
Microsoft: Oh, go on, Xbox Live user. Show us your spammer

'We look at them, we boot them' – gaming platform boss


The hugely annoying nuisance that has plagued email for decades, and more recently spread to mobile and instant messaging, has found its way into gaming.

Spammers are affecting online gaming, with Xbox users in particular reporting an increase in spam reaching them from multiple gamertags.

In response, Microsoft is planning to make spam abuse easier to report via changes in the user interface due to arrive in March.

“Those asking about Xbox Live messages spam - we're working on it. But for now friends/my profile/privacy/custom and check friends only,” Xbox's partner director of program management Mike Ybarra said in a Twitter update.

“BTW, please report ALL spammers on Xbox Live messages. We look at them, we boot them!!”

Chris Boyd, a malware intelligence analyst at Malwarebytes and committed gamer, pointed out that console ownership is not tied to Xbox accounts, something that makes it easier for spammers to create disposable accounts for later messaging abuse.

“A big problem for Microsoft is that spammers can spam whether they own a console or not - if you have a free account, which is easy enough to set up, you can simply sign into the Xbox website and fire spam messages from there instead,” Boyd told El Reg.

Fortunately some security controls are already in place to help shield legitimate gamers.

“Security options for console owners are fairly comprehensive, and also include choices specific to both the 360 and Xbox One platforms. Anybody worried about the spam should set their ‘Communicate with Voice & Text’ option to ‘friends’ or block entirely until Microsoft apply an update in March designed to make flagging spam easier,” Boyd explained.

“Additionally, Microsoft accounts come with a wide range of protections to help prevent spam being sent by phished accounts. Backup email addresses, phone alerts and two factor verification are already available - the question is whether or not gamers are making use of these features. Given how popular stolen console accounts are on underground forums for everything from bragging rights to spam farms, it appears that they're not spending enough time locking everything down,” he added.

Andrew Conway, research analyst at messaging security firm Cloudmark, said that Microsoft should have been more proactive about tackling the spamming problem on its gaming platform, putting measures in place before the predictable problem actually reared its ugly head.

“Spammers will go anywhere there are enough people and a way to send messages to them and Microsoft should have been ready for this,” Conway commented. “In a closed system such as a gaming platform, where a single vendor controls access and message delivery for all users, spam control should be relatively easy.”

Conway speculated that there was a tension between making it easier for people to sign up for online gaming and placing obstacles in the way of account abuse.

“In order to grow their network, Microsoft has tried to make it as easy as possible to sign up for a free account – there must be a longstanding debate between Microsoft salespeople, who want to make it as easy as possible to sign up for accounts, and the security team, who want to make it difficult for spammers to sign up for multiple accounts.

“Of course, stopping free accounts from being used to send spam is only part of the solution. Much of the spam we see in the iMessage network comes from legitimate accounts where the password has been stolen in a phishing attack.

“To properly control spam from compromised accounts, Microsoft will have to implement either dual factor authentication or effective feedback based content filtering. Keeping spam under control in any large scale messaging system is a constant arms race,” he added. ®
