Electronic Arts (EA) has attributed a recent series of takeovers of high-profile accounts of FIFA Ultimate Team players to “human error” within its customer experience team, some of whom apparently fell prey to a socially engineered phishing attack.
After a number of top traders of FIFA’s Ultimate Team game last week reported that their accounts had been taken over and cleared of points and thousands of dollars in game currency, EA launched an investigation.
The company discovered that phishers managed to “exploit human error” among EA’s customer support staff to compromise fewer than 50 top trader accounts, the company wrote in a post on its website Tuesday.
“Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts,” the company said.
Ultimate Team is an online soccer game that allows players to build virtual squads of real-life competitive players and then to compete with other teams online. Top traders rack up significant in-game currency and points by trading players and building various teams within the game.
What EA ultimately discovered was a scenario described online by traders, who shared screenshots online of strange account activity, such as attackers contacting EA’s customer staff via the live chat feature, demanding to have an account’s email address changed.
While staff ignored many of these requests, at least one customer support staffer eventually caved to the persistent demands and changed an account-holder’s email address. Doing so required the staffer to bypass security procedures that require additional verification from the account’s owner, according to a Twitter user and Ultimate Team trader called FUT Donkey, who said his account had been hacked.
“People spam the livechat asking to change my account details until some incompetent advisor finally gave them the account,” FUT Donkey tweeted.
The Human Factor
Indeed, when attackers use social engineering against support staff, “it’s always difficult to eliminate risk of account compromise,” a security professional acknowledged.
“By definition, customer support staff are expected to assist people who often have imperfect information about their accounts,” Jake Williams, co-founder and CTO at BreachQuest, wrote in an email to Threatpost. “Unfortunately, scammers can also amass imperfect information about their victim’s accounts.”
For its part, EA apologized “for the inconvenience and frustration the situation caused” and acknowledged that “there is always a human factor to account security and we know we must do better,” the company said in its post.
Further, EA will take steps to implement what Williams himself recommended to organizations with customer support staff to avoid such scenarios: namely, “to implement social engineering training for staff and implement policies to remove ambiguity in the support process,” he wrote to Threatpost.
Williams also advised that “operations that provide access to high-profile or high-value accounts should require review by multiple staff,” including a senior staff member.
Response and Impact
In response to the incident, EA will require “EA advisors and individuals who assist with service of EA accounts” to receive individual re-training and additional team training specifically focused on security practices and phishing techniques, the company said.
EA also will add steps to FIFA Ultimate Team’s account ownership verification process, “such as mandatory managerial approval for all email change requests,” the company said. It also will update its customer experience software to better identify and flag suspicious activity and at-risk accounts to “further limit the potential for human error in the account update process,” according to its post.
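The controls described above (Williams’ review by multiple staff, and EA’s mandatory managerial approval for email changes plus flagging of at-risk accounts) can be encoded as a policy gate in the support workflow; the following is an added illustration, not EA’s or Threatpost’s code, and every class, field and threshold in it is hypothetical:

```python
"""Added illustration, not EA's code: a policy gate for support-desk email
change requests enforcing owner verification, approval by a second person,
and flagging of repeated requests against one account. All names are
hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

REPEAT_REQUEST_LIMIT = 3  # constructed: requests on one account before it is flagged


@dataclass
class EmailChangeRequest:
    account_id: str
    advisor_id: str                    # support advisor handling the live chat
    owner_verified: bool               # verification completed with the current owner
    manager_id: Optional[str] = None   # second reviewer; must not be the advisor


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


class EmailChangePolicy:
    def __init__(self):
        self.requests = defaultdict(int)  # account_id -> requests seen
        self.flagged = set()              # accounts marked at-risk

    def evaluate(self, req: EmailChangeRequest) -> Decision:
        self.requests[req.account_id] += 1
        reasons = []
        # Repeated requests (the "spam the livechat" pattern) flag the
        # account, regardless of whether this request is otherwise valid.
        if self.requests[req.account_id] >= REPEAT_REQUEST_LIMIT:
            self.flagged.add(req.account_id)
            reasons.append("account flagged: repeated email-change requests")
        if not req.owner_verified:
            reasons.append("owner verification not completed")
        if req.manager_id is None:
            reasons.append("managerial approval missing")
        elif req.manager_id == req.advisor_id:
            reasons.append("approver must differ from handling advisor")
        # A flagged account stays denied until the flag is cleared out of
        # band with the owner; persistence alone never unlocks the change.
        if req.account_id in self.flagged:
            return Decision(False, reasons)
        return Decision(not reasons, reasons)
```

The point of the separate `flagged` set is that a request meeting every check still fails once the account has attracted repeated change attempts, so an attacker cannot simply keep asking until a well-formed request slips through.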
The debacle should be a cautionary tale for other gaming platforms: Just as top traders vie for honors and currency within the game, hackers who target these platforms also will continue to show off their skills, said another security professional in an email to Threatpost.
“Gamers and streamers are a massive global trend across social media platforms, capturing the attention of millions who want to know their secret techniques on how they get to the next level,” noted Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “Hacking is now also becoming a glorified streamed event with the world’s top hackers streaming their hacking skills online, showing off new techniques and methods on how to bypass security and get the initial foothold.”
Unfortunately for gaming platforms, this new trend will surely “grow and manifest in the year ahead,” he added in his email.