I got a Live message from one of my friends last night asking me to visit http://xbox-profile.com/CyberKnight so I can claim my social networking account that they had supposedly set up for me. It encouraged me to do this "quickly", before someone else claimed my name.
I decided to check it out. As a quick trip to Google will show, my gamertag isn't the most unique word on the net, so there was some incentive to check it out before someone tried claiming my name. When I visited the site, it redirected me to a page on Playfire.com that asked me to confirm my ownership of the gamertag by entering my Live ID and password in a simple web form.
The only form that should ever receive those credentials is one that submits to Live.com itself.
Tonight, I noticed that I got four more messages from other friends that all say the same exact thing. It sounds like this phishing scam is getting a few bites.
I hope for the sake of my friends that this site is doing exactly what it's claiming — verifying ownership of the gamertag — and nothing more. But I've sent my friends a message (and am posting this on my blog as a "public service") encouraging them to change their Live account password as soon as possible, just in case. This can be done by logging on to http://login.live.com.
If Playfire.com stores that information, they could use it to take control of the gamertag, plus any and all associated Hotmail, Messenger, or other Live service accounts. And of course if there are any credit cards associated with that ID (such as would happen if you buy Points or renew a Live or Zune Pass subscription online), then the new owner could use that information to make more purchases.
It's already apparent that they use your login information to access your friends list and send messages on your behalf inviting your friends to come and sign up. And if the apology messages from my friends are any indication, this happens without the explicit knowledge or authorization of the account holder.
I tried connecting to Playfire.com today to get more details for this blog post, but the entire site appears to be down. That certainly makes it seem even more suspicious.