{"id":566,"date":"2022-01-18T20:16:33","date_gmt":"2022-01-19T03:16:33","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/?p=566"},"modified":"2022-01-18T20:18:36","modified_gmt":"2022-01-19T03:18:36","slug":"fifa-ultimate-team-phishing-attack-what-went-wrong","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/18\/fifa-ultimate-team-phishing-attack-what-went-wrong\/","title":{"rendered":"FIFA Ultimate Team Phishing Attack, What Went Wrong?"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" data-src=\"https:\/\/cdn.gamer-network.net\/2022\/articles\/2022-01-11-14-59\/-1641913144900.jpg\/EG11\/thumbnail\/1920x1077\/format\/jpg\/quality\/80\" alt=\"\" width=\"800\" height=\"448\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" style=\"--smush-placeholder-width: 800px; --smush-placeholder-aspect-ratio: 800\/448;\" \/><figcaption>Credit: Eurogamer<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">On January 11th, 2021, EA confirmed that several high-profile accounts in FIFA Ultimate Team had been compromised after attackers targeted customer support, with several accounts worth in the range of one thousand dollars being completely drained of resources or given to anonymous individuals online. 
<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<div class=\"twitter-tweet\"><blockquote class=\"twitter-tweet\" data-lang=\"en\"><p lang=\"en\" dir=\"ltr\">Just got hacked boys, finally people can stop blaming me for the hacks xD<br><br>I plan to take legal action, they gave my account to a random person via the live chat, a clear breach of data protection laws<br><br>Was a fun ride, see u guys in 23 I guess\u2764\ufe0f<\/p>&mdash; FUT Donkey (@FUTDonkey) <a href=\"https:\/\/twitter.com\/FUTDonkey\/status\/1478860422170259459?ref_src=twsrc%5Etfw\">January 5, 2022<\/a><\/blockquote><\/div>\n<\/div><\/figure>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">The Attack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Attackers targeted customer service representatives &#8220;Utilizing threats and other &#8216;social engineering&#8217; methods&#8221; in order to bypass 2FA systems and change the email associated with the accounts without the original owners&#8217; immediate knowledge or consent, compromising approximately 50 accounts.<sup>[1]<\/sup> The attacks, sent primarily through the live chat feature, were initially ignored by customer support representatives, but some eventually caved due to the continued demands.<sup>[2]<\/sup> <\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">The Human Factor<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">No matter how secure a digital system is on the technical side, if the humans operating it turn out to be the weakest link in the chain of security, the result can still prove disastrous to the overall integrity of the system. 
Social engineering is not a new concept, nor is it limited to digital security: examples range from <a href=\"https:\/\/www.youtube.com\/watch?v=JsVtHqICeKE&amp;ab_channel=Christiaan008\" data-type=\"URL\" data-id=\"https:\/\/www.youtube.com\/watch?v=JsVtHqICeKE&amp;ab_channel=Christiaan008\">potential attackers walking straight through reception and finding server rooms and doors open, with systems containing potentially confidential data available in the open,<\/a> to more classical social engineering attacks such as the Nigerian prince scam, or various shady &#8220;Tech support&#8221; companies telling you your computer is compromised. <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" data-src=\"https:\/\/i.pinimg.com\/originals\/7d\/e7\/f9\/7de7f91b65e9d930ae198c4d04b3c7f8.jpg\" alt=\"\" src=\"data:image\/svg+xml;base64,PHN2ZyB3aWR0aD0iMSIgaGVpZ2h0PSIxIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg==\" class=\"lazyload\" \/><figcaption>&#8220;A bad day phishing is still better than a good day at work&#8221; <br>Credit: <a href=\"https:\/\/www.etsy.com\/listing\/200066399\/gone-phishing-wooden-wall-hanging?utm_source=Pinterest&amp;utm_medium=PageTools&amp;utm_campaign=Share&amp;epik=dj0yJnU9cmhBNGVXakJSazB0R2xsVXpaQ0lFWHJMQ0xyejVfdlYmcD0wJm49bEVWQmlCU04tR19fdk44Uks5Z29MUSZ0PUFBQUFBR0huZ0NV\" data-type=\"URL\" data-id=\"https:\/\/www.etsy.com\/listing\/200066399\/gone-phishing-wooden-wall-hanging?utm_source=Pinterest&amp;utm_medium=PageTools&amp;utm_campaign=Share&amp;epik=dj0yJnU9cmhBNGVXakJSazB0R2xsVXpaQ0lFWHJMQ0xyejVfdlYmcD0wJm49bEVWQmlCU04tR19fdk44Uks5Z29MUSZ0PUFBQUFBR0huZ0NV\" target=\"_blank\" rel=\"noreferrer noopener\">MySeasonedPalette on Etsy<\/a><\/figcaption><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Because phishing attacks require little skill yet offer high potential gain, it is understandable that phishing is one of the most common security attacks<sup>[3]<\/sup>. 
