The Verge is reporting that hackers are targeting and have successfully compromised the Xbox Live accounts of high profile Microsoft employees past and present. It appears that the social engineering attack was accomplished using a technique called chaining or stringing, or as we call it, a multi-tiered social engineering attack. A multi-tiered social engineering attack works like this:

  1. Attacker has [xyz] info
  2. Attacker uses [xyz] to socially engineer Company A into giving [abc] info
  3. Attacker uses [abc] to socially engineer Company B into giving [mno] info
  4. Attacker uses [xyz], [abc], and [mno] info to gain access to account in Company C

According to Brian Krebs from KrebsOnSecurity.com, the Xbox Live attack worked like this:

Hackers used http://ssndob.ru to obtain SSN info on Microsoft employees working on the Xbox Live platform. The hackers then called the employees' phone companies and used the SSNs to have calls redirected. Next they called Xbox Live and had it call the number on file (which the phone company was now redirecting to the hackers' phones) to verify the account info. Once verification succeeded, the account password was reset and the hackers had access to the Xbox Live accounts. Brilliant.

We reported on this type of attack on August 7th, 2012 when Mat Honan’s iCloud account was hacked and his entire digital life destroyed. It appears the same hacker, known as “Phobia”, may be responsible for both multi-tiered social engineering attacks. In addition, Ars Technica is reporting that Phobia may also be responsible for the denial of service attack launched against the Ars site, also discovered by Brian Krebs.

In a statement to The Verge, Microsoft acknowledged that “a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees” had been compromised. Microsoft then went on to release a statement regarding this incident.

“We are aware that a group of attackers are using several stringed social engineering techniques to compromise the accounts of a handful of high-profile Xbox LIVE accounts held by current and former Microsoft employees. We are actively working with law enforcement and other affected companies to disable this current method of attack and prevent its further use. Security is of critical importance to us and we are working every day to bring new forms of protection to our members.”

“Microsoft does not collect or use Social Security numbers in its services, including Xbox LIVE Gamertags or Microsoft accounts. Attackers are targeting high-profile Microsoft employees by social engineering other companies that do use this data to intercept security proofs from Microsoft to compromise the accounts.”

Multi-tiered social engineering attacks are growing in popularity and being executed with devastating results. As companies begin to understand social engineering attacks and implement security procedures suited to their own organizations, thought also needs to be given to the larger global context. What if [xyz] data is obtained nefariously from outside our organization? Are our security protocols still sufficient? These vectors are only now beginning to permeate the thinking of security professionals and of the organizations tasked with protecting our data and, often, our digital lives.