For the past three weeks or so, complaints have been trickling in that some Skype accounts are messaging diet pill and pornographic spam to their contacts. It’s not clear how many are affected, although the complaint thread is now 24 pages long. Now, Microsoft is asking users to change their passwords, although there’s still some ambiguity on the original cause of the issue.
— Simon Harris (@simonrharris) July 19, 2015
When is Spam Not Just Spam?
Normally, when you get spam from a friend’s account on any messaging platform, it’s because a malicious third party got access to the account, either by guessing the password or by using malware to steal the information from the user’s computer. In these cases, the correct answer is to alert the friend and have them change their password (if you are the inadvertent spammer, there are steps you can take to resolve this).
If a bunch of these cases start to pop up simultaneously, that’s an indication that there may be a broader, systemic problem at work. In other words, the platform itself may have a security flaw that allows attackers to steal login credentials. For example, if attackers gained access to the master list of password hashes from Skype’s servers, it’d be relatively easy to begin cracking those hashes. That would give access to millions of accounts with easily guessable passwords. If that is indeed what happened, then – again – changing your password is the right answer. However, this also requires action from Skype to address their internal security vulnerabilities.
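To make the hash-cracking scenario above concrete, here is an added example (not from the article or from Skype) with a constructed toy "leaked" table: it contrasts how far a short wordlist gets against unsalted fast hashes, where one hash per guess covers every account at once, versus per-user salted PBKDF2, where each (account, guess) pair costs a full KDF run. The hash choices and account names are assumptions for illustration only.

```python
import hashlib
import os

# Constructed sample data for illustration; nothing here comes from Skype.
WORDLIST = ["password", "123456", "letmein", "qwerty", "skype2015"]
STRONG_PW = "J7!v#qP2wz_Lm9"  # assumed strong password, absent from the wordlist
ITERATIONS = 10_000           # PBKDF2 work factor assumed for the "slow" table


def sha1_hex(pw: str) -> str:
    """Fast, unsalted hash: the storage style that makes a leaked table cheap to crack."""
    return hashlib.sha1(pw.encode()).hexdigest()


def pbkdf2_hex(pw: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: each guess must be recomputed per user, at a high cost."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


# Two toy "leaked" tables holding the same three accounts in the two storage styles.
PLAINTEXTS = {"alice": "letmein", "bob": "qwerty", "carol": STRONG_PW}
UNSALTED_SHA1 = {u: sha1_hex(p) for u, p in PLAINTEXTS.items()}
SALTS = {u: os.urandom(16) for u in PLAINTEXTS}
SALTED_PBKDF2 = {u: pbkdf2_hex(p, SALTS[u]) for u, p in PLAINTEXTS.items()}


def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Hash every guess once, then match all accounts by dictionary lookup.
    Returns (recovered accounts, number of hash operations); the cost does not
    grow with the number of accounts, which is why "millions" fall together."""
    lookup = {sha1_hex(w): w for w in wordlist}
    recovered = {u: lookup[h] for u, h in table.items() if h in lookup}
    return recovered, len(wordlist)


def crack_salted(table: dict, salts: dict, wordlist: list) -> tuple:
    """Per-user salts defeat precomputation: one KDF run per (account, guess).
    Returns (recovered accounts, number of KDF operations), each of which is
    ITERATIONS times more expensive than a single SHA-1 call."""
    recovered, ops = {}, 0
    for user, stored in table.items():
        for guess in wordlist:
            ops += 1
            if pbkdf2_hex(guess, salts[user]) == stored:
                recovered[user] = guess
                break
    return recovered, ops
```

Both runs recover the two weak passwords and neither recovers carol's, but the salted table costs 12 KDF runs (about 120,000 SHA-256 computations at the assumed work factor) against 5 SHA-1 calls for the unsalted one, and that gap widens with every additional account.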
However, there’s some reason to believe that this isn’t the case. In the original complaint, the user mentioned that the compromised Skype contact looked back through his Skype history and couldn’t find the origin of the messages, indicating that they might have been “spoofed” – in other words, the spam might be due to a flaw in the Skype client’s ability to tell who messages are originating from, rather than an actual breach of password information. If so, that’s alarming – and changing password information won’t help.
In the thread, a Skype Community Manager, “Claudius”, suggests:
“It could be that the malicious software that sends out the spam (but hasn’t been detected by Malwarebytes or antivirus yet as it in itself doesn’t do anything malicious apart from spamming Skype) is actually using the Skype Desktop API to send out the IM spam.”
However, this seems to run counter to user reports of computers sending spam when the machine is turned off – and affected users don’t report seeing an entry in the Skype Desktop API access list. It also seems unlikely that none of the available anti-malware resources would see anything. In response to this, “Claudius” changed the official explanation to this:
“Sorry it has taken us a few days to get back to you while we investigate the spam issue some of you have experienced. Our investigation indicates that cybercriminals are using an automated technique to exploit weak or re-used passwords. We have taken steps to address the issue and will continue doing so while we monitor the situation.
We encourage our users to use strong passwords and have some more information and help at https://www.microsoft.com/security/pc-security/password-checker.aspx. Also, if you are continuing to experience spam issues, please change your password and you should see spam taper off in 24 hrs.”
This explanation raises more questions than it answers. A number of users report using strong passwords that were breached anyway. Others report spam continuing despite changing their passwords.
This also doesn’t explain the sudden increase in these issues. It’s safe to assume that nearly any widely used piece of software is under attack from spammers almost all the time. So what changed here to cause such a spike in reports of compromised accounts? A quick search of Twitter, plus the length of the thread, seems to indicate that this is not a few isolated incidents.
the fact that whoever hacked me messaged every single one of my skype friends and only one person told me about it is rude to say the least
— harriet the human (@harrietthehuman) July 21, 2015
Is Skype Secure?
We know that Skype’s developers both prior to, and after Microsoft’s purchase, have put a lot of effort into enabling you to control privacy on Skype mobile and desktop versions. So it is safe to say that managing this situation is a priority for Microsoft, with Skype one of its crown jewels.
However, it’s not entirely clear what’s going on with these spam attacks. It’s possible that Microsoft is correct, and this is not a Skype problem. However, this requires a fair number of users to be mistaken or dishonest, which seems at least a little unlikely. If there is a more fundamental security vulnerability within Skype itself, then the current issues could be the tip of the iceberg. For now, reports of spam continue. Hopefully, more information from Microsoft will be forthcoming.
Have you been affected by this issue? Are you upset by Microsoft’s response to it? Let us know in the comments!
Image Credits: Spam via Shutterstock