Electronic Arts (EA) confirmed that attackers used phishing and social engineering tactics to execute account takeover attacks against high-profile FIFA Ultimate Team (FUT) gamers.
In a statement posted on its website, EA disclosed that fewer than 50 accounts had been compromised through phishing and employee mistakes. However, reports from lower-ranked players of hacked FIFA 22 accounts have also surfaced online, suggesting that the number of account takeovers could be considerably higher than EA has acknowledged.
EA subsequently adopted stricter account verification measures to protect accounts from unauthorized takeovers. The company also promised to contact affected gamers and restore the accounts to their legitimate owners.
At least two high-profile victims reported on social media alleged identity theft originating from the EA breach. One victim has considered suing the company.
Attackers bypassed two-factor authentication through social engineering of customer support
EA confirmed that attackers used phishing and other social engineering techniques to defeat the account verification process and compromise high-profile accounts. The second factor itself was not broken: the attackers went through the customer-support recovery path, where a support agent could reset credentials without the account's second factor ever being presented.
“Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts,” EA wrote.
According to Javvad Malik, a security awareness advocate at KnowBe4, social engineering attacks are the worst attacks against organizations and individuals. He recommended using strong and unique passwords and activating multi-factor authentication (MFA) to defeat phishing attacks.
“However, even with these technical controls, it is still possible that an account can be compromised through social engineering.”
Eurogamer first reported the account takeover attacks after several accounts were stripped of FIFA points and coins. The attackers reportedly used Gamertags taken from the public FIFA leaderboards to convince EA support staff that they were the legitimate owners, even though a Gamertag is public information and proves nothing about ownership.
EA account service representatives then allegedly revealed the email addresses associated with those Gamertags and reset the passwords, allowing the attackers to complete the takeover.
EA implements stringent security measures to protect players from account takeover attacks
EA acknowledged that the human factor was a risk element in account security, and admitted that it could do more to protect user accounts from social engineering attacks.
“Hackers prey on human vulnerabilities and, in this case, have capitalized on the fact that customer service teams are under considerable pressure to deliver a good customer experience and help people with their queries as quickly as possible,” said James Alliband, Senior Manager Product Strategy at Tessian.
EA is adding steps to the account management process and reinforcing account security practices to protect its users from account takeover attacks.
All EA account support staff will receive individualized re-training and additional team training with a specific emphasis on account security best practices and defending against social engineering attacks such as phishing.
Malik highlighted the importance of user cybersecurity training in protecting accounts from phishing and other social engineering attacks.
“Whether that be through an organization rolling out a security awareness and training program, or be it through useful on-screen hints and tips on consumers’ login pages reminding them to not share personal details or login codes with others, and to be wary of emails claiming to be from the organization,” said Malik.
EA also added requirements to the account ownership verification process, such as mandatory managerial approval for sensitive changes like email change requests.
The company will also update its customer experience software to identify suspicious activity, flag at-risk accounts, and remove the opportunity for human error in the account update process.
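The controls EA describes (a second approver for email changes, flagging of at-risk accounts, and an account update process that does not rely on an agent's judgement) can be enforced by the support tooling rather than by policy alone. The following is an added illustrative example, not EA's code or a description of its systems: a small recovery-desk policy engine in which the agent never sees the full account email, a one-time code sent to the existing address must be verified before any change, email changes and leaderboard-ranked accounts require a distinct second approver, and repeated failed codes lock the case. The account data, rank threshold, attempt limit and the simulated e-mail outbox are all constructed for the demo.

```python
# Added illustrative example: a support-desk recovery policy engine that makes ownership
# checks system-enforced rather than a matter of agent discretion. Every name, account,
# threshold and the simulated outbox below is an assumption for the demo, not EA's system.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hmac
import secrets

HIGH_PROFILE_RANK = 1000      # assumed: leaderboard rank at or above which an account is flagged
MAX_CHALLENGE_ATTEMPTS = 3    # assumed: failed code entries before the case is locked


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_second_approver"
    DENY = "deny"


@dataclass
class Account:
    gamertag: str
    email: str
    leaderboard_rank: Optional[int] = None   # None = not on a public leaderboard


@dataclass
class Case:
    account: Account
    agent: str
    challenge: str                           # one-time code sent to the account's existing email
    verified: bool = False
    failed_attempts: int = 0
    locked: bool = False
    flags: list = field(default_factory=list)


def mask_email(email: str) -> str:
    """Show the agent only enough to talk to the caller, never the full address."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


class RecoveryDesk:
    def __init__(self, accounts):
        self._accounts = {a.gamertag.lower(): a for a in accounts}
        self._cases = {}
        self.outbox = {}   # simulated e-mail delivery: address -> last code (constructed for the demo)

    def open_case(self, gamertag: str, agent: str):
        """Start a recovery case and return (case_id, masked_email).
        A public Gamertag proves nothing, so a code goes to the existing address and the
        agent only ever sees that address masked."""
        account = self._accounts[gamertag.lower()]
        code = f"{secrets.randbelow(10**6):06d}"
        case = Case(account=account, agent=agent, challenge=code)
        if account.leaderboard_rank is not None and account.leaderboard_rank <= HIGH_PROFILE_RANK:
            case.flags.append("high_profile")    # public target: raise the bar for every change
        case_id = secrets.token_hex(8)
        self._cases[case_id] = case
        self.outbox[account.email] = code        # real system: e-mail or authenticator push
        return case_id, mask_email(account.email)

    def verify_challenge(self, case_id: str, submitted: str) -> bool:
        """Caller proves possession of the existing email/second factor; lockout on repeated failure."""
        case = self._cases[case_id]
        if case.locked:
            return False
        if hmac.compare_digest(case.challenge, submitted):   # constant-time compare
            case.verified = True
            return True
        case.failed_attempts += 1
        if case.failed_attempts >= MAX_CHALLENGE_ATTEMPTS:
            case.locked = True
            case.flags.append("challenge_lockout")
        return False

    def request_change(self, case_id: str, change: str, agent: str,
                       approver: Optional[str] = None) -> Decision:
        """Policy gate for sensitive changes. No branch here can be overridden by the agent."""
        case = self._cases[case_id]
        if change not in ("password_reset", "email_change"):
            return Decision.DENY
        if case.locked or not case.verified or agent != case.agent:
            return Decision.DENY
        needs_second = change == "email_change" or "high_profile" in case.flags
        if needs_second and (approver is None or approver == agent):
            return Decision.NEEDS_APPROVAL      # distinct manager must sign off
        return Decision.ALLOW


if __name__ == "__main__":
    desk = RecoveryDesk([Account("TopPlayer", "top@example.com", leaderboard_rank=12)])
    cid, shown = desk.open_case("TopPlayer", agent="agent-1")
    print("agent sees:", shown)
    print("reset before verification:", desk.request_change(cid, "password_reset", "agent-1"))
    desk.verify_challenge(cid, desk.outbox["top@example.com"])   # caller reads code from their inbox
    print("email change, no approver:", desk.request_change(cid, "email_change", "agent-1"))
    print("email change, manager approved:",
          desk.request_change(cid, "email_change", "agent-1", approver="manager-7"))
```

The design choice worth noting is that the verification code is delivered to the channel the attacker is trying to take over (the existing email or second factor), so the check holds even if the agent is fully convinced by the caller; the agent's only role is to relay the caller's answer. The lockout flag and the high-profile flag are the hooks a monitoring system would use to surface at-risk cases.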
EA warned that the new security measures would add friction to its users’ customer experience. Many FIFA fans on Reddit nonetheless welcomed the proposed changes, since they would protect them from account takeover attacks.
EA also promised to investigate every reported suspicious email change and every reported account.
“This is a good opportunity for EA to review their policies on such high-profile attacks to understand the user and ask them out-of-the-box questions about their activity that would be much harder to find out,” Alliband added. “Also utilizing voice ID, biometrics, SMS authentication, and alternative email authentication can be a great way to make bad actors’ lives a little more difficult and add another layer of security measures for organizations when users are contacting customer support.”
However, some FUT gamers were worried about the repercussions of the account takeovers. NickRTFM tweeted that someone had tried to apply for a credit card using his details. Similarly, FUT Donkey complained that the victims had not received any communication from the company. The latter also threatened to sue the company for allegedly violating data protection laws, and claimed that one of the attackers used his leaked account details to register on various websites, such as IMDB, Quora, Blockchain.com, Pornhub, and XVideos.