I originally wrote this for Xbox.com and Xboxliveaddicts.co.uk; it's a very important topic that people should be aware of.
If it looks like it's too good to be true it usually is...
We've all seen them: websites offering you free Microsoft points, games and even gamerscore leveling services (websites that offer to gain you more gamerscore by asking for your Xbox Live details, be it paid or unpaid). These websites are more than likely to be phishing websites and should be avoided at all costs.
Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. It is a serious offence and is also known as Identity Theft.
These websites may look professional. They may even look like official websites such as Xbox.com, going as far as using Xbox.com's graphics and sign-in procedure, but they all have one thing in common: they exist to obtain your details for their own purposes. In the case of Xbox Live related phishing websites, once they have your details they can change the password on your Windows Live account, blocking you from access to it. Once this has happened you will also lose all access to your Xbox Live account. Once they have access to your Xbox Live account they can use your credit card to buy Microsoft Points, as many as they wish, and the only way to stop them buying more is to cancel that credit card.
"Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.
An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge. Just such a flaw was used in 2006 against PayPal."
It is not only websites that do this; emails that look like they come from banks are frequently popping up in our email inboxes. If you see one of these, follow the instructions here. Remember, official banks and services will not ask for passwords or personal details in an email.
Another way these tricksters work is by asking you for your Xbox Live details over Xbox Live. They can be very clever and may ask you a series of questions, such as your age and when your birthday is, which will give them your date of birth. They may also ask what your pet's name is or your mother's maiden name, secret answers that you may have used for your Windows Live account. If you suspect that someone is doing this, report them.
So what can you do to avoid these?
Always keep an eye on the URL (web address) that you are visiting. Only visit websites you trust. In the case of Xbox Live websites that ask you to log in with a .NET Passport, always check that the bar on the left-hand side at the bottom of your browser says "login.live.com"; if anything else comes up then you are more than likely on one of these phishing websites. In fact, the best way to avoid being caught by one of these phishing websites is to not have your .NET Passport set to sign in automatically.
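The host check described above, written out as an added example that is not part of the original article: it compares a link's hostname exactly against login.live.com, the one value taken from the article. The function name, the reason strings and the sample links are constructed for illustration, and example.net stands in for any other site.

```javascript
// Sign-in host named in the article; everything else here is constructed.
const EXPECTED_HOST = "login.live.com";

function checkSignInUrl(raw) {
  let url;
  try {
    url = new URL(raw); // throws on anything that is not an absolute URL
  } catch (err) {
    return { ok: false, reason: "invalid" };
  }
  // Only web links can be a sign-in page at all.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: "not-a-web-url" };
  }
  const host = url.hostname; // the parser lower-cases and punycode-encodes it
  // Text before "@" is a username, not the site; the real host follows it.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "has-userinfo", host };
  }
  // A label starting with "xn--" means the name held non-ASCII characters,
  // which can look identical to ASCII letters on screen.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "non-ascii-host", host };
  }
  // Exact comparison: a "contains" or "starts with" test would accept
  // login.live.com.example.net.
  if (host !== EXPECTED_HOST) {
    return { ok: false, reason: "different-host", host };
  }
  return { ok: true, reason: "match", host };
}

// Constructed sample links.
const samples = [
  "https://login.live.com/",
  "https://login.live.com.example.net/",
  "https://login.live.com@example.net/",
  "https://example.net/login.live.com/",
  "https://login.l\u0456ve.com/", // Cyrillic letter in place of "i"
];
for (const s of samples) {
  const r = checkSignInUrl(s);
  console.log(r.reason.padEnd(15), r.host || "-", "<=", s);
}
```

A match only says the link points at the expected host; it says nothing about what the page is doing once loaded, which is the situation the quoted passage on cross-site scripting describes.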
Never publicly announce your email address or real name on any forums. Search engines will pick these up and spammers then sell on your email address, and the spam will roll into your email inbox.
Never use any kind of gamerscore leveling service (be it through Xbox Live, a website or torrents), even if you think you know the person.
Install an anti-phishing add-on in your browser, such as this one.
Use the phishing filter in Internet Explorer to report websites which come up with a yellow or red warning. On the Internet Explorer 7 Tools menu, click Phishing Filter, then Report This Website.
There are also websites that are set up so that you can report phishing websites.
Remember: if it looks like it's too good to be true it usually is.
