For some weeks, Skype users have been complaining on online forums that their accounts have been sending out spoof messages without their permission.
Typically, users report that the messages use a Goo.gl URL shortener and are sent to all of their online contacts.
According to reports, some of the links might redirect to Russian domains hosting malicious code designed to infect visiting computers.
So far, with over 20 pages of discussion of the issue on the Skype community pages, Microsoft doesn’t appear to have come up with a solution to the problem, and there are no definitive conclusions as to how the messages are being sent.
One possibility is that malware has infected users’ computers, and is sending the messages without the permission of the account owners.
However, this theory seems less likely as some users have reported that the unauthorised messages have been sent even though their computers and mobile devices are turned off at the time.
Potentially, the spoof messages might also have been sent due to a vulnerability in Skype’s web-based client that the spammers are exploiting.
Alternatively, it’s possible that Skype users have had their account passwords compromised – perhaps via phishing attacks, or because victims are using the same passwords elsewhere on the net.
Frankly, we don’t know yet how the fraudsters are sending the messages – but sending them they are… and Skype users aren’t happy, judging by posts on the support forum:
I’ve been having the same issue for the last two weeks or so!
I am now having to explain to people that it’s not me sending them!!!
I’ve changed my password, so I’m hoping that will help, but I’ve also sent a support request to Skype to resolve the issue (no reply yet).
DO SOMETHING ABOUT THIS QUICKLY SKYPE, STOP IGNORING THE ISSUE!!!!!!!!!
My laptop was completely shut down and packed in my bag when messages went out to all my contacts.
Have also checked API as suggested but nothing suspicious there.
I have Skype on my iPhone as well. Have temporarily removed the app for the sake of good order. I suspect it is Skype’s servers that were compromised — would be nice if they could shed some light on the issue….
Very embarrassing to have spam sent to hundreds of business contacts. Makes me consider to switch away from Skype.
For now, Microsoft is suggesting that customers change the passwords for all of their Skype-related accounts.
The only official response I have been able to find is from Skype community manager Claudius:
Our engineers are still looking into this.
Meanwhile we’d recommend everyone to change their account passwords for all your Skype related accounts, i.e. also update your Microsoft account password if you linked that to your Skype account. Here’s how: https://support.skype.com/en/faq/FA95/how-do-i-change-my-password
Whether following that advice will prevent the spate of spoofed Skype messages remains to be seen…
Hat-tip: The Register