Skype attack threatens 300 million users: How to protect yourself

Skype
(Image credit: LightRocket/Getty Images)

A new phishing campaign aimed at Skype users is especially convincing -- it already knows your name and where you work.

The attack arrives in the form of an email alerting you that you have several Skype notifications and need to click a "review" button. Click on that button, say researchers at Cofense, and you're taken to a phony Skype login page. 

The fake Skype page has the ".app" web-address suffix and is secured with HTTPS to lend it a bit of false legitimacy. (The .app top-level domain is managed by Google and used by software developers.)

The crooks are pretty slick. Because the link in the email message has a unique identifier, you'll see your own name already filled into the very real-looking login box, and your company's logo may be in there as well. 

There's even a notice stating that "the system is for the use of authorized users" of your company only and that "unlawful users will be prosecuted."

If you take that easy, final step of entering your password, then it becomes the hackers' password, and your Skype account becomes their account. If you've used that same username and password on other accounts, then the bad guys probably will grab those too. (It's a very bad idea to reuse passwords.)

You may be wondering how the attackers would already know your name, your email address and where you work. The most obvious answer is that they scoured LinkedIn (like Skype, a Microsoft subsidiary) for some of that information, but to be fair, many companies have a very helpful "who we are" page.

How to avoid being suckered by this Skype scam

If you're one of the 300 million monthly users on Skype, here's what you need to know to protect yourself. The only tipoff that this login page is fake is its URL, or website address. In the example Confense provided, it was "skype-online0345.web.app," but any real Skype page would have an address ending with "skype.com." 

In the web addressing scheme, the parts of the URL right before ".com", ".net" or ".edu" count the most, so just having "skype" somewhere in the URL doesn't mean it's real.

If you do fall for this phishing scheme, or one just like it, you should change your Skype password right away, and also change the password on any other site where you used the same one. 

Make sure your password is strong and unique, and don't reuse passwords. One of the best password managers will help a lot.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.