FIFA Ultimate Team Phishing Attack, What Went Wrong?

Credit: Eurogamer

On January 11th, 2021, EA confirmed that several high-profile FIFA Ultimate Team accounts had been compromised after attackers targeted customer support. Several accounts worth on the order of a thousand dollars were completely drained of resources or handed over to anonymous individuals online.

The Attack

Attackers targeted customer service representatives “Utilizing threats and other ‘social engineering’ methods” in order to bypass 2FA and change the email address associated with an account without the original owner’s immediate knowledge or consent, compromising approximately 50 accounts.[1] The attempts, made primarily through the live chat feature, were initially ignored by customer support representatives, but some eventually relented under the continued demands.[2]

The Human Factor

No matter how secure a digital system is on the technical side, if the humans operating it turn out to be the weakest link in the chain, the overall integrity of the system can still be compromised. Social engineering is not a new concept, nor is it limited to digital security. It ranges from an intruder walking straight past reception to find server room doors open and systems holding confidential data sitting in plain view, to classic scams such as the Nigerian prince or the shady “tech support” company insisting that your computer is compromised.

“A bad day phishing is still better than a good day at work”
Credit: MySeasonedPalette on Etsy

Because phishing requires little skill yet offers a high potential payoff, it is unsurprising that it is one of the most common security attacks.[3] UCalgary students who check their email regularly may be familiar with messages promising lucrative job opportunities if only you reply with your personal information, a common phishing scam that can be used in various ways to compromise your digital security.

The EA case was unusual in that customer service representatives had the ability to bypass 2FA and other security measures that normally require action from the account owner, without any secondary check by a second party such as a manager. In the context of a security system, this looks like a fatal flaw disguised as a feature.

Outcome and moving forward

As for EA and the Ultimate Team players whose accounts were compromised, the company has stated that it will work to restore the users’ accounts to their pre-attack state after verifying ownership, and that it will mandate training for anyone responsible for handling user accounts and data to help defend against future attacks. EA has also stated that it is adding a second layer of managerial approval for any email change request, along with improvements to its automated customer support systems.
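To make the flaw and the fix concrete, here is an added toy model (not EA’s code; every name, field and value in it is assumed) of a support-initiated email change: first as the post describes the pre-incident behaviour, where a single agent’s action is enough, then under dual control, where the change requires either the owner confirming through their registered factor or approval by a distinct second party, with every decision written to an audit log.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed toy model of the email change described in the post; not EA's code, names assumed.

@dataclass
class Account:
    account_id: str
    email: str
    owner_verified: bool = False  # owner confirmed via their registered factor (e.g. 2FA)

@dataclass
class ChangeRequest:
    account: Account
    new_email: str
    requested_by: str                  # support agent handling the live chat
    approved_by: Optional[str] = None  # distinct second party (e.g. a manager), if any

def change_email_weak(req: ChangeRequest) -> bool:
    """Pre-incident behaviour: the agent's action alone rewrites the account email."""
    req.account.email = req.new_email
    return True

def change_email_dual_control(req: ChangeRequest, audit: List[str]) -> bool:
    """Hardened flow: owner verification or a distinct approver; every decision is audited."""
    who = f"account={req.account.account_id} agent={req.requested_by}"
    if not req.account.owner_verified:
        if req.approved_by is None:
            audit.append(f"DENY {who} reason=owner_unverified_no_approver")
            return False
        if req.approved_by == req.requested_by:
            # Self-approval would collapse dual control back into single control.
            audit.append(f"DENY {who} reason=self_approval")
            return False
    req.account.email = req.new_email
    audit.append(f"ALLOW {who} approver={req.approved_by} owner_verified={req.account.owner_verified}")
    return True

def demo() -> dict:
    audit: List[str] = []
    def req(acct_id, verified=False, approver=None):  # a pressured agent submits a change
        acct = Account(acct_id, "owner@example.com", owner_verified=verified)
        return ChangeRequest(acct, "new-address@example.com", "agent-7", approved_by=approver)
    return {
        "weak_allowed": change_email_weak(req("fut-1001")),
        "hardened_denied": not change_email_dual_control(req("fut-1002"), audit),
        "self_approval_denied": not change_email_dual_control(req("fut-1003", approver="agent-7"), audit),
        "manager_approved": change_email_dual_control(req("fut-1004", approver="mgr-2"), audit),
        "verified_owner_allowed": change_email_dual_control(req("fut-1005", verified=True), audit),
        "audit": audit,
    }
```

The audit entries are what a detection team would alert on: a burst of DENY lines from one agent is the signal that the pressure tactics described above are under way.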

Beyond EA, it would serve everyone on the wider internet to remain vigilant against both common and novel phishing attacks as they continue to rise in popularity.[3] Phishing is also changing and evolving rapidly, from spear phishing and whaling, which disguise the attacker as a trusted source or build rapport with the target, to pharming, which skips the user entirely and targets DNS servers or email code.[4]

References:

[1]: https://www.ea.com/en-gb/games/fifa/fifa-22/news/pitch-notes-fifa-22-account-takeover-update

[2]: https://threatpost.com/phishers-ea-gamers/177575/

[3]: https://www.cisco.com/c/en_ca/products/security/common-cyberattacks.html#~types-of-cyber-attacks

[4]: https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/


32 Comments

  1. Great to see someone write a blog about a game which almost everyone plays these days. Considering EA has made so many games in the past, they still weren’t able to prevent this kind of attack from happening. Since the popularity of gaming is increasing daily, gamers use platforms like YouTube, Twitch, Facebook etc. to live stream their games. Attackers saw this as an opportunity and hacked multiple FUT accounts. Even though this is not ethical and is a horrendous incident, it is remarkable how hackers were able to hide a phishing email in plain sight without anyone even noticing. I feel bad for gamers who spend countless days and nights working on their FUT just to wake up and see some stranger in control of their account. Apart from money, serious gamers put in a lot of effort behind their teams. Considering EA still isn’t able to fix their decade-old glitches, I am somewhat relieved to hear that EA is actually doing something to make up for their mistake.

    Anyways I found your post very interesting and informative since I am a huge FIFA fan. Plus if you’re down for 22 let me know the time and place and I’ll be there 🙂

  2. Hi,
    Cybersecurity issues in gaming are often “put to the side” because some might assume that less information is being accessed. However, many players put a lot of time and energy into their games, and it can all easily go to waste if their accounts are hacked. With video game technology developing, internet usage is very important in the gaming community. Although it adds another exciting element to playing games, it brings up security issues, like attacks and information leaking. Now that games have become easily accessible and attractive to younger audiences, those players may be easier to manipulate or may ignore important steps to protect their accounts. I do think this is an issue that some might overlook, and young children should be taught how to take extra steps to protect their accounts, even if it can happen to everyone. Game producers should also take extra steps before releasing games to protect their customers and their accounts.

  3. Really well written post Alexander! I don’t think a lot of people consider the “social engineering” aspect of privacy and security. A lot of it can be easily picked out (such as bogus emails that are obviously phishing), but depending on how the attack is administered and who it is targeted to, it can be very easy to get information from the victim (i.e. a less-than-tech-savvy grandparent accidentally clicking on a link in their email claiming they need to confirm their banking info). I definitely agree we need to stay ever vigilant when it comes to these things, and having a bit of “healthy” paranoia isn’t necessarily a bad thing.

  4. Social engineering plays a big role when it comes to phishing attacks. The link to redirect you from the phishing email often looks like a legitimate site, convincing you to enter your login credentials. I think it’s important to note that we should avoid clicking any links or opening attachments unless we are absolutely sure about who it is from.

  5. Social engineering plays a big role when it comes to phishing attacks. The link to redirect you from the phishing email often looks like a legitimate site, convincing you to log in with your credentials. I think as a general rule we should avoid clicking links or opening attachments unless we are absolutely sure about who it is from. I had heard about FIFA phishing attacks but didn’t know they weren’t taking measures until now. Great post!

  6. Hi!
    FIFA is one of the most popular games in the world, and as a person who started playing in 2012, I do feel proud of how much their quality has gone up. Even if I feel proud, there are pros and cons to being one of the most popular games. They really do want us to spend a lot of money, and like the problem you have talked about, this can be a serious issue! As you stated before, EA is adding a second layer of managerial approval for any changes to the account; they should have done it long ago. I haven’t seen many cases like this, but big companies like Riot Games, Blizzard etc. should maybe improve their security so incidents like this could be prohibited!

  7. This is a really interesting post Alexander!
    Phishing has been a very common issue for some time now, and it keeps moving on from emails to even plain texts, embedded as links. Hence in gaming, there are often multiple ways a user could be redirected without getting to know about it. And obviously there has to be an intrusion into the game initially before this task could be performed. In that case, the intrusion may be because of a weaker link on the gaming server. Online games have often become so enthusiastic in a realistic way that, due to excitement, when inputting our credentials we pay very little attention to certain details about why the credentials are being asked for. In such scenarios, gaming platforms should provide an enhanced layer of verification for their customers so that they don’t face any worse consequences.

  8. Phishing messages can break through a variety of lines of defense in network security; it seems that in the chain of network security, people are the weakest factor. As account owners, we want to have complete control over our accounts, but mistakes happen all the time, and we expect the operators to still have other means. It’s not the kind of control we want, but it’s definitely safer for our accounts. I like Steam’s emphasis on the initial email, which allows users to regain ownership of their accounts unconditionally as long as they own the initial email.

  9. That was a very interesting post! It appears that phishing is very much on the rise and very common nowadays. I got to know that phishing is one of the tools used by state-backed hacking groups to spy on opponents of interest. I believe that this incident merely emphasizes the fact that we can no longer totally guarantee the protection of our personal information.

  10. That was a very interesting post! It appears that phishing is very much on the rise and common nowadays. And I got to know that phishing is one of the tools used by state-backed hacking groups to spy on opponents of interest. I believe that this incident merely highlights the fact that we can no longer totally guarantee the protection of our personal information nowadays.

  11. This is a great post on a very interesting topic.
    Phishing has been on the rise for some time now, and social engineering plays a big role in it. It is shocking to see that a big company like EA, which has been making games for over a decade, wasn’t able to prevent this. It is good to see that EA is owning up to their mistake and working on it to prevent this from happening in the future, although they should have done this a long time ago.

  12. When I heard the news about this phishing attack on FIFA, I was genuinely shocked. This is a game that has been popular in the gaming industry for so long. I personally enjoy this game a lot and in previous FIFA games, I have grinded out ultimate team so much. I can say for certain, that getting a good team on ultimate team takes a lot of time and effort. Recently, I haven’t been able to play as much due to school and work but who knows, maybe during the summer, I’ll play again. Seeing all the hard work that these individuals put into their accounts, only for their accounts to be stolen and given to someone else is just very sad. I agree with your closing statement that phishing attacks are getting more and more dangerous. I would never have expected a game as big as FIFA to get hacked like this.

  13. This is a great topic to post on with this being the biggest sports game in the industry. As someone who plays FIFA, I found it shocking that their own company can just give out account information without any verification that they are in fact the owners of the account. Many big content creators ended up losing in game currency that was worth lots of money. Needless to say it shows how dangerous phishing attacks can be and why it is important to always have two factor authentication (even if it didn’t work this time). Very surprising that such a big company would be giving account information out with no verification.

  14. This was a nice post, Alexander. I did not know a company as big as EA would have a problem with phishing attacks. EA should have had a second layer of managerial approval for any changes to the account when FIFA became a popular game. Also, I think it is important for us to notice which websites are fake, and giving your login credentials to any website without knowing anything about that website would not be a wise decision.

  15. Great post Alexander!
    As someone who has previously been hacked on Ultimate Team, it was very interesting to see how the hackers might have gained access to my account! Unfortunately, EA does not seem to care that much about customers who have suffered from phishing attacks. I personally only received half the items back from EA, and their customer service seemed quite unresponsive. Your blog made me think that it can be so easy to gain access to someone else’s account, and it is disappointing that a big company like EA does not look that bothered to heavily improve its security system. I’ve quit FIFA now, but for people who still play the game, I hope EA learns from their mistakes and makes the game safe for everyone!

  16. It is an interesting post that talks about a very common game which still lacks security and user privacy protection. I’m also an example of a user information breach, as I have lost my EA account for an unknown reason. EA offers no customer support even though it’s not my fault that the data breach happened. In my opinion, people should care more about their personal information protection rather than the content that the company offers. It will be an incentive for big companies to care more about privacy protection.

  17. Great post!
    I am facing a similar problem with my Steam account. The e-mail associated with my Steam account has been receiving a lot of phishing e-mails for a long time, and these e-mails are all about CSGO weapon skins. I always wonder how these attackers know that I am interested in playing CSGO and that I have many CSGO weapon skins. I believe some staff members at Valve have some kind of relationship with these attackers. Thus, like what EA said, improving the automated customer support systems is a good way to prevent phishing attacks. Believing in people is not a good idea.

  18. Hey, great post. It is interesting that phishing is being used for online gaming. I would have assumed that phishing was primarily done with big companies like Netflix or Facebook. But the very fact that this is spilling over onto online gaming is a cause for concern. Since many children play video games, they can be made the primary target of phishing as they are much more likely to fall for these scams. It is quite sad that the most vulnerable are being preyed upon financially. I think EA needs to step up and protect their users’ privacy and provide support for individuals that have fallen for these scams while using their merchandise.

  19. Interesting Post! EA estimates that fewer than 50 accounts have been taken over in this fashion, and it is now working to figure out who the proper owners are, and to restore all stolen content. It also promised that steps will be taken to ensure this sort of thing is less likely to happen again in the future.

