Xbox Live fraud: has the method used by the hackers been found?
Microsoft has so far officially attributed the problem to phishing attacks against users: fraudulent emails that appear to come from Microsoft ask the recipient to log in to Xbox.com with their username and password, but actually send them to a site that looks identical to Microsoft's and stores the submitted credentials in a database, much like the fake ATM scams that occasionally make the news.
However, the site AnalogHype today published the findings of Jason Coutee, a network systems engineer who was himself the victim of a break-in to his Live account. Coutee says he has worked out how hackers can take over other people's accounts; here is how it could all work.
The first step for a hacker who wants to take over a Live account is to find the Live ID (the email address) associated with the target gamertag, often through public forums or other sites, because players frequently use the same account for email or for chatting on MSN. Once that is known, the hacker tries to find the account's password with a trivial brute-force approach: a script submits passwords from a list of common ones to the Xbox.com login page one after another, hoping the user has chosen one of them. Sites typically block such attacks after a number of failed attempts, and Xbox.com does so after the eighth wrong password by requiring a CAPTCHA code, but Coutee explains that in this case the page also offers a "try with another account" link, which effectively resets the CAPTCHA and lets the script keep trying further passwords.
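To make the lockout bypass concrete, here is an added example that is neither Coutee's script nor Xbox.com's code. It models a login page in two ways: a weak design that keeps the failed-attempt counter in the browser session, so that starting over with "try with another account" wipes it, and a hardened design that counts failures per account on the server. The eight-attempt threshold is taken from the article; the password list, the victim account and the attacker loop are constructed for the example.

```python
"""Model of a login page that demands a CAPTCHA after eight wrong passwords.

Constructed example (not Xbox.com's real code): the weak variant keeps its
failure counter in the session, so a fresh session wipes it; the hardened
variant counts failures per account on the server.
"""
from collections import defaultdict

CAPTCHA_AFTER = 8  # from the article: CAPTCHA required after the eighth bad password

# Constructed sample "common password" list; the victim's password appears in it.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123", "monkey", "letmein",
    "dragon", "111111", "baseball", "iloveyou", "trustno1", "sunshine", "master",
    "welcome", "shadow", "ashley", "football", "jesus", "michael",
]


class SessionCounterLogin:
    """Weak design: failures are tracked in the session, not against the account."""

    def __init__(self, credentials):
        self._creds = credentials

    def new_session(self):
        # "Try with another account" starts a fresh session: counter back to zero.
        return {"failures": 0}

    def login(self, session, user, password):
        if session["failures"] >= CAPTCHA_AFTER:
            return "captcha_required"
        if self._creds.get(user) == password:
            return "ok"
        session["failures"] += 1
        return "bad_password"


class AccountCounterLogin:
    """Hardened design: failures are tracked per account on the server."""

    def __init__(self, credentials):
        self._creds = credentials
        self._failures = defaultdict(int)

    def new_session(self):
        return {}  # nothing here for the attacker to reset

    def login(self, session, user, password):
        if self._failures[user] >= CAPTCHA_AFTER:
            return "captcha_required"
        if self._creds.get(user) == password:
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "bad_password"


def brute_force(service, user, wordlist):
    """Attacker loop: walk the list; on CAPTCHA, open a fresh session and retry once.

    Returns (password_found_or_None, number_of_login_requests_sent).
    """
    session = service.new_session()
    attempts = 0
    for pw in wordlist:
        attempts += 1
        result = service.login(session, user, pw)
        if result == "captcha_required":
            session = service.new_session()  # the "try with another account" trick
            attempts += 1
            result = service.login(session, user, pw)
            if result == "captcha_required":
                return None, attempts  # lockout is per account; the reset did nothing
        if result == "ok":
            return pw, attempts
    return None, attempts


VICTIM = "victim@example.com"  # constructed account whose password is on the list


def demo_weak():
    return brute_force(SessionCounterLogin({VICTIM: "welcome"}), VICTIM, COMMON_PASSWORDS)


def demo_hardened():
    return brute_force(AccountCounterLogin({VICTIM: "welcome"}), VICTIM, COMMON_PASSWORDS)


if __name__ == "__main__":
    print("session counter:", demo_weak())      # ('welcome', 16)
    print("account counter:", demo_hardened())  # (None, 10)
```

Against the session-keyed counter the script recovers the password on its sixteenth request, having hit the CAPTCHA once and simply started a new session; against the account-keyed counter the ninth and tenth requests both return the CAPTCHA, so the reset buys nothing and the script gives up. The property to check on any login page is the same: whatever "start over" action the page offers, the counter that gates the CAPTCHA or lockout must be tied to the account (or the source address), never to state the attacker controls.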
If the script finds the correct password, the hacker can log in to the user's Live profile, buy Microsoft Points, change the gamertag and email address and sell the account to unsuspecting buyers, or leave the account intact and transfer its Microsoft Points to another account through the family sub-account mechanism. Once such activity is automated and replicated across the hundreds or thousands of Live accounts found on the network, it could yield enough successes to guarantee the hackers a good profit.
For now we do not know whether this is really the method used by the hackers, and it is worth noting that such a mechanism only succeeds if the Live account's password is weak enough to appear on a common-password list. In any case, our advice is to always use strong, unpredictable passwords of at least 8 characters that mix upper- and lower-case letters and digits, and never to click links in emails asking for your username and password, even when they appear to come from Microsoft. We will keep you updated on any developments in this matter.