Electronic Arts (EA) has confirmed that attackers are using phishing and social engineering tactics to execute account takeover attacks against high-level FIFA Ultimate Team (FUT) players.
In a statement posted on its website, EA revealed that fewer than 50 accounts were compromised through phishing techniques and employee error. However, reports of hacked lower-tier FIFA 22 accounts have also surfaced online, suggesting that the number of phishing account takeovers could be much higher than EA has acknowledged.
EA subsequently adopted stricter account verification measures to protect accounts from unauthorized takeovers. The company also promised to contact the affected players and restore the accounts to their rightful owners.
At least two high-profile victims have reported on social media alleged identity theft stemming from the EA breach. One victim considered suing the company.
Attackers bypassed two-factor authentication using phishing and social engineering techniques
EA confirmed that attackers used phishing and other social engineering techniques to bypass the account verification process and compromise high-level accounts.
“Using threats and other ‘social engineering’ methods, people acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts,” EA wrote.
According to Javvad Malik, a security awareness advocate at KnowBe4, social engineering attacks are the worst attacks against organizations and individuals. He recommended using strong, unique passwords and enabling multi-factor authentication (MFA) to thwart phishing attacks.
“However, even with these technical controls, it is still possible for an account to be compromised through social engineering.”
Eurogamer first reported the account takeover attacks after several accounts were found stripped of FIFA Points and FIFA Coins. The attackers allegedly used Gamertags taken from public FIFA ratings to convince EA staff that they were the rightful owners.
Additionally, EA Account Service representatives reportedly disclosed the email addresses associated with those Gamertags and reset the passwords, allowing the attackers to complete the account takeover.
EA implements strict security measures to protect players against account takeover attacks
EA recognized that the human factor was an element of risk in account security and admitted that it could do more to protect user accounts from social engineering attacks.
“Hackers are exploiting human vulnerabilities and in this case capitalizing on the fact that customer service teams are under considerable pressure to deliver a good customer experience and help people with their queries as quickly as possible,” said James Alliband, Senior Manager Product Strategy at Tessian.
EA is implementing additional steps in the account management process and strengthening account security practices to protect its users from account takeover attacks.
All EA Account Service workers will receive individualized refresher training and additional team training with a specific focus on account security best practices and defense against social engineering attacks such as phishing.
Malik stressed the importance of cybersecurity user training to protect accounts against phishing and other social engineering attacks.
“Whether through an organization rolling out a security awareness and training program, or through helpful on-screen tips and advice on consumer login pages reminding them not to share their personal information or login codes with others, and to be wary of emails claiming to be from the organization,” Malik said.
EA has also added requirements to the account ownership verification process, including mandatory managerial approval for sensitive changes such as email change requests.
The company will also update its customer experience software to identify suspicious activity, flag risky accounts, and eliminate the potential for human error in the account update process.
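As an added illustration (not EA's code; every name, threshold and evidence label here is hypothetical), the following Python models a support-desk change handler with the controls described above: ownership proven only by possession of a factor already bound to the account, never by public identifiers such as a Gamertag; a second approver, distinct from the handling agent, for sensitive changes; a hold on any password reset that follows an email change within a short window; and masking of the account email in anything read back to a requester.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical evidence labels. Possession evidence proves control of a
# factor already on the account; public identifiers prove nothing, which is
# exactly what the attackers in the story relied on.
POSSESSION_EVIDENCE = {"otp_existing_email", "otp_existing_phone", "authenticator_code"}
PUBLIC_EVIDENCE = {"gamertag", "leaderboard_rank", "club_name"}

# Changes that need a second approver (assumed list).
SENSITIVE_CHANGES = {"email_change", "password_reset", "2fa_reset"}

# A password reset soon after an email change is the classic takeover
# sequence; hold it for review instead of letting one agent complete it.
RESET_AFTER_EMAIL_CHANGE_WINDOW = timedelta(hours=24)  # assumed threshold


@dataclass
class Account:
    gamertag: str
    email: str
    history: list = field(default_factory=list)      # (timestamp, change_type)
    risk_flags: list = field(default_factory=list)


@dataclass
class SupportRequest:
    gamertag: str
    change_type: str
    evidence: set
    agent: str
    requested_at: datetime
    new_value: Optional[str] = None
    approver: Optional[str] = None   # manager who signed off, if any


def mask_email(email: str) -> str:
    """The most an agent may read back to a requester: never the full address."""
    local, _, domain = email.partition("@")
    shown = local[:1]
    return f"{shown}{'*' * max(len(local) - 1, 1)}@{domain}"


def evaluate_request(account: Account, req: SupportRequest) -> tuple[str, list[str]]:
    """Decide a support request. Returns (decision, reasons) where decision is
    'approved', 'pending_approval', 'held_for_review' or 'denied'."""
    reasons: list[str] = []

    # 1. Ownership must be proven by possession of an existing factor.
    if not (req.evidence & POSSESSION_EVIDENCE):
        reasons.append("public_identifiers_only" if req.evidence <= PUBLIC_EVIDENCE
                       else "no_possession_evidence")
        return "denied", reasons

    # 2. Risk flag: a reset requested shortly after an email change is held.
    if req.change_type == "password_reset":
        for ts, kind in account.history:
            if kind == "email_change" and timedelta(0) <= req.requested_at - ts <= RESET_AFTER_EMAIL_CHANGE_WINDOW:
                account.risk_flags.append("reset_after_email_change")
                reasons.append("reset_after_email_change")
                return "held_for_review", reasons

    # 3. Sensitive changes need a manager who is not the handling agent.
    if req.change_type in SENSITIVE_CHANGES:
        if req.approver is None:
            reasons.append("manager_approval_required")
            return "pending_approval", reasons
        if req.approver == req.agent:
            reasons.append("approver_must_differ_from_agent")
            return "denied", reasons

    # 4. Apply and record the change.
    if req.change_type == "email_change" and req.new_value:
        account.email = req.new_value
    account.history.append((req.requested_at, req.change_type))
    return "approved", reasons


def demo() -> list[str]:
    """Constructed scenario: attacker with a Gamertag only, then a legitimate
    owner, then a suspicious reset. Returns the sequence of decisions."""
    now = datetime(2022, 1, 10, 12, 0)
    acct = Account("TopFUTPlayer", "owner@example.com")
    decisions = []
    attacker = SupportRequest("TopFUTPlayer", "email_change", {"gamertag", "leaderboard_rank"},
                              "agent1", now, new_value="attacker@example.com")
    decisions.append(evaluate_request(acct, attacker)[0])
    owner = SupportRequest("TopFUTPlayer", "email_change", {"gamertag", "otp_existing_email"},
                           "agent1", now, new_value="new@example.com", approver="manager1")
    decisions.append(evaluate_request(acct, owner)[0])
    reset = SupportRequest("TopFUTPlayer", "password_reset", {"otp_existing_email"},
                           "agent2", now + timedelta(hours=2), approver="manager1")
    decisions.append(evaluate_request(acct, reset)[0])
    return decisions


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the agent never has to judge how convincing a requester sounds: a Gamertag is denied by rule, a sensitive change cannot close without a second person, and the email-change-then-reset pattern is escalated automatically rather than left to a stressed agent's discretion.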
EA has warned that the new security measures will affect the customer experience of its users. However, many FIFA fans on Reddit were largely supportive of the proposed security changes, believing they would protect them from account takeover attacks.
EA has also promised to investigate every reported suspicious email and account change claim.
“This is a good opportunity for EA to revisit its policies on such high profile attacks to understand the user and ask them out-of-the-box questions about their activity that would be much harder to uncover,” Alliband added. “Using voice identification, biometrics, SMS authentication, and alternative email authentication can also be a great way to make the life of malicious actors a little more difficult and add another layer of security measures for organizations when users contact customer support.”
However, some FUT players feared the repercussions of the account takeovers. NickRTFM tweeted that someone had tried to apply for a credit card using their contact information. Likewise, FUT Donkey complained that victims had received no communication from the company. The latter also threatened to sue the company for allegedly violating data protection laws and claimed that one of the attackers had used his leaked account details to register on various websites, including IMDb, Quora, Blockchain.com, Pornhub and XVideos.