Spammers Hijack Microsoft’s SkyDrive Service

Microsoft’s Windows Live SkyDrive, an online storage service for sharing files and links it launched in beta this past August, became a repository for spammers to host links to their electronic junk mail.

McAfee’s Avert Labs was first to point it out in an alert. Within a day, Microsoft gave the e-pests the e-boot, but not before the spammers uploaded “tens of thousands” of files to the service, according to Avert.

“Services like Windows Live Skydrive are attractive to spammers for a number of reasons,” said Chris Barton, lead antispam researcher at McAfee Avert Labs, in a mass e-mailing to journalists. “These services are free, provide unique, long-lasting Web links, host almost any kind of file and are relatively safe from blacklisting.”

In a statement, Microsoft said it is investigating the claims. “Should we determine that the service is being used improperly, we will take the appropriate steps to maintain the integrity of Windows Live SkyDrive beta,” the company said. Avert said the spammers were shut off after 24 hours of peddling an online pharmacy.

Normally spammers use compromised servers in foreign countries or botnet-infected  computers, but the use of reputable sites is growing. Dave Marcus, a security research manager at Avert Labs, said it was likely a case of security being overlooked in the development process.

“In the past, online storage has been abused many times and going forward it will continue to be abused,” he told “This was a beta solution for a limited group of people and they didn’t deploy it in a secure enough fashion. It just goes to show you if you are going to put it online, you gotta secure stuff as it’s going up, you gotta filter it as it’s going in and you gotta scan the data as it’s going out.”

Microsoft would hardly be the first company to be careless with its security. Just last month, the professional social networking site LinkedIn had an open redirect port that anyone could use. With the port it was possible to make a link that looked like it would send you to Yahoo, Google or some other reputable site but actually redirect you somewhere else. A security researcher with ESET Software who found the open port spent four frustrating days trying to reach someone at LinkedIn who could actually close it.

Marcus said firms are still not putting security at the forefront. “Unfortunately, a lot of people have not operationalized security. They still think about it as an afterthought or add-on. That’s an issue that will plague computers for years. It shouldn’t be something you think of after you’ve gone through QA. It needs to be factored in during architecture,” he said.

News Around the Web