Feeds

Skype ignores PayPal siphoning hijack scheme

The phone company without a phone

5 things you didn’t know about cloud backup

One day last month, when Klaus Zimmerman tried to log into his Skype account, he got an error message indicating his username and password didn't match. Concerned something was awry, Zimmerman, a computer repairman living in Wexford County, Ireland, phoned his brother and asked him to check his online status.

"I saw you on earlier, but your picture was gone," the brother reported. "You're now listed as living in Germany." On top of that, the person logged in was no longer answering the brother's queries.

Forum threads here, here and here and Google searches here and here suggest Zimmerman's experience is by no means unusual. The Register has contacted many victims, and a common pattern has emerged. Around the same time the victims are locked out of their accounts, they receive emails indicating their PayPal accounts are being charged for funds that are credited to the purloined Skype accounts. Frantic emails reporting the problem remain unanswered for weeks or months by Skype and PayPal representatives.

"Basically, you get a generic email saying 'Sorry you're having problems with Skype, we'll try to solve the problem,'" says Dave Ballard, a Newfoundland, Canada-based graphics artist, whose account has been inaccessible for five weeks. The eBay powerseller adds: "This is just not right because it's costing me thousands of dollars."

The account contained more than 200 contacts of people Ballard has done business with. Because Ballard didn't back up the contacts, they will be permanently lost if he remains unable to access the account. (An earlier version of this story incorrectly said Skype doesn't provide a means to back up contacts. In fact it does, by going to Tools > Advanced > Back up contacts to file.)

Ballard says he sent Skype's support team 34 emails, one each day since the account was hijacked, but never received a live response. Late last week, a Skype rep contacted him to acknowledge the problem and offered him a refund. He remains locked out of the account he's used for three years.

The rash of Skype hijackings come on top of a separate issue in which PayPal users are debited for Skype services they never ordered. Since reporting the problem in June, Vulture Central has been inundated with email from readers who say they too continue to experience mysterious Skype charges.

The Register has repeatedly contacted representatives from eBay, PayPal and Skype, but at time of writing, none of them were able to discuss whether company officials are aware the of the glitch or what they're doing to fix it. Shortly after this article was published, a Skype spokeswoman email a statement that read:

"We are continually working to educate our users on how to protect their online accounts and take precautions to prevent as many of these fraudulent transactions as possible. Unfortunately for some users we cannot get back to them as quickly as they'd like but we are doing our best to make our Customer Support as effective and efficient as possible."

We're still trying to understand how the attackers are commandeering the accounts. There are no reports of phishing emails or other attempts at social engineering. And the Skype client encrypts usernames and passwords during the login process, making a man-in-the-middle attack unlikely. If your account has been hijacked, please post the particulars as a comment to this story, or contact the reporter using this link.

In the meantime, Skype users should consider reconfiguring their account so it's no longer possible to automatically debit money from PayPal accounts or credit cards.

Several of the victims work in the information technology industry and say they take pains to use strong passwords and log in to their accounts only from secure machines located at home.

"I'm fairly IT savvy," says James M. Fahey, a Boston resident who recently found $40 worth of Skype charges debited to his PayPal account. The strange thing, he says, is that the credits were added to someone else's Skype account, not his. When he sent emails protesting the charges, a representative insisted the account that was credited was the one Fahey had been using for years.

Fahey was unable to persuade the representative, even after he sent screenshots proving the account under his control hadn't been credited, so he decided to delink his credit card from the account and drop the matter.

"It just blows me away that Skype doesn't respond or make corrections to what's going on," he says. "It's a phone company, but they don't have any phone number to respond."

Indeed, the only victim we've talked to who has reported a satisfactory outcome is Zimmerman. Several days after we first spoke to him, he reported receiving an email from a Skype representative informing him his account had been been reset. Within two minutes, he had regained control of the account, but was saddened to find all his contacts missing.

While he's glad to be reunited with an account he's used for years, he says the experience has him looking over his shoulder.

"My identity was used for God knows what," he says. "Maybe at some point, I'll get some nasty email saying, 'Weren't you the one who did such and such?'" ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.