About an hour ago I got a message from a friend that my Skype account had sent a suspicious-looking link to Baidu. As I wasn't signed into Skype, and I only use Skype a few times a year (when scheduled via e-mail), that sounded strange. But it was true - after logging into Skype, I was greeted by an "unread messages" count of a few dozen. And that was doubly strange as, since I don't use Skype that often, my Skype contact list is very short - maybe 10-15 persons, max.
If you are one of those people who have received a Baidu link from me, I hope you've been suspicious enough not to click it. Generally, please don't click on strange links which you have not previously requested, anywhere, from anyone.
After reviewing "recent activities" on the Microsoft Live platform (because Microsoft bought Skype and made it shittier, and half-integrated the products), it looked like there was a suspicious login from an IP address that the platform recognized as being located in Cambodia. So, it looks like my password was possibly brute-forced from Cambodia, then a hacking client logged in with the brute-forced password and sent spam messages. This spam was a link that was basically disguised as coming from Baidu. But that's not all: BEFORE sending all this spam, the hacking client somehow added a few hundred people from my Google contacts to my Skype contacts - including some very recent people.
That's the real issue: how did my Google contacts end up in Skype? I don't think it's a sophisticated enough attack that it could browser-scrape contacts, so it seems like it should happen in server-to-server communication between Microsoft Live and Google. I had 2FA on Google, but I've only just added it to Microsoft Live. I'm not sure if there's some kind of "Import contacts from Google" option in Microsoft Live, but even if there is, I sure haven't used it in years, and probably never, and still there were a few very recent Google contacts there.
Update: just got another idea from a friend: this could have happened through the phone apps, if the Skype app has access to Google Contacts. Which I've now checked and it does - naughty Skype! Bad!
Skype's user interface is atrocious:
- I've found out that Skype has sent a bunch of messages to people who had not yet accepted the (hacked) contact request. This means that people I have no intention of contacting via Skype have received spam messages from my account without even accepting the contact request. Why is this possible?
- Because this attack added hundreds of people to my Skype contact list, I have now had to go manually through each of them and notify the people not to click on the links.
- Skype does not allow multiple-select on contacts or conversations, so I had to right-click every single one and choose "Remove from Contacts" or "Hide conversation" from the pop-up menu. This is so sad.
All this has reminded me why, in 2017, I still avoid both Skype and Microsoft's products.
So to summarise, what to do about such vulnerabilities? At least the following things:
- Turn on Two-Factor Authentication (2FA) in Microsoft Live.
- On Android phones, go to Settings, App permissions, and remove permissions from as many apps as possible, especially in the Contacts category.
While this doesn't guarantee you won't be hacked in a different way, at least it prevents one way of doing it and minimizes the damage such a hack can do.
Here's an insightful link another friend has sent me about Skype's security. Very much worth reading!