
Why are Skype accounts getting hacked so easily?

If you've received a weird message on Skype with a link to Baidu or LinkedIn recently, you're not alone. In the past couple of weeks, I've received spam links to Baidu from six of my Skype contacts, one of whom works for 's PR agency and another of whom is a former Microsoft employee. All were surprised to see their accounts breached, and some believed they were protected by Microsoft's two-factor authentication. That wasn't the case, though. A thread on Microsoft's Skype support forums reveals this has been happening to hundreds of Skype users since at least August. Breached Skype accounts are used to send thousands of spam messages before they're locked and the owners have to regain access. Skype has fallen victim to similar attacks before: hackers were able to spoof messages on the system last year after using lists of stolen usernames and passwords to gain access to accounts. Microsoft says there is no breach of Skype. "Some Skype customers have reported their accounts being used to send spam," says a Microsoft spokesperson in a statement to The Verge. "There is no breach of Skype security, instead we believe criminals are using username and password combinations obtained illegally to see if they exist on Skype. We continue to take steps to harden the login process and recommend customers update their Skype account to a Microsoft account to benefit from added protections such as two-factor authentication." This year's attack appears to be growing in size, and Skype users might think they're protected by Microsoft's two-factor security, when in reality they're probably not. Microsoft offers the ability to link a Skype and Microsoft Account together to make sign-in and security easier.
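What Microsoft describes in that statement is credential stuffing: stolen username and password pairs replayed against a login endpoint to see which ones still work. The following is an added example, not part of the article and not Microsoft's tooling, showing what that looks like in an authentication log and one check that separates it from an ordinary failed login. The log format, the field names, the thresholds and the sample lines are all constructed for illustration.

```python
"""Spot credential-stuffing sources in authentication logs.

Added example, not part of the article or any Microsoft tooling. The log
format, field names and thresholds are assumptions chosen for illustration;
the sample lines are constructed.
"""
from collections import defaultdict
import re

# Constructed sample: 203.0.113.7 tries ten different usernames, one password
# each, and gets two hits (stuffing); 198.51.100.9 is one user who fails once
# and then signs in (normal).
SAMPLE_LOG = """\
2016-11-05T10:00:01Z login src=203.0.113.7 user=alice result=fail
2016-11-05T10:00:02Z login src=203.0.113.7 user=bob result=fail
2016-11-05T10:00:02Z login src=203.0.113.7 user=carol result=fail
2016-11-05T10:00:03Z login src=203.0.113.7 user=dave result=success
2016-11-05T10:00:03Z login src=203.0.113.7 user=erin result=fail
2016-11-05T10:00:04Z login src=203.0.113.7 user=frank result=fail
2016-11-05T10:00:04Z login src=203.0.113.7 user=grace result=fail
2016-11-05T10:00:05Z login src=203.0.113.7 user=heidi result=fail
2016-11-05T10:00:05Z login src=203.0.113.7 user=ivan result=fail
2016-11-05T10:00:06Z login src=203.0.113.7 user=judy result=success
2016-11-05T10:01:00Z login src=198.51.100.9 user=alice result=fail
2016-11-05T10:01:05Z login src=198.51.100.9 user=alice result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse(log_text):
    """Parse lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Return {src: summary} for sources that look like credential stuffing.

    The signal is many *distinct* usernames from one source with a low success
    rate: a brute force hits one account many times, a real user hits one
    account a few times with a high success rate, stuffing hits many accounts
    once each and succeeds now and then. The successes are the accounts to
    lock and notify.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "success":
            s["hits"].add(e["user"])
    flagged = {}
    for src, s in per_src.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 2),
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for src, summary in stuffing_sources(parse(SAMPLE_LOG)).items():
        print(src, summary)
```

The thresholds are deliberately simple; in a real pipeline you would window the counts by time and add per-user lockouts, but the shape of the detection is the same: distinct targets per source, not failures per account.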
If you already enabled this months ago, it turns out that Microsoft has kept your original Skype account password separate, so that it can still be used to access the service with a Skype username. If that password is weak, or you used it elsewhere, attackers can use it to sign in to Skype directly, bypassing the two-factor authentication on the linked Microsoft Account entirely: two-factor authentication only protects the login paths it is enforced on, and the old Skype password is a second path it was never enforced on. Your Skype account might not be as secure as you think. I spoke to a Microsoft employee, on condition of anonymity, who had a Skype account breached recently. The Microsoft employee had used two-factor authentication, but hackers were able to log in using an old Skype username and password combination. I even tested this on my own personal accounts, and I was able to log into my Skype account with an old password despite linking it to my Microsoft Account months ago. I thought I was protected by Microsoft's two-factor authentication, but I wasn't.

"As if Skype isn't bad enough as an app, Microsoft has two separate login mechanisms. Great job pic.twitter.com/woN4HPsmP5" — Tom Warren (@tomwarren) November 5, 2016

It's a bizarre situation that highlights Microsoft's challenges in integrating Skype while moving its aging infrastructure away from a peer-to-peer service. Back in 2012, Microsoft had to patch a major flaw that left Skype accounts open to attack if you knew the associated email address. It was an embarrassing security hole that was fixed the same day, but it knocked confidence in Microsoft's approach to securing Skype. The ability to bypass Microsoft's two-factor authentication is yet another dent in Skype's security. Microsoft has a fix for this hole, but it's not making it very clear to users who have already linked accounts, and it isn't applying the fix for them automatically. If you've already linked a Microsoft Account to Skype, you'll need to "update" your Skype account to ensure it's fully merged, over at Microsoft's account page.
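The situation the article describes is easier to reason about as a model of one identity with several login paths. The block below is an added example, not Microsoft's code: it reproduces the behaviour reported above (after the old "link", the Skype password survives as its own login path with no second factor; after the "merge", the Skype name becomes an alias that shares the Microsoft account's password and MFA) and ends with the audit check a practitioner would actually want, which is to list every login name that still accepts a password without a second factor. The names, data structures and the HOTP second factor are assumptions for illustration.

```python
"""One identity, two login paths, and an audit for the one that skips MFA.

Added example, not Microsoft's code. It models the behaviour the article
describes; names, data structures and the HOTP second factor are assumptions.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional


def hash_pw(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def check_pw(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(stored, hash_pw(password, stored[:16]))


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP; stands in for the authenticator-app second factor."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


@dataclass
class LoginPath:
    pw_hash: bytes
    mfa_required: bool


@dataclass
class Identity:
    email: str
    otp_secret: bytes
    otp_counter: int = 0
    paths: Dict[str, LoginPath] = field(default_factory=dict)  # login name -> path


def create_microsoft_account(email, password, otp_secret):
    ident = Identity(email, otp_secret)
    ident.paths[email] = LoginPath(hash_pw(password), mfa_required=True)
    return ident


def link_skype(ident, skype_name, skype_password):
    """The old 'link': the Skype password stays usable on its own, with no MFA."""
    ident.paths[skype_name] = LoginPath(hash_pw(skype_password), mfa_required=False)


def merge_skype(ident, skype_name):
    """The 'merge': the Skype name becomes an alias of the Microsoft account
    path, so it shares that password and that MFA requirement."""
    ident.paths[skype_name] = ident.paths[ident.email]


def disable_alias(ident, name):
    """Optional last step from the article: stop the Skype name signing in at all."""
    if name != ident.email:
        ident.paths.pop(name, None)


def login(ident, name, password, otp=None):
    path = ident.paths.get(name)
    if path is None or not check_pw(password, path.pw_hash):
        return "denied"
    if path.mfa_required:
        if otp != hotp(ident.otp_secret, ident.otp_counter):
            return "mfa_required"
        ident.otp_counter += 1  # a used code is not accepted again
    return "ok"


def mfa_bypass_paths(ident):
    """The audit: every login name that accepts a password with no second factor.
    Run it over every identity after a migration; the answer should be []."""
    return sorted(n for n, p in ident.paths.items() if not p.mfa_required)


if __name__ == "__main__":
    me = create_microsoft_account("user@example.com", "long Microsoft passphrase", b"constructed-secret!!")
    link_skype(me, "user.skype", "old skype password")
    print("bypass paths after link :", mfa_bypass_paths(me))
    print("old Skype password, no OTP:", login(me, "user.skype", "old skype password"))
    merge_skype(me, "user.skype")
    print("bypass paths after merge:", mfa_bypass_paths(me))
    print("old Skype password, no OTP:", login(me, "user.skype", "old skype password"))
```

The point of `mfa_bypass_paths` is that it is a property of the whole identity, not of one credential: enabling a second factor on the Microsoft password changes nothing about the Skype path until that path is retired or aliased onto the protected one.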
Here are the steps:

1. Go to https://account.microsoft.com. If you're already signed in, sign out.
2. Enter your Skype name, not your Microsoft Account email address, and use your Skype password to sign in.
3. If you've linked your Microsoft Account previously, you'll be prompted to sign in and merge the accounts to create a Skype alias.

Secure your Skype and Microsoft Account immediately. Once the two accounts are properly merged, Microsoft creates a Skype alias to let you keep signing in with a Skype username. You can continue using this or disable it under the aliases preferences, to ensure nobody can try to sign in with your Skype username. Either way, you won't be able to use your old Skype password anymore, and attackers will have to know the email address associated with your account. The whole process seems messy, but it appears to be the best way to secure your Microsoft account. If you've already linked a Skype username, I would suggest doing this extra merge process immediately to secure your account. If you haven't linked Skype and Microsoft Accounts at all, you should be safe to link and merge with the new process. Afterwards, confirm that signing in with your Skype name and the old Skype password is refused; that is the check that tells you the second login path is gone.

Don't Skype and Type: Hackers Can Steal Your Password Through VoIP Calls

It seems like there is a never-ending stream of new methods for hackers to steal our passwords. Between phishing emails, brute-force password attacks and a rise in VoIP protocol attacks, it turns out that for a long time now, hackers have been able to figure out what you were typing on your keyboard just by listening to the sounds it produces. In fact, just this year, a study came out diving deep into the world of acoustic eavesdropping. More specifically, the study titled "Don't Skype & Type! Acoustic Eavesdropping in Voice-Over-IP!" took a close look at how the old concept of acoustic eavesdropping has adapted to become an even bigger threat in modern times.
We were shocked to hear about this method of attack and wanted to take a close look at the study's findings. So let's dig in.

The idea of acoustic eavesdropping isn't revolutionary. In fact, the study refers to a number of previous looks at the concept. Even back in 1943, Bell Telephone engineers discovered a phenomenon scarily similar to what attackers can do today with modern technology. But what exactly is acoustic eavesdropping? The concept is pretty basic: just by recording and analyzing the sound your keyboard makes each time you press a different key, someone can pinpoint what you were typing. Every keyboard, and every individual key press, makes a slightly different sound. Attackers can use these sounds to assemble an alphabet, and then decipher almost exactly what you were typing based on that alphabet.

A New Rising Threat With New Technologies

In the past, this was generally not a big concern: most techniques required too much information, or required attackers to have physical access to their victim's device. For example, previous attempts at acoustic eavesdropping would require the attacker to place a microphone near the victim's keyboard. So while acoustic eavesdropping has been a real threat for a long time, it has been fairly uncommon; the barriers to entry were too high for most attackers to bother with. The issue is now a compounding one: a lot of our devices have built-in microphones. Laptops and tablets, anything with a built-in microphone, are the devices most at risk. So if your business has a BYOD policy, this study should interest you. The bigger issue now, however, is the introduction and popularity of VoIP. We'll touch on that below. First, some definitions to understand what we're discussing.

Understanding The Language
Just as the study does, before we jump into the details, it helps to define some key terms. The arXiv paper goes as far as explaining attack models and multiple profiling techniques in depth, but to keep it simple we'll focus on just the crucial aspects. According to the study, the parties and elements of an attack are as follows:

The Attacker: whoever is carrying out the attack, generally with malicious intent to gain information they otherwise do not have access to.
The Victim: self-explanatory, but the victim is the one being attacked and having their typing eavesdropped on.
Attack-Device: the attacker's device. The study specifies desktop or laptop computers, and excludes smartphones and tablets.
Target-Device: the device the attacker is targeting. The victim will be using this device, but it doesn't have to be their personal machine; it could be a work device.
Target-Text: the information the victim typed on their device, and therefore the information the attacker is after.
Connection: as we know, VoIP carries our voice data over the internet. That is how VoIP works, but the way the audio is captured and transmitted over that connection is also what makes Skype and Type attacks possible.

Essentially, the attacker is "a malicious user who aims to learn some private information about the victim." For simplicity, the study assumes the attacker and victim are both using a genuine, unmodified version of the same VoIP software. Specifically, the study looked at Skype and extrapolated to Hangouts, but this could easily carry over to just about any other popular VoIP app.

So, How's It Even Work?

In reality, acoustic eavesdropping, or the more modern Skype and Type attack, is really complicated.
We already understand the concept: the attacker records the sound the victim's keyboard makes when they press a key during a VoIP call. But the process is a bit more involved than that.

Collecting The Data

As we said before, the older style of attack required the attacker to have physical access to the target-device. The attacker would place a microphone next to the victim's keyboard and record the keystrokes during a call. This, of course, works even when the victim isn't on a call at all. So, not everyone can get into your office, but let's say it's your secretary who wants to find out some crucial information: they have easy access to your device and could simply hide a microphone under your stack of papers. So let's assume access is available and they have your keystrokes recorded. That's the key factor here: once the attacker gains access, they have free rein to collect data. Except the data they are collecting isn't legible text; as I said, it's the sounds your keyboard makes when you press any button. Once an attacker has collected all of this audio, it's not as if they can look at the sound peaks and instantly know which key was pressed. So what's next?

Making Sense of The Data

After the attacker collects the victim's keystroke audio, they need analytical techniques to make sense of it. The study's terms for these are "supervised or unsupervised machine learning" and "triangulation." In plain language: a classifier turns the sequence of key-click sounds into a usable string of text, for example the password you typed into your Gmail account to check your email while holding a normal conversation. You know, normal things normal people do every day. Except the classifier alone doesn't know what a keystroke is, or how to tell typing apart from otherwise generic clicking and clacking sounds.
That's where an extra step, a layer of profiling, comes in.

Complicated, But Serious Enough To Worry

As if physical access to the target-device and a trained classifier weren't enough, the data an attacker gains is only usable if it can be compared to an existing reference. If an attacker has a database of popular keyboards and the sounds those keyboards make, they can match the audio taken from your call against what they already know. Think of it as cracking a code: your information is a series of ticks and clicks, but each tick and click corresponds directly to a key on a keyboard. If an attacker knows what sound the "A" key makes when pressed on a MacBook Pro keyboard, and knows their victim is using a MacBook Pro, they can fill in the pieces of the puzzle.

Attacks Are More Successful Than You Think

This is a bit of a double-edged sword. On one hand, you would think this barrier alone, requiring a reference database, would be enough to stop most attacks, and technically most attacks are stopped. The study states that without a database of key sounds to compare against, attackers could only guess keystrokes with 40% accuracy. So the majority is prevented, but let's be honest, 40% is still a high number. The really scary part? When attackers DO have a reference database, that accuracy shoots all the way up to 91.7%. So when everything matches up, the system proves fairly accurate, but the wall to climb to gain the necessary information was too tall. This whole process is known as "keystroke profiling," and it gets more complicated than this, but overall the main concern should be protecting your keyboard specifically.

New Style of Attacks: Remote Keyboard Acoustic Eavesdropping

Except the whole premise of this paper is the discovery of an entirely new method of attack, one that is much easier to carry out.
One that no longer requires physical access to the target-device, a planted microphone, or access to the device's own microphone. This new form of attack still falls under the same concept of acoustic eavesdropping, but it's where the Skype and Type name comes from. Also referred to as remote keyboard acoustic eavesdropping, it is even more worrisome for a few reasons:

Attackers do not need physical access to, or control of, the target-device.
Skype and Type attacks work with a more limited amount of keystroke data than previous attempts.
These attacks leverage the exact VoIP software you are using against you, as opposed to an external microphone or sensor. This is not a security flaw in the software, but an exploitation of how VoIP works.

That's the really scary part: even without direct access to your machine, someone with malicious intent can simply use your own VoIP app against you. Now the biggest examples given are Skype and , but this could easily translate to other popular solutions. So how does this new form of attack even work, without a microphone listening in on your keystrokes? As I briefly explained above, the attacker simply uses the VoIP software against the victim. According to the study, "the attacker receives no additional acoustic information from the victim, besides what VoIP software transmits to the attack-device." Instead of a microphone placed near the victim's keyboard, the attacker extracts the tiny key-click sounds from the audio the VoIP app transmits. So in reality, this is only an issue if the headset, IP desk phone or other Skype add-on device you use for VoIP is sensitive enough to pick up your typing. But you'd be surprised both by how easy that is and by how much information can be extracted from such a tiny sound.

Simple Measures Can Go a Long Way
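Before the list of measures, it helps to see the attack and the strongest of the software countermeasures side by side. The block below is an added example, not the paper's code or data: it reduces keystroke profiling to a runnable toy in which each key click is synthesised as a damped tone whose pitch depends on the key (an assumption standing in for the real per-key acoustic differences), the call adds channel noise, and the attacker classifies each click by comparing its spectrum with a reference profile built from labelled clicks, which is the supervised, database-backed case that reached 91.7% in the study. The last functions apply the "short random transformations" countermeasure described later on this page, so its effect on accuracy can be measured rather than asserted. Sample rate, frequencies, decay and noise levels are all constructed.

```python
"""Keystroke profiling over VoIP audio, reduced to a runnable toy.

Added example, not the paper's code. Per-key click pitches, noise level and
channel model are assumptions; nothing here is recorded from a real keyboard.
"""
import math
import random

SAMPLE_RATE = 8000          # Hz, narrowband voice
CLICK_SAMPLES = 128         # 16 ms per click
# Assumed resonant frequency per key (250 Hz apart, i.e. 4 DFT bins).
KEY_FREQ = {"p": 500, "a": 750, "s": 1000, "w": 1250, "o": 1500, "r": 1750, "d": 2000}
DECAY = 150.0               # 1/s, how fast a click rings down


def click(key, noise=0.0, rng=None):
    """One keystroke as heard over the call: decaying tone plus channel noise."""
    f = KEY_FREQ[key]
    out = []
    for n in range(CLICK_SAMPLES):
        t = n / SAMPLE_RATE
        v = math.sin(2 * math.pi * f * t) * math.exp(-DECAY * t)
        if noise and rng:
            v += rng.gauss(0.0, noise)
        out.append(v)
    return out


def spectrum(samples):
    """Unit-norm magnitude spectrum (naive DFT; fine for 128 samples)."""
    n = len(samples)
    mags = []
    for k in range(n // 2):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        mags.append(math.hypot(re, im))
    norm = math.sqrt(sum(m * m for m in mags)) or 1.0
    return [m / norm for m in mags]


def build_profile(keys, samples_per_key=3, noise=0.05, seed=0):
    """Supervised training: mean spectrum of a few labelled clicks per key."""
    rng = random.Random(seed)
    profile = {}
    for k in keys:
        specs = [spectrum(click(k, noise, rng)) for _ in range(samples_per_key)]
        profile[k] = [sum(col) / samples_per_key for col in zip(*specs)]
    return profile


def classify(samples, profile):
    """Nearest profile by cosine similarity of spectra."""
    s = spectrum(samples)
    return max(profile, key=lambda k: sum(a * b for a, b in zip(s, profile[k])))


def transcribe(clicks, profile):
    return "".join(classify(c, profile) for c in clicks)


def resample(samples, factor):
    """Time-stretch by `factor` (>1 slows the click, lowering its pitch)."""
    n = len(samples)
    out = []
    for i in range(n):
        pos = i / factor
        j = int(pos)
        if j + 1 >= n:
            out.append(0.0)
        else:
            frac = pos - j
            out.append(samples[j] * (1 - frac) + samples[j + 1] * frac)
    return out


def random_transform(samples, rng):
    """Countermeasure: perturb each click's pitch and level before it is sent.
    Level alone does nothing against unit-norm spectra; the pitch shift is
    what moves a click out of its key's spectral neighbourhood."""
    factor = rng.uniform(0.7, 1.4)
    gain = rng.uniform(0.3, 1.5)
    return [gain * v for v in resample(samples, factor)]


def accuracy(text, profile, defended, seed=1):
    """Fraction of keystrokes in `text` the attacker recovers."""
    rng = random.Random(seed)
    hits = 0
    for ch in text:
        c = click(ch, 0.05, rng)
        if defended:
            c = random_transform(c, rng)
        hits += classify(c, profile) == ch
    return hits / len(text)


if __name__ == "__main__":
    profile = build_profile(KEY_FREQ)
    print("attacker reads        :", transcribe([click(c) for c in "password"], profile))
    print("accuracy, plain call  :", accuracy("password" * 5, profile, defended=False))
    print("accuracy, transformed :", accuracy("password" * 5, profile, defended=True))
```

Two things the toy makes visible that the prose does not: the classifier needs no knowledge of what a "keystroke" is once clicks have been isolated, only a reference profile to compare against; and a random gain change on its own is a weak countermeasure, because any sensible feature is normalised for volume, whereas a pitch shift of more than half the gap between neighbouring keys turns a correct guess into a neighbour.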
When it comes to , I hold a strong stance that everyone should in some way practice safe browsing, even if you're on a Mac or an iPhone, browsing your work email or the news. It can be much easier than you think for an attacker to find their way into your device and leverage that control over you or your business in some way. The simplest security practices can go a long way in securing your connection, or preventing unwanted eyes from prying into your crucial information. Note that network firewalls do nothing against a Skype and Type attack: the keystroke sounds travel inside the legitimate call audio, which every firewall is configured to let through. In terms of preventing a Skype and Type attack, there are quite a few basic practices anyone can employ, along with some more advanced software protections. In general, if you are discussing really crucial and sensitive information, you should not be typing it during a Skype call at all, encrypted or not, since in this attack the eavesdropper is simply the other party on the call. That should at least be common sense. However, we are all human, and it is easy to forget or simply not understand the severity of the threat. For starters, the simplest ways to protect yourself from remote acoustic eavesdropping are:

Do not type on your physical keyboard while on a Skype or VoIP call. Simple as that: if you don't type anything, the attacker has no information to steal.
If you need to type, use a software keyboard. Most machines, Windows and Mac, can display a virtual keyboard on screen that you operate by clicking letters with the mouse, which produces no keyboard sounds.
If you need to type but cannot use a software keyboard, mute your microphone while typing. This can generally be done through a soft mute button in the VoIP app, or an in-line mute button included on most headsets and desk phones.
Avoid the need to type by logging into all of the applications you will need before placing or receiving the call.
Use a password manager that fills in your login forms automatically. Password managers are a great tool for anyone trying to improve their password security, and they let you log into services during a VoIP call without typing.

These countermeasures are the least invasive to your VoIP call at the end of the day. Less typing means fewer distractions, so it's almost a win-win. However, it's very easy to slip into a comfortable routine, forget to mute the microphone, or hate having to click on a virtual keyboard. So for more technical users, there are some advanced techniques that can be leveraged. Beyond securing your network and remote connections with a VPN (which does nothing against this particular attack, since the attacker is the other party on the call, but still protects you from everything in between), those include:

A "ducking" technique: software, or the user manually, lowers the microphone volume when a keystroke is detected, or even overlays the typing with a completely different sound. The problem is that this requires a trained user to find, implement and use such a solution, and it can easily degrade call quality. What if the software muffles your important presentation instead of your keystrokes?
"Short random transformations": software detects keystrokes and changes the intensity and specific frequencies of each keystroke sound in transmission, so what the attacker receives is not the sound your keyboard actually made. Changing the intensity alone is of little use, since a classifier can normalise volume away; shifting the frequencies is what moves a click out of the range the attacker's profile expects.

Don't Skype and Type!

At the end of the day, the easiest advice to keep yourself and your information safe is simply: don't type and Skype. Now, chances are the average person will not have to worry about acoustic eavesdropping; the average user is an unlikely target for an attack this specialised.
But it is a fact of reality that there are assailants out there trying to make money, or find a competitive edge, in any way possible, even if that means a simple ransomware attack holding your crucial business information hostage and demanding a large payout. Not that everyone should panic that their passwords are being stolen over the phone, but it is worth understanding the different methods of attack that exist and how to keep yourself safe.

Hackers call on Skype to spread Trojan

The malware does not exploit flaws in Skype as such, as a computer worm might, but spreads by tricking users into agreeing to run hostile code, which poses as a "cool program" from one of their contacts. F-Secure reports that two different and separate malware samples are using Skype as an attack vector. One malware sample, called "sp.exe", attempts to connect to a site called nsdf.no-ip.biz to download additional malware components. The other sample, first detected at the beginning of October, attempts to download components from marx2.altervista.org. The websites used to download the secondary malware samples have both been pulled since the attack was detected earlier this week. Although the immediate threat posed by these Skype Trojan attacks is therefore minimal, the assault illustrates the changing attack vectors (in this case a VoIP client) that hackers are turning to as an alternative to the well-known risks of malware in email or hosted on maliciously constructed websites.
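The useful leftover from a report like this is the second-stage download hosts: a client that asks for them has already run the first stage, whether or not the download still works. The block below is an added example, not from the article or F-Secure, showing how a proxy log is checked for the two hosts named above and, more generally, for any host under a dynamic-DNS provider, since throwaway dynamic-DNS names like the no-ip.biz one are a common choice for short-lived malware infrastructure. The log format, the dynamic-DNS suffix list and the sample lines are constructed.

```python
"""Flag proxy-log connections to malware download hosts.

Added example, not from the article or F-Secure. Log format, dynamic-DNS
suffix list and sample lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

KNOWN_BAD_HOSTS = {"nsdf.no-ip.biz", "marx2.altervista.org"}  # the hosts named in the article
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".dyndns.org", ".ddns.net")  # assumed watch-list

# Constructed sample: timestamp, internal client, method, URL, HTTP status.
PROXY_LOG = """\
2006-10-05T09:12:01Z 10.0.0.5 GET http://nsdf.no-ip.biz/a.bin 200
2006-10-05T09:12:03Z 10.0.0.5 GET http://www.example.com/index.html 200
2006-10-05T09:13:10Z 10.0.0.9 GET http://marx2.altervista.org/b.bin 404
2006-10-05T09:14:00Z 10.0.0.7 GET http://host42.ddns.net/c.bin 200
2006-10-05T09:15:00Z 10.0.0.7 GET http://intranet.example.org/ 200
this line is garbage and must not crash the scanner
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url):
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def verdict(host):
    """Known-bad wins over the heuristic so the alert states the strongest fact."""
    if host in KNOWN_BAD_HOSTS:
        return "known_bad"
    if host.endswith(DYNDNS_SUFFIXES):
        return "dyndns"
    return None


def scan(log_text):
    """Return one finding per matching request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m["url"])
        why = verdict(host)
        if why:
            # A 404 still matters: the site may be gone, but the client asked
            # for it, which means the first stage already ran there.
            findings.append({"src": m["src"], "host": host, "reason": why,
                             "status": int(m["status"])})
    return findings


def infected_clients(findings):
    """Distinct internal hosts to pull for a look, regardless of reason."""
    return sorted({f["src"] for f in findings})


if __name__ == "__main__":
    for f in scan(PROXY_LOG):
        print(f)
    print("clients to investigate:", infected_clients(scan(PROXY_LOG)))
```

The dynamic-DNS rule is noisy in environments where people legitimately use such services, which is why it is reported as a separate reason rather than folded into the known-bad match; tune the suffix list to your own traffic before alerting on it.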