Microsoft refunding victims of Xbox Live phishing scam

Microsoft is giving refunds to the UK victims of a phishing scam that has affected a number of Xbox Live accounts. The Guardian reports that Microsoft says it is working with victims of the attacks, which attempt to gain access to the credit card accounts of specific Xbox Live customers. In a statement, Microsoft said, "... we are contacted by members regarding alleged unauthorized access to their accounts by outside individuals. We can confirm that only a small percentage of Xbox Live customers have been affected here in the UK."

The scam was covered by the UK tabloid newspaper The Sun earlier this week and was covered by Neowin before that report. The Sun story also implied that the Xbox Live service itself was the victim of a cyber attack, but Microsoft immediately said that was not the case and that the Xbox Live service for the Xbox 360 console was still secure. Microsoft also said today that there is currently no evidence that any personal customer information was released or sold to other groups as a result of these phishing scams.

The Guardian claims that the source of the Xbox Live phishing scam is in China or Russia, rather than a well-known hacker organization such as Anonymous. Microsoft has said that less than a million of its Xbox Live users have been affected by this latest attempt to gain access to user accounts.

The source does not make it clear whether Microsoft is refunding victims only in the UK or all victims of this phishing scam.


Yesterday, my account was compromised, e-mail account changed, and billed 10,000 MS points using my linked CC. Microsoft is investigating it and I am sure it will be resolved. However, I believe Microsoft is sweeping something under the rug. In early November, my co-worker told me his account was hacked, as 6,000 points were added to his account. And the day before Thanksgiving my friend had a similar problem, with someone using his points to buy FIFA DLC (he doesn't even own FIFA). These two guys are very tech-oriented people, but even still, I thought maybe they just clicked a bad link, or shared a common link between forum names/passwords. That was, until today, when MY account became compromised.

Microsoft claims there was no security issue, and these victims are just falling for phishing attempts.

For a little background: I am an IT administrator at a 100+ user company. I have my CCNA, CompTIA A+ Hardware, MCITP, and more. My email account used for my Xbox Live account is solely used for Xbox Live. I have never used it anywhere else. My password was over 10 characters long, including uppercase, lowercase, and numbers. I did not, and would not, fall for any phishing attempt. I have had the same Xbox Live account since the original Xbox and never so much as a blip with problems.

The influx of Xbox Live users this occurred to recently seem to be tech-savvy people like myself. I do not accept Microsoft's response as simple 'phishing.' There has to be more going on here. I want a better official response from MS. And until then, I advise you all to change your Xbox Live/Windows Live ID password.

Well, just to let you all know, I was a victim of the FIFA 12 hack and had £50 of points purchased on my account. I've had my account locked for 2 months, and waited 30 days for the investigation to hear if I would even get my money back.

They gave me 2 months free Live and told me it would be up to 10 days for the payment to be processed, and up to 30 days for it to appear on my statement.

Guess what, on 3rd of December the 30 days for it to show on my statement are up! I've phoned twice to ask why this is taking the time it should and even checked with my bank in case of any issue in payments coming in. All I've been told is to be patient and ring back on 3rd of December if no money is in my account from them by then.

So what then? Another 40 day period in which they are going to pay me?

I'm disgusted by their service, as I've never entered my account details anywhere outside of Live and in fact I set it up via my Xbox. So this phishing crap is exactly that!

They need to own up and stop trying to mitigate damage.

I won't be using any Live functions on my Xbox from now on as tbh 40 days to get back what is rightly mine is beyond a joke.

Yes, someone gained access to my account on Sunday gone. They bought 5 * 2000 MS points using my card and bought a bunch of Mortal Kombat games and Fight Night. I am still not sure how they've done it, but this is definitely unrelated to a phishing scam as I am not thick enough to fall for one.

foodan said,
Yes, someone gained access to my account on Sunday gone. They bought 5 * 2000 MS points using my card and bought a bunch of Mortal Kombat games and Fight Night. I am still not sure how they've done it, but this is definitely unrelated to a phishing scam as I am not thick enough to fall for one.

Do you use the same login info on other sites? If people think they haven't fallen for a phishing scam then maybe their info was taken from some other website they use it on. If you have a chunk of login data from some source then it's worth trying it on lots of different sites to see what sticks.

Personally I would not lose time looking for that.

When my battle.net account was hacked (and I mean the word hacked here) I tried to understand what had just happened. Of course Blizzard fanboys on the forum told me it was phishing. Then I told them I was a computer engineer and never entered my account information outside of the game login screen or after typing http://www.worldofwarcraft.com in the address bar of my browser.

