[Updated] New round of fraud, phishing appearing on Xbox Live, Paypal accounts

Dec 26

A new round of phishing attacks and unauthorized Paypal charges is affecting Xbox 360 users this morning, and one of our readers has offered to share his story with the hope that others can prevent the situation from happening to them.

This morning, when @BigMastadon woke up, he noticed $241 of unauthorized charges to his Paypal account, which is linked as a form of payment to his Xbox Live account. Immediately he called Paypal to dispute the charges, and tells us “the rep at Paypal said he’s received 19 calls today within an hour” regarding the same issue. In an email to VGW, he recounted his phone call on the Microsoft side of the fence:

“When I spoke with the Microsoft agent, he noticed the charges and didn’t even question me about them. Immediately he recognized the fraud and sent it on to the investigation team. He described the situation as someone recovering the account and purchasing all the Microsoft Points shown. Then they purchase the Gold Family pack so they can transfer the points to another Gamertag on their console.”

A screenshot of the user's Paypal statement, showing the unauthorized charges

You may remember back in October when a rash of FIFA-related phishing sprang up, with users being charged for $100s worth of FIFA DLC, whether or not they actually owned the game. We don’t know if this is related, but we’re certain a hacker or group of hackers has found a way to successfully recover multiple Xbox Live accounts to their personal consoles, thus gaining access to some of your financial information, or at the very least the ability to rack up charges using your primary payment method.

An early warning sign may be your inability to log in to your Xbox Live account, which happens after an account has been recovered to a different console. However, the new dashboard update allows you to have your account on multiple boxes without it becoming unplayable, so the absence of that sign does not mean you are safe. (Thanks for the reminder Ben ~Ed.)

At this point it’s also unclear if this is isolated to Xbox 360 users with Paypal as their main form of payment, or if users with credit cards are also affected.

However, based on the number of calls being received at the Paypal dispute center, and Microsoft’s speedy acknowledgment of the charges, we strongly recommend that anyone with a Windows LIVE ID immediately change their password to something different and complex. Use a combination of symbols, numbers, and upper- and lowercase letters, and check that your Hotmail accounts, Xbox Live accounts, and Windows LIVE ID haven’t been compromised.

We’ve reached out to Microsoft and Paypal for more details, and we’d like to thank Justin for sharing his story with us.

UPDATE 1: As Justin himself pointed out in the comments, the Rift purchase was not his, and is not a purchase that can be made through an Xbox console. This points to a definite compromise of his Windows Live ID, so again we urge people to change their passwords immediately.

About Jason Evangelho

Jason is VGW’s founder, publisher, and longtime podcaster, writer, and “solopreneur” who is driven by the classic Jello Biafra quote “Don’t hate the media. Become the media.” You can hear him ranting alongside the VGW Collective in the site’s official podcast, “Unlimited Ammo.”

34 Comments

  • Ceekay
    Dec 26, 2011 @ 10:49 am

    Hacked ? I don’t think so… it’s more likely they gave their personal information because of some Email they got or on some phishing website. That’s what happens in 99,9 % of all the cases when someone got “hacked” .

    • Jason Evangelho
      Dec 26, 2011 @ 10:50 am

      19 customers calling paypal in an hour, and Microsoft immediately knowing the problem and not disputing it? I think this is more than personal info being leaked, but I do agree that’s a common cause for account intrusion.

    • Andrew
      Dec 29, 2011 @ 9:01 am

I’ve been affected by this. The first I knew of it was the Paypal receipts this morning for two large purchases of Microsoft points, which I immediately disputed with PP.

Just after that I got an email from Microsoft asking me to confirm whether I wanted to change my linked email to one I didn’t recognise, which of course I rejected.

      Like BigMastadon and a few other commenters I’d also count myself as fairly clued up when it comes to online security and spotting phishing emails or websites. It’s not as simple as a few gullible folk falling for a scam.

  • Sam
    Dec 26, 2011 @ 11:27 am

    This happened to me as well (not the paypal since my Xbox is linked just to my credit card) – but I got hacked for $70 – I called MS and they locked my account for 25 days while they investigate…

  • BigMastadon
    Dec 26, 2011 @ 11:41 am

    Ceekay, I can guarantee I didn’t fall victim to any phishing scams. I’m smarter than that and don’t even click on any emails pertaining to “free” or “discounted” offers unless verified by credible sites. Definitely took me by surprise as I hadn’t used my 360 the day before.

One thing I noticed as I looked at the purchases more: the Rift purchase was a Games for Windows Live purchase, which can’t be done on the 360.

    • Jason Evangelho
      Dec 26, 2011 @ 12:20 pm

So it sounds like perhaps your Windows LIVE ID was definitely compromised.

    • Kenn
      Dec 26, 2011 @ 15:21 pm

This is not the way to spend the holidays. More of a hassle really; unfortunately there are lowlifes like this among us. I hope this all gets straightened out for @BIGMASTADON & all other victims. Sounds like Microsoft is on top of it; just hope it was PAYPAL accounts only & credit card information was left alone, as shitty as that may sound. Also hope to see updates on this soon from MS.

