CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders
Cyber Security · News

EA Confirms Account Takeover Attacks Compromising High-Profile Gamers via Phishing and Social Engineering Attacks

Alicia Hope·January 20, 2022

Electronic Arts (EA) confirmed that attackers used phishing and social engineering tactics to execute account takeover attacks against high-profile FIFA Ultimate Team (FUT) gamers.

In a statement posted on its website, EA disclosed that fewer than 50 accounts were compromised through phishing techniques and employee mistakes. However, reports of lower-ranking FIFA 22 accounts being hijacked have also surfaced online, suggesting that the number of account takeovers could be considerably higher than EA has acknowledged.

EA subsequently adopted stricter account verification measures to protect accounts from illegitimate takeovers. The company also promised to contact affected players and restore the accounts to their legitimate owners.

At least two high-profile victims alleged on social media that identity theft followed from the EA breach. One of them has considered suing the company.

Attackers bypassed two-factor authentication through phishing and social engineering techniques

EA confirmed that attackers used phishing and other social engineering techniques to bypass the account verification process and compromise high-profile accounts.

“Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts,” EA wrote.

According to Javvad Malik, a security awareness advocate at KnowBe4, social engineering is the most damaging form of attack against organizations and individuals. He recommended strong, unique passwords and multi-factor authentication (MFA) as the baseline defense against phishing attacks.

“However, even with these technical controls, it is still possible that an account can be compromised through social engineering.”

Eurogamer first reported the account takeover attacks after several accounts were stripped of FIFA points and coins. The attackers reportedly used Gamertags taken from public FIFA leaderboards to convince EA support staff that they were the legitimate owners.

EA account service representatives then allegedly revealed the email addresses associated with those Gamertags and reset the passwords, allowing the attackers to complete the account takeover. In other words, knowledge of a public identifier was accepted as proof of ownership, and the two-factor authentication on the account was never exercised because the support channel could change the account's credentials around it.

EA implements stringent security measures to protect players from account takeover attacks

EA acknowledged that the human factor was a risk element in account security, and admitted that it could do more to protect user accounts from social engineering attacks.

“Hackers prey on human vulnerabilities and, in this case, have capitalized on the fact that customer service teams are under considerable pressure to deliver a good customer experience and help people with their queries as quickly as possible,” said James Alliband, Senior Manager Product Strategy at Tessian.

EA is adding steps to its account management process and reinforcing account security practices to protect users from account takeover attacks.

All EA account service staff will receive individualized re-training and additional team training, with a specific emphasis on account security best practices and on defending against social engineering attacks such as phishing.

Malik highlighted the importance of user cybersecurity training in protecting accounts from phishing and other social engineering attacks.

“Whether that be through an organization rolling out a security awareness and training program, or be it through useful on-screen hints and tips on consumers’ login pages reminding them to not share personal details or login codes with others, and to be wary of emails claiming to be from the organization,” said Malik.

Additionally, EA introduced new requirements to the account ownership verification process, such as mandatory managerial approval for sensitive changes like email change requests.

The company will also update its customer experience software to identify suspicious activity, flag at-risk accounts, and limit the potential for human error in the account update process.
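The controls described above map onto each step of the reported attack chain, which is easiest to see in code. The following is an added example, not EA's tooling or anything EA has published: a hypothetical support-side policy in which every name, threshold and the sample account are assumptions. It makes the Gamertag-to-email-to-password-reset path fail at each step: agents only ever see a masked email, a public Gamertag is never accepted as proof of ownership (a one-time code must reach the existing email or authenticator), an email change is held until a second principal approves it, and a password reset is withheld for a cooldown period after any email change so that a single bad approval cannot be converted into a takeover on the spot.

```python
# Hypothetical support-side account-change policy: an added example, not EA's own tooling.
# Names, thresholds and the sample account below are assumptions made for the demo.
import secrets
import time
from dataclasses import dataclass

@dataclass
class Account:
    account_id: str
    gamertag: str                 # public on leaderboards, so never proof of ownership
    email: str
    leaderboard_rank: int = 0     # 0 = unranked
    last_email_change: float = 0.0

def mask_email(email):
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"

class AccountSupportPolicy:
    HIGH_PROFILE_RANK = 1000      # assumed threshold for flagging an account as at-risk
    CHALLENGE_TTL = 600           # seconds a one-time code, and the proof it gives, stays valid
    RESET_COOLDOWN = 72 * 3600    # no password reset to an email changed this recently

    def __init__(self, accounts, now=time.time):
        self.now = now
        self.accounts = {a.account_id: a for a in accounts}
        self.challenges = {}      # account_id -> (code, expiry)
        self.verified = {}        # account_id -> time ownership was proven
        self.pending = {}         # account_id -> (new_email, requesting agent)

    def lookup_by_gamertag(self, gamertag):
        # The full address never reaches the agent, so it cannot be talked out of them.
        for acct in self.accounts.values():
            if acct.gamertag == gamertag:
                return {"account_id": acct.account_id, "email": mask_email(acct.email),
                        "at_risk": 0 < acct.leaderboard_rank <= self.HIGH_PROFILE_RANK}
        raise PermissionError("no such gamertag")

    def start_ownership_challenge(self, account_id):
        # One-time code sent to the CURRENT email/authenticator and never read out by the
        # agent; returned here only so the demo can play the legitimate owner.
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[account_id] = (code, self.now() + self.CHALLENGE_TTL)
        return code

    def verify_ownership(self, account_id, code):
        expected, expiry = self.challenges.get(account_id, ("", 0.0))
        ok = self.now() <= expiry and secrets.compare_digest(expected, code)
        if ok:
            self.challenges.pop(account_id)          # single use
            self.verified[account_id] = self.now()
        return ok

    def _require_verified(self, account_id):
        ts = self.verified.get(account_id)
        if ts is None or self.now() - ts > self.CHALLENGE_TTL:
            raise PermissionError("ownership not verified by challenge")

    def request_email_change(self, agent, account_id, new_email):
        self._require_verified(account_id)
        self.pending[account_id] = (new_email, agent)   # applied only after approval
        return "awaiting_approval"

    def approve_email_change(self, approver, account_id):
        req = self.pending.get(account_id)
        if req is None or approver == req[1]:
            raise PermissionError("needs a pending request approved by a second principal")
        acct = self.accounts[account_id]
        acct.email, acct.last_email_change = self.pending.pop(account_id)[0], self.now()
        self.verified.pop(account_id, None)          # a further change needs fresh proof
        return "applied"

    def reset_password(self, account_id):
        self._require_verified(account_id)
        acct = self.accounts[account_id]
        if self.now() - acct.last_email_change < self.RESET_COOLDOWN:
            raise PermissionError("email changed recently; reset link withheld")
        return f"reset link sent to {mask_email(acct.email)}"   # only ever to the email on file

def _attempt(out, key, action):
    try:
        out[key] = action()
    except PermissionError as e:
        out[key] = "refused: " + str(e)

def demo():
    """Replays the reported attack path (Gamertag -> email -> reset), then the owner's flow."""
    p = AccountSupportPolicy([Account("acct-1", "TopPlayer99", "owner@example.com", 12)])
    out = dict(p.lookup_by_gamertag("TopPlayer99"))
    _attempt(out, "reset_no_proof", lambda: p.reset_password("acct-1"))   # Gamertag alone
    code = p.start_ownership_challenge("acct-1")                            # reaches owner only
    out["wrong_code"] = p.verify_ownership("acct-1", "wrong")
    out["right_code"] = p.verify_ownership("acct-1", code)
    out["change"] = p.request_email_change("agent-7", "acct-1", "new@example.com")
    _attempt(out, "self_approve", lambda: p.approve_email_change("agent-7", "acct-1"))
    out["manager_approve"] = p.approve_email_change("manager-1", "acct-1")
    p.verify_ownership("acct-1", p.start_ownership_challenge("acct-1"))
    _attempt(out, "reset_after_change", lambda: p.reset_password("acct-1"))
    return out
```

The point of structuring it this way is that the agent's judgement is never the control: the lookup cannot disclose the address, the reset and the change cannot proceed without a code that only the real owner receives, the change cannot be completed by the same person who filed it, and even a fully approved change cannot be chained straight into a password reset. An attacker who pressures an agent gets, at most, a masked email and an "awaiting approval" state, which is also exactly the event a detection rule should flag when it recurs on accounts marked at-risk.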

EA warned that the new security measures would add friction to the customer experience. Many FIFA fans on Reddit were nonetheless supportive of the proposed changes, since they would protect players from account takeover attacks.

EA also promised to review every report of a suspicious email change and every reported account.

“This is a good opportunity for EA to review their policies on such high-profile attacks to understand the user and ask them out-of-the-box questions about their activity that would be much harder to find out,” Alliband added. “Also utilizing voice ID, biometrics, SMS authentication, and alternative email authentication can be a great way to make bad actors’ lives a little more difficult and add another layer of security measures for organizations when users are contacting customer support.”


Some FUT gamers, however, were apprehensive about the repercussions of the account takeovers. NickRTFM tweeted that someone had tried to apply for a credit card using his details. Similarly, FUT Donkey complained that the victims had not received any communication from the company. He also threatened to sue EA for allegedly violating data protection laws, and claimed that one of the attackers had used his leaked account details to register on various websites, including IMDB, Quora, Blockchain.com, Pornhub, and XVideos.

Tags: Account Takeover, Phishing, Social Engineering
Alicia Hope
Staff Correspondent at CPO Magazine
Alicia Hope has been a journalist for more than 5 years, reporting on technology, cyber security and data privacy news.
© 2023 Rezonen Pte. Ltd.