This week, let’s look at a recent example of phishing. Using social engineering, this attack compromised accounts protected by 2 Factor Authentication. In this particular case, the hackers targeted the software’s customer service team rather than the customers.
On January 11, Electronic Arts (EA), the famous video game maker, reported illegal account takeover of about 50 FIFA 22 players. The breached accounts were all high profile player accounts. The list of the victims includes real footballers such as Valentin Rosier.
As per Bleeping Computers, counting the reports of hacked lower-tier accounts, the total number might be higher than 50.
FIFA 22 is a popular soccer simulation game from Electronic Arts (EA). It features multi-player modes and allows players to compete in real-time. It also allows players to trade in-game items.
How social engineering helped criminals hack FIFA 22 accounts
As per the EA statement, cybercriminals used threats and social engineering – a set of very effective phishing techniques – against their customer experience team to compromise the accounts. This includes bypassing the two factor authentication put in place by the players.
What is social engineering?
Social Engineering is a form of phishing attack. In a social engineering attack, criminals clock their bait as messages sent by a person or business known to the target. First, they trick the victim into believing that they are interacting with the right person. Then, they use that trust to con the victim.
If careless, you might end up transferring funds, sharing your SSN or bank details with the attacker. Criminals use social engineering for hacking businesses as well. This includes stealing Office 365 passwords, Apple IDs, installing malware, and ransomware attacks.
To trap a victim, the attacker generally use emails, phone calls and text messages. They might resort to a combination of them all as well.
How social engineering attacks work
Here’s how most social engineering attacks work. First, the criminals look into the personal and professional life of their target. Then, they build trust with the victim. Upon gaining his or her trust, the attackers, then, send a malicious email or message to the person.
Beware, such attacks are common in cases of identity theft, and account takeovers. The most recent examples includes, Medicare scams, and relief payment messages. Harnessing the anxiety about the Coronavirus, they trick people into giving money and sharing personal information.
Social engineering is used to infiltrate business networks as well. Cybercriminals use it to steal business secrets, installing malware and ransomware attacks. It’s used to trick employees into making wire transfers to fake accounts as well.
In this particular case, the attackers used social engineering to trick the members of EA’s customer service into revealing login IDs and passwords of FIFA 22 players. The attack succeeded in bypassing players’ two-factor authentication as well.
How is Electronic Arts responding to the attack?
Although EA has not revealed the exact social engineering techniques used by the attackers. Generally, such attacks can involve an attacker masquerading as the target. The attacker would try to trick the customer support staff into changing the targeted person’s login password. In other cases, they would attempt to fool the staff into replacing the victim’s registered email address with their own. Then, the new email address is used to change passwords and bypass the two-factor authentication.
To prevent such an incident from repeating, Electronic Arts has promised to update their processes, and take necessary measures for training their staff.
Here’s the list of the steps it promises to take against similar phishing attacks.
- EA plans to train and re-train staff on account security practices, and how to fight phishing
- Add new verification steps to ensure account ownership
- Strengthen their process of dealing with requests for changing users’ registered emails
- Update necessary software to identify and address malicious behavior
- Address the potential for human error when updating user accounts
Also, EA promises to restore the access of the compromised accounts to their owners.