UCalgary students who check their emails regularly may be familiar with emails promising lucrative job opportunities if only they reply with their personal information, a common phishing scam that could propagate in various ways in order to compromise their digital security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The case with EA was unique in that the customer service representatives had the ability to bypass 2FA systems, as well as security measures that mandate additional action from the account owner, without any secondary checks from a second party such as a manager, which in the context of a security system seems like a fatal flaw disguised as a feature. <\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Outcome and moving forward<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">As for EA and the Ultimate Team players who had their accounts compromised, the company has stated it will be working to restore the users&#8217; accounts back to their pre-attack state after verifying ownership, as well as mandating training for any individuals responsible for handling user accounts and data to help fight against potential future attacks. 
EA has also stated that they are adding a second layer of managerial approval for any email change requests and making improvements to their automated customer support systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, in the context of the greater internet, it would serve everyone to remain vigilant against both common and potential phishing attacks as they continue to rise in popularity.<sup>[3]<\/sup> Phishing attacks are also rapidly changing and evolving, from attacks such as spearphishing or whaling looking to disguise the attacker as a trusted source or gain rapport with the user, to attacks such as pharming, which skip the user entirely in order to target DNS servers or email code.<sup>[4]<\/sup><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">References:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[1]: <a href=\"https:\/\/www.ea.com\/en-gb\/games\/fifa\/fifa-22\/news\/pitch-notes-fifa-22-account-takeover-update\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.ea.com\/en-gb\/games\/fifa\/fifa-22\/news\/pitch-notes-fifa-22-account-takeover-update<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[2]: <a href=\"https:\/\/threatpost.com\/phishers-ea-gamers\/177575\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/threatpost.com\/phishers-ea-gamers\/177575\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[3]: <a href=\"https:\/\/www.cisco.com\/c\/en_ca\/products\/security\/common-cyberattacks.html#~types-of-cyber-attacks\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.cisco.com\/c\/en_ca\/products\/security\/common-cyberattacks.html#~types-of-cyber-attacks<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">[4]: <a href=\"https:\/\/www.tripwire.com\/state-of-security\/security-awareness\/6-common-phishing-attacks-and-how-to-protect-against-them\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">https:\/\/www.tripwire.com\/state-of-security\/security-awareness\/6-common-phishing-attacks-and-how-to-protect-against-them\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On January 11th, 2021, EA confirmed that several high-profile accounts in FIFA Ultimate Team had been compromised after attackers targeted customer support, with several accounts worth in the range of one thousand dollars being completely drained of resources or given to anonymous individuals online. The Attack Attackers targeted customer service representatives &#8220;Utilizing threats &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/2022\/01\/18\/fifa-ultimate-team-phishing-attack-what-went-wrong\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;FIFA Ultimate Team Phishing Attack, What Went Wrong?&#8221;<\/span><\/a><\/p>\n","protected":false},"author":325,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[15],"tags":[],"class_list":["post-566","post","type-post","status-publish","format-standard","hentry","category-cpsc-329-602-w22","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Alexander 
Eisner","author_link":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/author\/alexander-eisner\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/users\/325"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/comments?post=566"}],"version-history":[{"count":1,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/566\/revisions"}],"predecessor-version":[{"id":592,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/posts\/566\/revisions\/592"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/media?parent=566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/categories?post=566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/isec-601-f21\/wp-json\/wp\/v2\/tags?post=566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}