What’s the news?
Electronic Arts (EA) announced that cybercriminals “exploited human error” among EA’s customer support staff, using socially engineered phishing emails to compromise fewer than 50 top trader accounts. A series of takeovers of high-profile accounts of FIFA Ultimate Team players led to accounts being cleared of points and thousands of dollars in game currency.
What’s the threat and why is it effective?
“Hackers prey on human vulnerabilities and, in this case, have capitalized on the fact that customer service teams are under considerable pressure to deliver a good customer experience and help people with their queries as quickly as possible.
In the case of this attack, bad actors preyed on human nature and applied brute force until they found a customer support person who would give in to their requests. What this attack highlights is that, even with awareness of a risk and processes in place to address this kind of risk, it’s a very difficult problem to solve on a large scale. Organizations with large customer-facing support functions have a much bigger burden, are interacting with customers on multiple communications channels, and often need to implement more layers of preventive controls to address the risk of process deviations.
This appears to be a targeted attack where attackers have gained a vast amount of information about the account holder to ensure they can answer multiple questions, so the bad actor is able to pose as the account holder when required to do so. As these are ‘high profile’ top 50 user accounts which can earn from playing online as well, they become more valuable.
What can be done to mitigate the threat?
This is a good opportunity for EA to review their policies on such high-profile attacks to understand the user and ask them out-of-the-box questions about their activity that would be much harder to find out.
Best practices here include requiring additional confirmation to validate changes to users’ contact details via an email to the original email address and also ensuring that users are notified whenever account changes occur. While those notifications might be ‘annoying’ for some consumers, these types of features ultimately help users catch this kind of compromise and take action on their end when things don’t look right. As a result, the customer has an opportunity to catch what support teams cannot.”
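As an added illustration (not code from the article, from EA, or from the quoted commentator), the Python sketch below implements the two controls the quote recommends: a contact-email change stays pending until a single-use token sent to the original address confirms it, regardless of whether the user or a support agent started the request, and both the old and the new address are notified once the change is applied. The class and method names, the in-memory `outbox` standing in for a mail sender, and the sample account are assumptions made for the example.

```python
"""Contact-change flow with out-of-band confirmation and change notifications.
Added example; names (ContactChangeService, outbox) and sample data are assumed."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str
    # Constructed in-memory record of every change applied to the account.
    history: list = field(default_factory=list)


class ContactChangeService:
    """Holds requested email changes as pending until the owner of the
    ORIGINAL address confirms them with a single-use, time-limited token."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        # token hash -> (user_id, new_email, expires_at). Only the hash is kept,
        # so a leaked pending table does not yield usable confirmation tokens.
        self._pending = {}
        # Constructed stand-in for an email sender: (recipient, subject, body).
        self.outbox = []

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_email_change(self, account, new_email, requested_by):
        """Start a change. Whether the user or a support agent initiated it,
        nothing is applied until the original address confirms."""
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (
            account.user_id, new_email, self.clock() + self.ttl)
        # The confirmation goes to the ORIGINAL address, never the new one, so a
        # caller who only controls the new address cannot complete the change.
        self.outbox.append((account.email, "Confirm email change",
                            f"Requested by {requested_by}; token {token}"))
        return token  # returned only so the demo and test can feed it back in

    def confirm_email_change(self, account, token):
        """Apply the pending change if the token is valid; returns True/False."""
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return False  # unknown, already used (replay), or forged token
        user_id, new_email, expires_at = entry
        if user_id != account.user_id or self.clock() > expires_at:
            return False  # token issued for another account, or expired
        old_email, account.email = account.email, new_email
        account.history.append(("email", old_email, new_email))
        # Notify BOTH addresses so the legitimate owner still sees the change
        # even if someone else now controls the new address.
        for recipient in (old_email, new_email):
            self.outbox.append((recipient, "Your account email was changed",
                                f"{old_email} -> {new_email}"))
        return True

    def pending_count(self):
        return len(self._pending)


def demo(clock=time.time):
    """Runs the flow once on a constructed account; returns objects to inspect."""
    svc = ContactChangeService(ttl_seconds=900, clock=clock)
    acct = Account(user_id="u-1001", email="owner@example.com")  # constructed
    token = svc.request_email_change(acct, "new@example.com",
                                     requested_by="support-agent-7")
    forged_ok = svc.confirm_email_change(acct, "not-the-real-token")
    real_ok = svc.confirm_email_change(acct, token)
    replay_ok = svc.confirm_email_change(acct, token)
    return acct, svc, (forged_ok, real_ok, replay_ok)


if __name__ == "__main__":
    account, service, outcome = demo()
    print("forged/real/replay:", outcome)
    for message in service.outbox:
        print(message)
```

The design point is that the support agent's action only creates a pending request; the decision to apply it sits with whoever reads the original mailbox, and the post-change notification to the old address gives the real owner a chance to react even when the agent was talked into starting the change.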