You can install the industry's strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock down the server room, but how do you protect a company from the threat of social engineering attacks?
For any of you who are involved in security awareness efforts, you know what I am talking about. It could happen tomorrow, it could happen today, or it might already have happened.
In a recent disclosure, renowned hacker and developer DarkCoderSc (Jean-Pierre LESUEUR) explained how one can easily socially engineer the Microsoft Skype support team into handing over access to any Skype account.
From a social engineering perspective, employees are the weak link in the chain of security measures in place. In this case he simply exploited a weakness in Skype's own password recovery process.
One simply needs to contact Skype support and ask for the account's password to be changed. After that initial step, one has to prove real ownership of the requested account: you must give the support desk the names of 5 contacts from the account.
“That's easy because you just have to add 5 fake temporary accounts to the target account and it's done. Another option is to simply ask the target what people he knows on Skype. That option wasn't that hard because I have over 1000 contacts,” he says of the trick.
Within a few seconds the attacker can become the owner of any victim's account by providing very basic information to the support team.
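To make the weakness concrete, here is an added example (not from the original post, and not Skype's actual code) that models a recovery desk's ownership check in Python: the naive rule accepts any five names that appear on the contact list, while a hardened rule only counts long-standing, mutually accepted contacts with message history. The Contact fields, the 30-day threshold and the sample accounts are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified model of a contact-list entry (assumed fields, not Skype's data model).
@dataclass(frozen=True)
class Contact:
    name: str
    added: datetime   # when the contact appeared in the account's list
    mutual: bool      # whether the other side accepted the request
    messages: int     # number of messages ever exchanged

def naive_verify(claimed, contacts, required=5):
    """Weak rule described in the article: any `required` names found
    on the contact list count as proof of ownership."""
    names = {c.name for c in contacts}
    return len(set(claimed) & names) >= required

def hardened_verify(claimed, contacts, now, required=5, min_age=timedelta(days=30)):
    """Only long-standing, mutually accepted contacts with real message
    history count, so contacts added minutes ago prove nothing."""
    trusted = {c.name for c in contacts
               if c.mutual and c.messages > 0 and now - c.added >= min_age}
    return len(set(claimed) & trusted) >= required

# Constructed sample data: an account with eight genuine contacts...
NOW = datetime(2013, 1, 15, 12, 0)
genuine = [Contact(f"friend{i}", NOW - timedelta(days=400), True, 50) for i in range(8)]
# ...to which an attacker has just added five throwaway accounts.
fake = [Contact(f"tmp{i}", NOW - timedelta(hours=1), False, 0) for i in range(5)]
contact_list = genuine + fake

attacker_claim = [c.name for c in fake]       # the five accounts the attacker controls
owner_claim = [c.name for c in genuine[:5]]   # five real friends the owner would name

if __name__ == "__main__":
    print("naive, attacker:   ", naive_verify(attacker_claim, contact_list))         # True
    print("hardened, attacker:", hardened_verify(attacker_claim, contact_list, NOW))  # False
    print("hardened, owner:   ", hardened_verify(owner_claim, contact_list, NOW))     # True
```

The age and history check defeats the fake-temporary-contact route but not the second route the author describes, asking the target who they know, which is why a contact list is a poor proof of ownership on its own.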
“Also, Microsoft's Support Team should make a serious effort to communicate better with their customers. At the moment they do not seem to care that much about their customers.”