Then it was not phishing anymore but a keylogger. Told them I had BitDefender running as a background process on my computer scanning for potential threats. Did 2 full scans of my machine (BitDefender and MS Security Essentials) and nothing was detected. All my running processes were legit also. It's also almost impossible for me to have a virus or keylogger on this machine as my gaming machine is also my work machine and I never visit insecure websites on this machine and never use a CD or USB key coming from someone else's computer (this machine is vital for my work so I don't mess with it; I have another computer for that).

It's also worth mentioning that the log of my router did not show any suspicious activity on my end the day before the hack.

Then it was my email account that was compromised and the hacker used it to retrieve my password. Logged in to my email account and no suspicious activity there either. The access log of the account did show the account was accessed from my IP only the week before the hack.

So after 5-6 hours I decided to give up and install the battle.net authenticator iPod app. But there's one thing I noticed and it's that it takes A LOT OF failed login attempts before Blizzard blocks an account (maybe Blizzard doesn't even block it, I did not go far enough to know). Things may have changed since then but I did 10 failed login attempts and my account was still not frozen. To me that's not really secure ...

Now I'm not saying those illegal Xbox Live accesses are not done by a phishing scam. But I'll definitely not blindly believe MS here. To me it looks like there's far too much illegal access to be all from a stupid phishing scam, especially since the average Xbox Live user is young and knowledgeable about things like that.

MS could improve the security of Xbox Live by asking for the 3-digit security code and maybe by adding an authenticator app like Blizzard did too.

Also one last thing someone in this topic said:

This. The general populace is and will always remain stupid.

I would say someone who blindly believes a big corporation like MS (or Apple or Google or Nintendo or Sony, name it) doesn't really show a higher level of intelligence ...

foodan said,
Yes, someone gained access to my account on Sunday gone. They bought 5 * 2000 MS points using my card and bought a bunch of Mortal Kombat games and Fight Night. I am still not sure how they've done it, but this is definitely unrelated to a phishing scam as I am not thick enough to fall for one.

1) Thinking you are above being fooled is the first sign that you are a good target.
2) It doesn't have to be phishing for everyone that was harmed, but if legitimate phishing scams are running, the majority of people are often getting ripped off this way.
3) There are numerous ways to gain access to your account, from idiots in team talk trading logins and passwords (which happens).
4) The reason MS points are good to use them on is that people use them as currency that is outside the traditional government and banking systems, which would raise flags and international flags of trade.
5) The nature of credit cards themselves have patterns and can be 'guessed', and once found valid, obtain the user's zip code and other identifying information that is shared 'publicly', as the 'last four digits' of your CC number is often not stored securely by anyone.

The point is, it could be FIFA, several different phishing scams, and also people picking random credit card numbers out of the air and using hacked databases to fill in the missing identity information for that credit card number that was literally randomly generated...

Microsoft is taking the hit, and doing what they can, but their servers haven't been broken into, and they do know where to fight this. (Notice they are the ones taking down some of the biggest scam and hacker related operations around the world.) They are also not Sony, running horribly outdated OSes with aged security and flawed security policies. Yet, ironically, Sony seems to get more of a 'pass' with users harmed by their negligence than Microsoft does by people not harmed by them...

foodan said,
Yes, someone gained access to my account on Sunday gone. They bought 5 * 2000 MS points using my card and bought a bunch of Mortal Kombat games and Fight Night. I am still not sure how they've done it, but this is definitely unrelated to a phishing scam as I am not thick enough to fall for one.

I just got off the phone with them. Someone bought a bunch of points and a subscription using my credit card. I previously had a Silver account and switched back to Gold when Microsoft themselves offered the 33% off deal. That's the only reason my card was put on the console. They will be giving me a refund too.

Exactly, it's NOT just the UK either. I got hit with this back in September. The only EA games I have ever played on my Xbox are Mass Effect 2 and Dragon Age, so it's NOT FIFA related. Also I'm leaning towards it being a Russian outfit doing this because the first thing they did before they started making charges on my CC was migrate the account to Russia. Then they made several "Point Purchases" and then they used those "Points" to buy Call of Duty and a bunch of its DLC. (How that profits them is a mystery to me.)

