Forged messages in Skype Chat (resolved!)

When I logged into Skype this morning, I received a message from an old colleague/friend I still occassionally chat/lunch with:

...] xxxxxx: http://goo.gl/3RVgvc?32017=[myusername]

Now, obviously I would never click on this (please don’t click on it either!), as it immediately rings several alarm bells. A quick investigation with a URL expander proved my suspicions: it leads to referral spam/survey website.

What struck me as odd, was that this friend ‘knows his stuff’ and would never let himself be tricked into participating in these scams, click on random links, fall victim to trojans/malware, etc.

As soon as he came online, I pointed out out that there might be something wrong with his Skype account. He immediately jumped to action and quickly determined that his system was squeaky clean. Even more importantly, his computer was, in fact, turned off at the time of this message. This left us with three options:

  1. Maybe his Skype-account had been brute-forced? This seemed extremely unlikely, as he uses a randomly generated strong password (everyone should)
  2. LastPass had been compromised. This was also exceedingly unlikely, as this would require an additional strong password and posssession of his Yubikey… (really, he knows his stuff ;))
  3. So, that left us wondering if something was up with Skype…?

He contacted Skype support and the transcript(*) was interesting, to say the least:

 Arlene Joy R: at 8:52:14 - Well actually, no one hacked your account
 Arlene Joy R: at 8:52:27 - Thank you for bringing this to our
                            attention
 Arlene Joy R: at 8:52:49 - we are actually aware of this concern,
                            where links are sent to all of your
                            contacts
 Arlene Joy R: at 8:52:57 - this is the spam virus
 Arlene Joy R: at 8:53:17 - Let me assure you that Skype is already 
                            on top of this situation and we’re doing
                            the best we can to rectify this.
 You:          at 8:53:15 - sorry my computer was turned off at time
                            of spreading
 You:          at 8:53:30 - how can the computer sent links if it
                            is turned off and nobody has my
                            password?
 Arlene Joy R: at 8:54:04 - yes that is correct there are cases that
                            it was sent even if you are not logged
                            in on your computer

This was followed by the Skype Support Engineer giving instructions to unlink all applications to Skype(**), wiping all of Skype’s application and temporary files and the chat history.

Update 1: another friend also reported receiving the same message.

So, does anyone have an idea what’s going on?

Update 2: a Microsoft/Skype engineer contacted me to figure out what was going on.

Apparently this is a known issue with Skype accounts that might have been linked to e.g. old Hotmail-accounts, or a disconnect (no synchronization) between an old Skype password and an MSA password. In short, if your password to one of these old accounts is compromised, it can also be used to login to Skype. Yes, you read that correctly: you can have multiple working passwords for one Skype account/username!

Thanks to Microsoft for contacting me about this. I’m not sure how I feel about the principal possibility to have multiple working passwords for a single Skype account, but at least it’s good to know how to mitigate this issue if you’ve been affected.

TL;DR: If you’ve used Skype for many years, it might be linked to old Microsoft accounts (e.g. Hotmail): make sure you are using strong passwords for those old accounts to prevent malicious logins on Skype as well.

(*) transcripts were cleaned up and reformatted for legibility
(**) Messenger+/MirandaNG: only worked locally and weren’t compromised either

This entry was posted in DHCP. Bookmark the permalink.