"SkypeSkrayping" with CSRF
In a nutshell, we have discovered methods that give an attacker a window of opportunity to make forged requests on behalf of Skype subscribers who are logged in to their web accounts. At the time of this entry's publication, there were more than 15 million users online. If only 1% of those users responded to the phisher's Skype instant messages, the phisher could take over 150,000 Skype accounts.
The simplest technique is similar to a phishing attack, only a bit more interactive:
[SkypeSkrayper: Hello, I apologize for the disruption, but this is a friendly reminder that Skype is having a special today. We are offering $25.00 extra credit in your SkypeOut account if you do "X". We will never ask you for your username or password over Skype Instant Messaging.
Victim: OK!]
That "X" can be many things, but it only requires that the user has logged in to their web-based Skype account within the last 30 minutes (the lifetime of the web session) and then views another site, which may be trusted or untrusted depending on the security of that site.
That 30-minute session window gives the attacker an opportunity to do something clever like this:
[SkypeSkrayper2: Hello, were you just contacted by someone promising $25.00 extra credit? This is the Skype Fraud Detection (SFD) department; we believe that your computer may be infected. We need you to go to this site to check for and eliminate the infection (X-Fake-Security-Site). As this is Skype-specific, anti-virus software cannot eliminate this threat. Note: the SFD will never request your Skype password.
Victim: OK!]
Note: the phisher never needs to ask for the Skype username or password.
This is where the maliciousness transpires. The victim's browser automatically attaches the Skype web session cookie to any request made to the Skype account site, regardless of which page issued it. Using either an inline frame ("iframe") or image ("img") tag on the fake site, attackers could execute the following:
- Add a Specific Call Forwarding Number
  - Grants attacker ability to receive the victim's incoming calls
- Obtain a Skype-To-Go Number
  - Grants attacker ability to access victim's voicemail, speed dial, and outbound calling via spoofed Caller-ID
Phishers could trivially use these vulnerabilities to steal Skype numbers. They could use the numbers to pose as legitimate financial institutions, presenting them as inbound phone numbers, or to proxy their own outbound fraudulent calls through SkypeSkrayped accounts.
Examples
http://www.securescience.net/xss/skype/skype1.html - CSRF demonstration of hijacking incoming Skype calls. Please note that you must be logged in to your Skype web account for this example to work.
Tomorrow we will continue with the example for obtaining a Skype-To-Go Number, demonstrating outbound calling from a hijacked account.