Luckily I caught the problem within 48 hrs of it starting, and MS did refund the charges on my CC almost immediately; however my account is STILL in limbo, and STILL in Russian. So while I'm happy the charges got refunded quickly, I'm a little ****ed off that they can't simply re-migrate my account back to me and remove the items from it that I didn't purchase.

Once again: this is not a phishing scam. Microsoft doesn't know what is going on, so they're just saying it's phishing when it's really something more.

matt4pack said,
Once again: this is not a phishing scam. Microsoft doesn't know what is going on, so they're just saying it's phishing when it's really something more.

Yeah, aliens are invading. /PalmToFace

If it is in fact from phishing, why is MS responsible for other people's stupidity? Do gun makers have to refund people for shooting themselves in the foot?

Colin McGregor said,
If it is in fact from phishing, why is MS responsible for other people's stupidity? Do gun makers have to refund people for shooting themselves in the foot?

This. The general populace is and will always remain stupid.

Colin McGregor said,
If it is in fact from phishing, why is MS responsible for other people's stupidity? Do gun makers have to refund people for shooting themselves in the foot?

+1

Colin McGregor said,
If it is in fact from phishing, why is MS responsible for other people's stupidity? Do gun makers have to refund people for shooting themselves in the foot?

I'm still not convinced it's phishing and I'll never be. My battle.net account got hacked and Blizzard told me it was phishing, and I can guarantee you the account was not compromised from my side.

MS could improve the security of Xbox Live by asking for the 3-digit security code when people buy things using the stored CC information.

This code is really easy to memorize and it doesn't take too much time to enter it, even using the Xbox 360 controller.

Glad they're getting their money back. I might have unlinked my credit card if they hadn't budged. It'd basically say that you take all the risk with your account. I've heard a lot of the people who got hacked had played FIFA. Maybe there's a breach on EA's side?

It's easy to criticise The Sun but I bet Microsoft wouldn't have started doing this so soon (though I know it's been going on for a while) if they hadn't run the story on their front page last week.

what said,
It's easy to criticise The Sun but I bet Microsoft wouldn't have started doing this so soon (though I know it's been going on for a while) if they hadn't run the story on their front page last week.

But if Microsoft weren't to blame, why should they have to hand a penny out? I'd even go as far as to say that the story in the Sun verges on libellous if they claim it was Microsoft's fault.

Majesticmerc said,
But if Microsoft weren't to blame, why should they have to hand a penny out? I'd even go as far as to say that the story in the Sun verges on libellous if they claim it was Microsoft's fault.

It's a gesture to show that Microsoft cares for its customers even if the company is not at fault.

day2die said,
It's a gesture to show that Microsoft cares for its customers even if the company is not at fault.

Agreed, but the only way you can combat stupid is to hold them responsible for their actions... Bailing them out constantly only serves to further acts of stupidity...

M_Lyons10 said,
Agreed, but the only way you can combat stupid is to hold them responsible for their actions... Bailing them out constantly only serves to further acts of stupidity...

That's just not how it works. I am sure people who have fallen victim to those scams did not do so on purpose. It's only right for Microsoft to refund those people, just like a bank would if your card gets cloned or fraudulent charges are made. If, subsequently, Microsoft chooses to pursue those scammers, it would be their choice. Anyway, they are better positioned due to greater legal and financial might.

Majesticmerc said,
But if Microsoft weren't to blame, why should they have to hand a penny out? I'd even go as far as to say that the story in the Sun verges on libellous if they claim it was Microsoft's fault.

Actually, if Xbox Live asked for the 3-digit security code, people with illegal access to an Xbox Live account would not be able to buy things using the stored CC information.

A lot of online stores ask for this 3-digit code.

what said,
It's easy to criticise The Sun but I bet Microsoft wouldn't have started doing this so soon (though I know it's been going on for a while) if they hadn't run the story on their front page last week.

Microsoft is generally quite quick to jump on things like this because it gives them good publicity, if it doesn't cost them too much.

Minimoose said,
Microsoft is generally quite quick to jump on things like this because it gives them good publicity, if it doesn't cost them too much.

Really, for publicity? The company that has had horrid publicity and some of the worst PR in the industry?

Ya, that is what they are known for...

Just like the NoDo update, where they jumped on the chance to explain that it wasn't their fault to gain 'good' publicity... Oh wait, they kept their mouths shut and took the fall for the update, when they had NOTHING to do with it whatsoever...

If you think Microsoft's ethics are for publicity, you have them mixed up with Apple, Google, or Sony, who live and die by public opinion and polls.