CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

EA Confirms Account Takeover Attacks Compromising High-Profile Gamers via Phishing and Social Engineering Attacks

Alicia Hope · January 20, 2022

Electronic Arts (EA) confirmed that attackers used phishing and social engineering tactics to execute account takeover attacks against high-profile FIFA Ultimate Team (FUT) gamers.

In a statement posted on its website, EA disclosed that fewer than 50 accounts have been compromised via phishing techniques and employee mistakes. However, reports of lower-ranking hacked FIFA 22 accounts have also surfaced online, suggesting that the number of account takeovers via phishing could be much higher than EA has admitted.

Subsequently, EA adopted stringent account verification measures to protect accounts from illegal takeovers. The company also promised to contact affected gamers and restore the accounts to their legitimate owners.

At least two high-profile victims reported on social media alleged identity theft originating from the EA breach. One victim has considered suing the company.

Attackers bypassed two-factor authentication through phishing social engineering techniques

EA confirmed that attackers used phishing and other social engineering techniques to bypass the account verification process and compromise high-profile accounts.

“Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts,” EA wrote.

According to Javvad Malik, a security awareness advocate at KnowBe4, social engineering attacks are the worst attacks against organizations and individuals. He recommended using strong and unique passwords and activating multi-factor authentication (MFA) to defeat phishing attacks.

“However, even with these technical controls, it is still possible that an account can be compromised through social engineering.”

Eurogamer first reported the account takeover attacks after realizing that several accounts had been stripped of FIFA points and coins. The attackers reportedly used Gamertags from FIFA leaderboards to convince EA staff that they were the legitimate owners.

Additionally, EA account service representatives allegedly revealed the email addresses associated with those Gamertags and reset the account passwords, allowing the attackers to complete the account takeover.

EA implements stringent security measures to protect players from account takeover attacks

EA acknowledged that the human factor was a risk element in account security, and admitted that it could do more to protect user accounts from social engineering attacks.

“Hackers prey on human vulnerabilities and, in this case, have capitalized on the fact that customer service teams are under considerable pressure to deliver a good customer experience and help people with their queries as quickly as possible,” said James Alliband, Senior Manager Product Strategy at Tessian.

EA is implementing additional steps to the account management process and reinforcing account security practices to protect its users from account takeover attacks.

All EA account-service staff will receive individualized re-training and additional team training, with a specific emphasis on account security best practices and on defending against social engineering attacks such as phishing.

Malik highlighted the importance of user cybersecurity training in protecting accounts from phishing and other social engineering attacks.

“Whether that be through an organization rolling out a security awareness and training program, or be it through useful on-screen hints and tips on consumer login pages reminding them to not share personal details or login codes with others, and to be wary of emails claiming to be from the organization,” said Malik.

Additionally, EA introduced additional requirements to the account ownership verification process, such as mandatory managerial approvals for sensitive changes like email change requests.

The company will also update its customer experience software to identify suspicious activity, flag at-risk accounts, and eliminate the potential for human error in the account update process.
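The attack chain reported above (Gamertag lookup, email disclosure, password reset, no step-up verification) is exactly what support-desk audit logs can surface. The following detection logic is an added example, not EA's software or any vendor's product; the log format, field names, action names and the 30-minute window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample support-desk audit log (not real data). Assumed format:
# "<ISO time> agent=<id> acct=<id> action=<name>"
SAMPLE_LOG = """\
2022-01-10T14:02:11 agent=a17 acct=fut_9001 action=lookup_by_gamertag
2022-01-10T14:03:40 agent=a17 acct=fut_9001 action=disclose_email
2022-01-10T14:05:02 agent=a17 acct=fut_9001 action=password_reset
2022-01-10T15:10:00 agent=a22 acct=fut_4410 action=lookup_by_gamertag
2022-01-10T15:11:30 agent=a22 acct=fut_4410 action=step_up_verified
2022-01-10T15:12:45 agent=a22 acct=fut_4410 action=password_reset
2022-01-10T16:00:00 agent=a17 acct=fut_7777 action=lookup_by_gamertag
2022-01-10T17:30:00 agent=a17 acct=fut_7777 action=password_reset
"""

LINE_RE = re.compile(r"^(\S+) agent=(\S+) acct=(\S+) action=(\S+)$")
# Actions that should never follow a public-identifier lookup without step-up verification
SENSITIVE = {"password_reset", "email_change", "disclose_email"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

def parse(log_text):
    """Parse audit lines into (time, agent, account, action) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, agent, acct, action = m.groups()
            events.append((datetime.fromisoformat(ts), agent, acct, action))
    return sorted(events)

def flag_suspicious(log_text, window=WINDOW):
    """Return {account: [findings]} for accounts where a Gamertag lookup was followed,
    within `window`, by a sensitive action with no step_up_verified event in between."""
    by_acct = defaultdict(list)
    for ev in parse(log_text):
        by_acct[ev[2]].append(ev)
    flagged = {}
    for acct, evs in by_acct.items():
        lookup_at, verified = None, False
        for ts, agent, _, action in evs:
            if action == "lookup_by_gamertag":
                lookup_at, verified = ts, False  # new lookup resets the verification state
            elif action == "step_up_verified":
                verified = True
            elif action in SENSITIVE and lookup_at and ts - lookup_at <= window and not verified:
                flagged.setdefault(acct, []).append(f"{action} by {agent} at {ts.isoformat()}")
    return flagged
```

Run against the sample, only fut_9001 is flagged: fut_4410 passed step-up verification before the reset, and fut_7777's reset falls outside the window.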

EA warned that the new security measures would affect its users’ customer experience. However, many FIFA gaming fans on Reddit were less critical of the proposed security changes, considering they would protect them from account takeover attacks.

EA also promised to examine every report of a suspicious email change and every reported account.

“This is a good opportunity for EA to review their policies on such high-profile attacks to understand the user and ask them out-of-the-box questions about their activity that would be much harder to find out,” Alliband added. “Also utilizing voice ID, biometrics, SMS authentication, and alternative email authentication can be a great way to make bad actors’ lives a little more difficult and add another layer of security measures for organizations when users are contacting customer support.”


However, some FUT gamers were apprehensive about the repercussions of the account takeovers. NickRTFM tweeted that someone had tried to apply for a credit card using his details. Similarly, FUT Donkey complained that the victims had not received any communication from the company. The ranking gamer also threatened to sue the company for allegedly violating data protection laws, and claimed that one of the attackers had used his leaked account details to register on various websites, such as IMDB, Quora, Blockchain.com, Pornhub, and XVideos.

Alicia Hope
Staff Correspondent at CPO Magazine
Alicia Hope has been a journalist for more than 5 years, reporting on technology, cyber security and data privacy news.