Posted by Tim Cranton 
Associate General Counsel, Internet Safety Enforcement

Have you ever received an instant message that prompts you to click on a mysterious link?  Or been asked to share your IM account information, only to have it used to spam all of your friends?

Such instant messaging spam, or “spim,” can take the fun -- and utility -- out of instant messaging.   And cybercriminals know that for many Internet users, the threat of spim is not yet widely understood.  Spim is more than just an annoyance.  It’s a serious threat to online privacy and security.  Spim campaigns that employ phishing tactics to get your account information can put all the personal information associated with your account at risk.

A few weeks ago, I talked with you about Microsoft’s enforcement efforts to help promote Internet safetyfor consumers, advertisers and the industry at large.  Today, as part of our ongoing commitment to online safety, Microsoft is taking additional legal action to help protect our customers against IM spim and account phishing. 

 

Earlier this morning, Microsoft filed a civil lawsuit in King County  Superior Court in Seattle (“Microsoft Corporation v. Funmobile, et. al.” case number  09-2-21247-3) that alleges Funmobile Ltd. has  conducted  a significant campaign to undermine the privacy of Windows Live Messenger customer accounts and to “spim” our customers’ contacts.  We originally filed the case in June as a “John Doe” complaint that did not identify specific defendants.  As part of today’s action, we are asking the court to grant an injunction to help stop this activity immediately to protect our customers.  We are also seeking to recover monetary damages.  Above all, we hope the lawsuit will send  a clear message to all potential perpetrators that this kind of activity is not tolerated on our networks. 

As outlined in the complaint, Microsoft alleges that Funmobile Ltd., a Hong Kong-based company owned by brothers Christian and Henrick Heilesen, has spimmed thousands of Windows Live Messenger customers since March 2009.  The scheme is alleged to target customers with IMs that appear to come from the e-mail address of a known friend or acquaintance, and invite the recipient  to click on a link

Customers who clicked on the link in the bogus instant messages sent by Funmobile were then “phished”— that is, asked for their IM username and password to log in, according to the complaint. Those who provided the log-in information were often redirected to an adult Web site or, in some cases, a site that claimed to be a social networking community for Windows Live Messenger users.

Meanwhile, we allege, the defendants collected the wrongfully-obtained usernames and passwords and used them to access Microsoft’s proprietary systems and our customers’ accounts.   They then “scraped” or “harvested” the contacts within each user’s account, and sent unsolicited bulk IMs to each of his or her contacts. 

Such abuse of the Windows Live Messenger service harms Microsoft and our customers by burdening Microsoft’s computers and computer systems with spim traffic, interfering with users’ enjoyment of our services and invading the privacy of our users.   Our customers should be in control of their information, and shouldn’t be provoked into divulging their personal account credentials for third party services.    This kind of activity isn’t just a violation of our terms of service for Windows Live, it’s a violation of our customers’ privacy.  For this reason, Microsoft strongly advises our customers to only use their Windows Live login information for the purposes of logging in themselves and to never disclose their Windows Live ID and password to a third party other than Microsoft, regardless of the potential usefulness of the “service” that is offered in exchange.  

Windows Live is a great platform for third party development, and we provide a multitude of resources to enable companies and individuals to develop legitimate companion services that enhance our customers’ experiences online while still protecting their privacy and their personal data.   Phishing, spim and account harvesting are not legitimate means of interacting with Windows Live.  This kind of activity crosses the line from legitimate third party services to “parasiteware” that harms our customers.

Microsoft is vigilant about using both technology and the law to fight illegal activity online.   I lead a dedicated team that works to uncover schemes like this one, track down the perpetrators and, if necessary, build legal cases against them. As this work continues we will keep you updated on how we are finding, and fighting, cybercrime in all its forms.

In the meantime, if you’re interested in learning more about this issue, the Windows Live team has also posted some thoughts on its blog

And for more information about staying safe online, please visit http://www.microsoft.com/protect.