds of pounds over an extended period. While Microsoft does not deny that some users have been the victim of thievery, it also makes it clear that Xbox Live is still a secure gaming platform and that no one has been hacked.
WinRumours has the statement in full, which begins: "Xbox Live has not been hacked. Microsoft can confirm that there has been no breach to the security of our Xbox Live service. In this case, a number of Xbox Live members appear to have recently been victim of malicious ‘phishing’ scams."
The company then went on to detail that it was "working closely with affected members who have been in touch with us to investigate and/or resolve any unauthorized changes to their accounts resulting from phishing scams."
No phishing story would be complete without Microsoft giving some basic advice to its users, suggesting that they shouldn't open "unsolicited e-mails which may contain spyware and other malware that can access personal information contained on their computer without their knowledge or permission."
David Waterson, chief executive of data security firm Sentrybay, has weighed in on the discussion, saying that those perpetuating the phishing scams often used social engineering to impersonate Microsoft employees, or offered incentives like gamer points to unsuspecting players. "Subsequently, further social engineering techniques are used to extend the amount of information gained (including getting credit card information) via communications from what appears to be a trusted source" he said.
When it comes to how he'd combat such a threat, Waterson said that protection for users needed to be more focused. “Conventional anti-phishing approaches are not geared to protect against this attack (especially when the web pages can easily disappear and resurface.) What you need is an approach that specifically protects targeted attacks on brands.”