Videogames: August 2009 Archives

Today we're going to look at a malicious program that seems to take its cue from the Facebook Freezers I've written about previously. In those cases, the aim is to get a Facebook account banned by repeatedly entering an incorrect password into the login form. Here, the intent is to make using your XBox the most annoying thing in the world.

Here is the program in question:


Don't be fooled by the whole "friend" thing. This is not your friend. Or at least, it isn't if it's pointing directly at you. Assuming the attacker fires it up - and they're not going to leave it sitting on the desktop doing nothing - this is what they'll see:


"Friend request spammer"? This isn't going to end well, is it? Sure enough, simply type in the name of the XBox Live user you want to target on the left, login to XBox Live with your own account using the button on the right and you can begin your mischief. We should see what some of those other buttons do first, though - let's check out the Avatar and Gamercard buttons. In any other program, these might be handy features - but given the "spam attack" nature of this executable it all takes on a slightly creepy stalkerish vibe.

With the Avatar Searcher, you can call up an image that the target uses as their Avatar on XBox Live, additionally giving you the ability to save said images.

Why would you do want to save these images? Who knows. Perhaps printing them out and pinning them to your wall, serial killer style is all the rage these days.

Avatar Searcher, originally uploaded by Paperghost.

The Gamercard Searcher performs a similarly creepy function, grabbing a list of your most recently played games and your gamerscore. Perhaps the potential spammer really wants to cackle with glee over every aspect of your gaming life before trying to ruin it.

Gamercard Searcher, originally uploaded by Paperghost.

Anyway, let's get to the reason we're all here - spamming. And lots of it.

Assuming the attacker knows your Gamertag, once they hit the "Spam" button, as long as your XBox is online you'll see a friend request appear at the bottom of your TV screen:

Rapidfire Spam Requests, originally uploaded by Paperghost.

Imagine your dismay, then, when it turns out the attacker has gone out for coffee, a hot date and a night on the town leaving the Friend Spammer switched on. It's not long before your mailbox notifier is repeatedly telling you that something is going horribly wrong:

My inbox, it's under fire, originally uploaded by Paperghost.

8 friend requests from the same person in about 30 seconds. Before the first minute is up, your XBox Live mailbox looks like this:

16 messages in under a minute, originally uploaded by Paperghost.

While it's somewhat touching that this person wants to be your friend so badly, it isn't doing your sanity - or your connection - much good. Based on comments we're seeing on numerous Youtube vids & hacking forums related to this program, the effects range from lag to the XBox dashboard slowing to a crawl or crashing altogether (mine didn't crash, for the record although it did become a little jerky when navigating menus). Additionally, some people report not being able to block communications with the spammers due to this happening when they try to do it:



Going into "Block Communications" will stop the messages from the user sending them to you (as long as you don't get the above error message) but one popular tactic seems to be queuing up multiple spam accounts in Virtual Machines then hitting you with a never ending series of spam messages. It seems setting your status to "Away" will also block these unwanted messages wholesale, so you might want to try that.

Hands up who else preferred it when gaming was just about shooting things in the face?

Finding dumps of stolen logins is a common occurrence round this neck of the woods; if it isn't a bunch of XBox logins, it's 5000+ EBay / Paypal accounts. Well, here we have roughly 86 Windows Live ID accounts taken without permission, via a phishing page.

Windows Live IDs can be used to access everything from Hotmail and MSN to XBox Live and Zune. Grab a Live ID, and the amount of ways you can ruin someones day increases in spectacular fashion.

In this case, the target was XBox Live gamers, by way of a fake "Get Microsoft points for free" phish.

What I found particularly interesting here is that the collected data reveals the (borderline desperate) greed on the part of the victims - allow me to explain. Many of the most popular XBox phishes involve the site creator pretending to be an ex Microsoft employee, who just so happens to have a magical way to create "free" Microsoft points (which otherwise cost money, and are used for digital videogame transactions and Zune marketplace purchases).

Here's a typical example of said fakery:


There's normally a dropdown box (bottom right), asking the victim to select a fictional amount of points while they throw away their login details. More often than not this information isn't included in the phish dump, because the phisher couldn't care less how many points the victim is after. This is what you normally end up with:

Click to Enlarge you can see, nothing more than the Live ID, the password and the date.

Here, however, each stolen account in the data dump looks like this:

Logged IP address: xx.xx.xx.x0 - Date logged: Monday 20th 2009 of July 2009 09:17:27 PM

For some unknown reason, the phisher decided to log the points the victim tried to obtain for free. This means we can gather up some data about the level of frenzied button mashing the victim goes through over a period of days.

Days? You bet. More on that later - for now, let's take a quick look at the amount of points the victims were dying to get their hands on. The stolen logins have been in circulation on forums for a while, and based on comments we've seen all of them have either been locked down or leeched but we've notified Microsoft anyway. All of the below were phished between Monday the 20th of July and Tuesday the 28th:

500 MS Points ($6.25 / 4.25 GBP) - 17 requests
1000 MS Points ($12.50 / 8.50 GBP) - 8 requests
2500 MS Points ($31.24 / 21.25 GBP) -  8 requests
5000 MS Points ($62.48 / 42.50 GBP) - 23 requests
10000 MS Points ($124.95 / 85.00 GBP) - 10 requests
20000 MS Points ($249.90 / 170.00 GBP) - 92 requests

In total, there were 167 attempts to get free points, with 9 misfires (which means the victim didn't pick an amount on the dropdown box, resulting in a "-Select-" left in the relevant data field). Roughly 86 individual Live IDs were phished, and the rest of the 167 attempts were repeated requests for points from the same handful of people - sometimes stretching over the full timespan from Monday 20th July to Tuesday the 28th.

One person made 24 requests over the eight days (at one stage making eleven requests for points in three minutes!), with 17 tries for the maximum amount of 20,000 MS points. That works out at 340,000 points not including his smaller requests, which means this person attempted to collect over FOUR THOUSAND DOLLARS worth of digital downloads for nothing.


In fact, he's still trying to get free points on the 28th despite not having actually received anything from the moment he tried way back on the 20th. The phisher who collected these logins deserves nothing but scorn; however, it's increasingly difficult to feel any sympathy whatsoever for some of the people caught up in the above data log.

Is the only real solution to throw both phisher and victim into a bear pit, filled with angry bears who themselves hold an irrational hatred of both bear pits and bear pit trespassers?

Why yes. Yes it is.
A common warning in relation to many phishing attacks is "Look for the .com in the URL, because that's the official site domain - if you see that you know it's the real thing".

All well and good, but sometimes people find a way to place a ".com" in there anyway.

Here's a fake phishing page - note the URL:

Click to Enlarge

Amazingly enough, it's

The problem here is that we're so conditioned in relation to "Look for the .com" that many people will see this domain and think, well, it HAS to be legit - completely disregarding the "" part that comes after it.

Unfortunately, it isn't real in the slightest. How did they get the above domain to look the way it does? Well, a .tp domain is the top level domain for East Timor. You can't actually get them anymore (due to it being replaced by .tl), but you can get various subdomains through resellers. A quick jump over to, and....


....whoops. Of course, the fact that the fake site is promoting a "4th of July giveaway" would hopefully make people stop and think that all is not right here, but that's not an assumption I'd be comfortable in making.

Looking out for ".com" in a domain is indeed useful - but only if you pay attention to what comes after it.


About this Archive

This page is a archive of entries in the Videogames category from August 2009.

Videogames: July 2009 is the previous archive.

Videogames: September 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.