  • Sam
    Dec 26, 2011 @ 12:28 pm

    It’s possible, though for me, when I logged into my Xbox that night I received a message that said I was last logged into a different console. So, I had thought it was just on the console.

  • fistador
    Dec 26, 2011 @ 20:13 pm

Same thing happened to me. They bought 3000 points with my account :( Opened a dispute with Paypal and called Microsoft; they said they would get back to me in 21 days.

  • John
    Dec 26, 2011 @ 22:08 pm

    Not isolated to people who primarily fund via Paypal. I have never paid via paypal, nor is it tied to my Windows Live ID. It is most certainly an issue of Windows Live IDs being hacked.

    I have never clicked a phishing scam via email or website, so this was doubtfully on MY end.

  • John
    Dec 27, 2011 @ 14:58 pm

Happened to me. Called CC and told them it was fraud. Charges disappeared from Xbox account.
Got hacked again, but had deauthorized that account from making any purchases. Aside from changing passwords, any way to prevent? It’s a PITA to have to friend everyone again.

  • Matthew Lovacheff
    Dec 27, 2011 @ 15:50 pm

Most likely, people have been able to con the CSRs into resetting their password and sending the info to a new Windows Live ID. It only takes 5 semi-public pieces of info to do this. This happened to me on the 18th and I found out exactly what it takes to recover a password. Anyone can do it. Especially if you keep calling until you build a rapport with a CSR or pull the “I never use my Windows Live ID, I can’t remember what it was!” line.

  • Turvs
    Dec 27, 2011 @ 17:33 pm

This also happened to me and I know better than to click on scams. My password was unique and not related to my life or personal info of any kind.

  • Joe
    Dec 28, 2011 @ 8:49 am

This has happened to me as well. They bought 6000 points and used all my points on a game. It was also charged to my Paypal account. Made a claim to Microsoft (16 days’ wait) and Paypal (10 days’ wait).

  • matt
    Dec 28, 2011 @ 13:58 pm

    This happened to me as well. 400+ bucks on hold for at least 10 or 16 days. Awesome. I can assure the naysayers that I didn’t give out any Windows Live information.

For the record:
Windows Live user and don’t own an XBOX.
Paypal was the funds source.

  • Mary J
    Dec 28, 2011 @ 15:03 pm

    My boyfriend is missing $450 due to this.

  • Jamie C
    Dec 29, 2011 @ 13:46 pm

    Had a PayPal account linked to my Windows Live account in order to pay for an App Hub subscription. Do not even own an Xbox. The account was bust into earlier today and the linked PayPal account was emptied to pay for Xbox games. As mentioned, this is a toy I don’t even own.

Once I’d realised the account had been compromised (received an automated email from Microsoft detailing the fact I’d added a second email to my account, when I hadn’t) I changed my password. STILL the points were deducted from my account, long after the thing was locked down. Something fishy going on there.

In my mind the problem is directly a result of Microsoft funnelling all their subscription payments into one system. It is very likely for the average Windows Live account to have a linked credit card or PayPal account, with or without an Xbox, and that’s why they are targeted.

  • anon
    Dec 29, 2011 @ 15:00 pm

Just been done myself. Saw £17 go, but they have taken £34 more in the last 5 mins and I can’t cancel my Paypal on XBL until tomorrow morning when MS reopen here in the UK. I’ve stopped auto-renew on XBL and cancelled subscriptions to XBL on Paypal, so fingers crossed that at least stops it.

  • dogdays
    Dec 30, 2011 @ 14:06 pm

Found this website through googling, adding that I am another victim. My account was compromised and 2000 points were bought on Christmas day. Changed my password on a new machine in case I had been keylogged, and I wake up in the morning to see that they’re back in the account and have bought a further 7000 points. All payments were very quickly reversed by PayPal so at least I have my money, and my LIVE account is locked down while they investigate.

    I am not a victim of phishing or social engineering as I am savvy enough not to fall for those, and my important data for my account was mostly gibberish. How they’ve done it I don’t know, but anyone who says it’s merely phishing is way off the mark.

  • Jan 4, 2012 @ 6:12 am

    Another victim here, and another one who is absolutely sure that it is not through phishing.

  • Drakus
    Jan 4, 2012 @ 13:16 pm

Another here, for sure it was not thru phishing or any other thing. No EA account, so it has to be thru Windows Live sign-in. Paypal, within hours of my complaint to them of over $300, stopped all the transactions to M$, and my bank was aware of what was going on and immediately stopped all Paypal payments with the figures that matched. M$ said to me it will take 28 days to investigate; I said fine. I will be charging them 28 days plus 1.5% interest per day on my monies and 2 days for every 1 day that I am without my XBL services. It is pretty simple and they cannot deny me, since refunds are immediate (24 hours max). But they never got my money, thanks to my bank.

