A new round of phishing attacks and unauthorized PayPal charges is affecting Xbox 360 users this morning, and one of our readers has offered to share his story in the hope that others can prevent the same thing from happening to them.
This morning, when @BigMastadon woke up, he noticed $241 of unauthorized charges to his PayPal account, which is linked as a form of payment to his Xbox Live account. He immediately called PayPal to dispute the charges, and tells us “the rep at PayPal said he’s received 19 calls today within an hour” regarding the same issue. In an email to VGW, he recounted his phone call on the Microsoft side of the fence:
“When I spoke with the Microsoft agent, he noticed the charges and didn’t even question me about them. Immediately he recognized the fraud and sent it on to the investigation team. He described the situation as someone recovering the account and purchasing all the Microsoft Points shown. Then they purchase the Gold Family pack so they can transfer the points to another Gamertag on their console.”
You may remember back in October when a rash of FIFA-related phishing sprang up, with users being charged for $100s worth of FIFA DLC, whether or not they actually owned the game. We don’t know if this is related, but we’re certain a hacker or group of hackers has found a way to successfully recover multiple Xbox Live accounts to their personal consoles, thus gaining access to some of your financial information, or at the very least the ability to rack up charges using your primary payment method.
An early warning sign may be your inability to log in to your Xbox Live account, which happens after an account has been recovered to a different console. However, the new dashboard update allows you to have your account on multiple boxes without it being unplayable. (Thanks for the reminder, Ben. ~Ed.)
At this point it’s also unclear if this is isolated to Xbox 360 users with PayPal as their main form of payment, or if users with credit cards are also affected.
However, based on the number of calls being received at the PayPal dispute center, and Microsoft’s speedy acknowledgment of the charges, we strongly recommend that anyone with a Windows Live ID immediately change their password to something different and complex. Use a combination of symbols, numbers, and upper- and lowercase letters, and ensure that your Hotmail accounts, Xbox Live accounts, and Windows Live ID haven’t been compromised.
We’ve reached out to Microsoft and PayPal for more details, and we’d like to thank Justin for sharing his story with us.
UPDATE 1: As Justin himself pointed out in the comments, the Rift purchase was not his, and is not a purchase that can be made through an Xbox console. This points to a definite compromise of his Windows Live ID, so again we urge people to change their passwords immediately.