Skype ignores PayPal siphoning hijack scheme

The phone company without a phone

One day last month, when Klaus Zimmerman tried to log into his Skype account, he got an error message indicating his username and password didn't match. Concerned something was awry, Zimmerman, a computer repairman living in Wexford County, Ireland, phoned his brother and asked him to check his online status.

"I saw you on earlier, but your picture was gone," the brother reported. "You're now listed as living in Germany." On top of that, the person logged in was no longer answering the brother's queries.

Several forum threads and Google searches suggest Zimmerman's experience is by no means unusual. The Register has contacted many victims, and a common pattern has emerged. Around the same time the victims are locked out of their accounts, they receive emails indicating their PayPal accounts are being charged for funds that are credited to the purloined Skype accounts. Frantic emails reporting the problem remain unanswered for weeks or months by Skype and PayPal representatives.

"Basically, you get a generic email saying 'Sorry you're having problems with Skype, we'll try to solve the problem,'" says Dave Ballard, a Newfoundland, Canada-based graphics artist, whose account has been inaccessible for five weeks. The eBay powerseller adds: "This is just not right because it's costing me thousands of dollars."

The account contained more than 200 contacts of people Ballard has done business with. Because Ballard didn't back up the contacts, they will be permanently lost if he remains unable to access the account. (An earlier version of this story incorrectly said Skype doesn't provide a means to back up contacts. In fact it does, by going to Tools > Advanced > Back up contacts to file.)

Ballard says he sent Skype's support team 34 emails, one each day since the account was hijacked, but never received a live response. Late last week, a Skype rep contacted him to acknowledge the problem and offered him a refund. He remains locked out of the account he's used for three years.

The rash of Skype hijackings comes on top of a separate issue in which PayPal users are debited for Skype services they never ordered. Since reporting the problem in June, Vulture Central has been inundated with email from readers who say they too continue to experience mysterious Skype charges.

The Register has repeatedly contacted representatives from eBay, PayPal and Skype, but at time of writing, none of them were able to discuss whether company officials are aware of the glitch or what they're doing to fix it. Shortly after this article was published, a Skype spokeswoman emailed a statement that read:

"We are continually working to educate our users on how to protect their online accounts and take precautions to prevent as many of these fraudulent transactions as possible. Unfortunately for some users we cannot get back to them as quickly as they'd like but we are doing our best to make our Customer Support as effective and efficient as possible."

We're still trying to understand how the attackers are commandeering the accounts. There are no reports of phishing emails or other attempts at social engineering. And the Skype client encrypts usernames and passwords during the login process, making a man-in-the-middle attack unlikely. If your account has been hijacked, please post the particulars as a comment to this story, or contact the reporter using this link.

In the meantime, Skype users should consider reconfiguring their account so it's no longer possible to automatically debit money from PayPal accounts or credit cards.

Several of the victims work in the information technology industry and say they take pains to use strong passwords and log in to their accounts only from secure machines located at home.

"I'm fairly IT savvy," says James M. Fahey, a Boston resident who recently found $40 worth of Skype charges debited to his PayPal account. The strange thing, he says, is that the credits were added to someone else's Skype account, not his. When he sent emails protesting the charges, a representative insisted the account that was credited was the one Fahey had been using for years.

Fahey was unable to persuade the representative, even after he sent screenshots proving the account under his control hadn't been credited, so he decided to delink his credit card from the account and drop the matter.

"It just blows me away that Skype doesn't respond or make corrections to what's going on," he says. "It's a phone company, but they don't have any phone number to respond."

Indeed, the only victim we've talked to who has reported a satisfactory outcome is Zimmerman. Several days after we first spoke to him, he reported receiving an email from a Skype representative informing him his account had been reset. Within two minutes, he had regained control of the account, but was saddened to find all his contacts missing.

While he's glad to be reunited with an account he's used for years, he says the experience has him looking over his shoulder.

"My identity was used for God knows what," he says. "Maybe at some point, I'll get some nasty email saying, 'Weren't you the one who did such and such?'" ®
