For any of you that are involved in security awareness efforts, you know what I am talking about. It could happen tomorrow, it could happen today or it might already have happened.
In a recent disclosure posted by renowned hacker and developer DarkCoderSc (Jean-Pierre LESUEUR) explained that how one can easily Socially Engineer Microsoft Skype Support team to get access to any skype account.
From a social engineering perspective, employees are the weak link in the chain of security measures in place. He simply used the weakness of Skype password recovery system itself.
One simply need to request a new password to Skype support and asking to change the password. After the initial step one needs to proof the real ownership of the account requested. You must give 5 contacts accounts to the support desk.
"That's easy because you just have to add 5 fake temporary accounts to the target account and its done. Another option is to simply ask the target what people he know on Skype. That option wasn't that hard because I have over 1000 contacts." he suggests the trick.
Within few seconds attacker can become owner of any victim account by proving very basic information to support team.
"Also Microsoft's Support Team should make a serious effort to communicate better to their customers. At the moment they do not seem to care that much about their customers."
Social engineering is the act of manipulating a person into gaining access or sensitive data by preying on basic human psychology. Still, There is no patch for human stupidity!
