Elder Scrolls Online Targeted by Cybercrooks Hunting In-Game Loot

A phishing attack is masquerading as messages from the game’s developers.

Phishers are out in force to scam aficionados of the Elder Scrolls Online video game into giving up their account details.

The crooks are posing as developers for the game under the moniker “ElderScrollDevs,” and targeting those with PlayStation consoles (and possibly others), according to a Reddit post by a scam recipient. They’re sending random private messages to users warning of a purported security issue.

“We have noticed some unusual activity involving this account,” reads the “warning.” “To be sure you are the rightful owner, we require you to response [sic] to this alert with the following Account information so that you may be verified.”

The victims are then told that they have 15 minutes to fill in their email address, password and date of birth on the account, or else they will be blocked from the game:

The phishing message. Click to enlarge.

“Under the current circumstances, you have 15 minutes from opening this alert to respond with the required information. Failure to do so will result in an immediate Account Ban, permanently losing online access to our servers on all platforms, along with all characters associated with the account in question. Please be sure to double check your information spelling before sending.”

The Elder Scrolls Online is a high-fantasy role-playing game (complete with elves, dwarves, orcs and so on), set on the continent of Tamriel. It was developed by ZeniMax Online Studios, and features a storyline indirectly connected with the other games in the Elder Scrolls franchise. According to the Steam platform, it has 13 million active players, representing a rich well for cybercriminals to draw from.

The phishing gambit is ultimately aimed at stealing in-game goods – either earned or purchased – to sell on the Dark Web.

“Massively Multiplayer Online games (MMOs) present a great opportunity for malicious individuals,” Tyler Reguly, manager of security R&D at Tripwire, said via email. “RMT (Real Money Trading) is growing in the video game industry, an industry historically lax with security. While RMT is nothing new, there are constantly new ways for hackers to take advantage of it and credential abuse is just the latest approach. Once the attacker gains access to your account, they strip your in-game assets and transfer them to a disposable character. From there, they sell them on the black market for real money.”

Respondents to the original Reddit post noted that the random capitalization and other grammar mistakes are an obvious red flag, but that the note is more convincing than other gaming-related phishing campaigns, such as one that is circulating for World of Warcraft.

“As long as RMT in MMOs in lucrative, we’ll continue to see typical enterprise attack techniques (such as phishing) migrate to the gaming world,” Reguly noted. “We can no longer think of gaming as a pastime to be mostly ignored, with eSports and the growing investment that older gamers have made in long time MMOs, it is an industry that is ripe for malicious financial gain.”

To stay safe, users should remember that legitimate gaming companies do not send private messages asking for account details. Enabling two-factor authentication (2FA) is always a good idea too.

“Some companies are waking up to this see the bigger companies implementing 2FA using their own mobile apps, something that both Steam and Blizzard have done,” Reguly said. “Others, like CCP Games, makers of EVE Online, have introduced 2FA using industry-standard methods and have an entire team dedicated to tracking down those engaged in RMT. It can be difficult to get players to adopt these methods, or even use unique passwords, so some companies have been creative in their attempts to get users to adopt. CCP Games allows users to set their own custom seed, so that multiple accounts can use the same 2FA token. It may not be as secure as individual 2FA tokens, but it is vastly superior to just using a password.”

Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.