  • Cara
    Jan 7, 2012 @ 21:50 pm

Like many others, 300 dollars went missing from my Paypal account. The charges were to Microsoft. The account was soon frozen, locked down, or limited. However, Paypal caught it.

I do not have a credit card registered, or in this case a PayPal account, on Xbox Live, MSN or Windows Live. I do not understand how they got my Paypal information. Most likely by email, like most of these comments said.

I do not think it is from email, but not 100% sure. What I am 100% sure of is I do not have my information with Xbox Live, MSN or Windows Live. Never had, even once.

All charges have been reversed and everything is fine now.

I posted this problem online asking many others about it while it happened; all I got is trolls calling me stupid.

  • Sean
    Jan 7, 2012 @ 23:39 pm

This has happened to me as well. A person used $135.00 to purchase MS points through my Paypal account. I never gave out any information. I disputed the charges as unauthorized with Paypal and I sent a message to Microsoft. Hopefully Paypal rules it as unauthorized and refunds my money. After I get my money refunded I plan on closing my Paypal account and getting rid of my Xbox Live account as well, just to make sure this never happens again.

  • Jason Evangelho
    Jan 7, 2012 @ 23:52 pm

    Clearly ALL of these comments are proof that absolutely nothing is wrong with Windows Live ID/Xbox Live Security. #Sarcasm

  • Michael
    Jan 14, 2012 @ 18:12 pm

    Another victim here. $300+ in unauthorized transactions, but luckily I got it back from PayPal (there’s also a separate investigation ongoing with Microsoft).

    This was definitely not a phishing attack, at least not on my end. Malicious software (e.g. keylogger) is also highly unlikely in my case. I think it was a breach in MS security.

  • Jan 14, 2012 @ 22:06 pm

I tried to solve it through online chat support with MS but they were useless. I went through PayPal and they closed it, returning my money in just over 24h. Well done.

  • Jared Bork
    Jan 29, 2012 @ 16:30 pm

Same shit happened to me, $135 in Microsoft point bundles through my Paypal linked to my gamertag. Also another email they linked to it: “yt111y@126.com”.

    • Jared Bork
      Jan 29, 2012 @ 16:31 pm

Needless to say I’m done with Microsoft’s services. I don’t even use my Xbox.

      • Jared Bork
        Jan 29, 2012 @ 16:33 pm

Oh wait, there’s more: $271 total on just points.

  • Ouroborous implosive charge
    Feb 1, 2012 @ 18:54 pm

Just had more than 6000 MS points lifted from me by these hacking @sshole$. Caught them in the act just 2 hours after they accessed; they even tried logging in whilst I was resetting my passwords, back for more obviously. Had an awesome game of tennis, “gamertag has logged in on other console”, back and forth for 3 mins. I re-downloaded my profile with the new password to be sure, and activated the ‘password required on all other consoles’ option, along with a 4-button controller password to boot. Crack that, you thieving scum. Also deleted my card details from Xbox Live (after switching Xbox membership payment to the Paypal option), and blocked any more transactions thru Paypal via Paypal directly. Unauthorised transaction logged with Paypal.

Clearly multiple usage of single passwords on various websites is to blame; possibly I’ve used the same password with my EA account for Fight Night (will absolutely not trust EA again, lesson learned). What I want to know is why spend all those points on DLC for FIFA 12?? What a crap, pointless game. You d1ckbrain hackers could at least spend it on something I might want on my account whilst you were ‘borrowing’ it.

Dirty thieves. Never mind SOPA, PIPA or ACTA, these are the real thieves government legislation needs to be chasing! Xbox Live accounts today, could be bank accounts and credit card accounts tomorrow. Ironically this is just the situation where tracing an IP address might actually be useful. Forget about tracing casual downloaders; tracing actual thieves, I’d pay for that. Maybe not over a measly 6000 MS points, but for like 4 or 5 times that amount? Wouldn’t you want to go round their house and stove their face in…? I mean, stove their Xbox/computer in…

  • stephanie
    Feb 13, 2012 @ 15:47 pm

Same shit happened to me. I was charged at about 9am this morning while I was still sleeping, and saw an email of charges and an email added to my account: yt111y@126.com. I was like wtf? Looked through more e-mails; Paypal had already refunded my account back at around 11am. I have my money back and all, but wtf is going on?! My Paypal password is very secure and I have never used it for any other site or usernames. I recently changed accounts to the family pack and linked my Paypal to Xbox, thinking that that’s how I was charged for 6000 Microsoft points, but this is stupid. We pay for Xbox Live. Isn’t this so that stuff like this doesn’t happen?!

  • Apr 21, 2012 @ 16:44 pm

Just had it happen to me as well. I have a Gmail account and my Paypal was associated with the Xbox account. I’ve been gaming for years / have been a designer and developer for 10 years, and I definitely was not socially engineered or phished, so I don’t have any idea why Microsoft is claiming this bullshit. I was charged around 150 dollars and I’m pissed.
