FIFA 22 phishers tackle customer support with social engineering

FIFA 22 phishers tackle customer support with social engineering

Players of smash hit gaming title FIFA 22 have become the target of a wave of attacks focused on account compromise. Up to 50 “high profile” accounts were hijacked by what may have been the same group.

FIFA games are, traditionally, a big draw for scammers and phishers. Many sports titles offer in-game digital items and benefits, paid for with real money. Sometimes you buy specific items via purchases called microtransactions. Other times, it might be a form of lucky dip, where you spend money on boxes which contain random items. They can be worthless, or incredibly valuable, and you don’t know what you’ll receive till you buy the so-called lootboxes. Games like FIFA frequently draw ire for it, and players who buy a lot of lootboxes are popular targets for phishers. Wherever you have players investing large sums of money, you’ll find the sharks circling in the water.

Someone decided to make a big splash with this particular attack. This isn’t supposed to be a stealthy compromise and a slow burn of stolen and plundered accounts, the attackers took over some of the biggest names in the FIFA game space and fired half a dozen flare guns at the same time. As Bleeping Computer notes, targets included actual players, currency traders, and streamers. Someone wanted attention, and they went about it in a way which guaranteed it.

Setting the scene

The problem was so visible that EA published a statement on the attacks. One may have assumed the first point of entry would be phishing gamers with fake logins and stealing their accounts. This is where additional security measures such as 2FA come in. If the attackers gain login details via bogus websites, they still need to login to the real site as the victim. If 2FA (or similar) is active, they won’t be able to do it without the 2FA code.

This potentially gives victims enough time to realise something isn’t right, and change their login details leaving the phisher with nothing.

However, even with 2FA enabled, things can go wrong. Typically this approach again focuses on the victim. A fake login site will ask for username and password, but then also ask the victim to enter their 2FA code on the phishing site. This code will then be automatically entered onto the real thing, or punched in manually (and with haste!) by the attacker. Sometimes they even ask victims to upload files designed to keep attackers from logging in.

However, on this occasion, they set EA customer support agents in their sights instead.

Going head to head with customer support

The statement reads as follows:

Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques. Utilizing threats and other “social engineering” methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts. 

Attacking victims via customer support isn’t a new technique, but it was used to spectacular effect here. It’s not clear from the statement exactly how this played out. However, phishers often steal logins via fake sites first, then go to customer support pretending to be the victim who is “locked out” or has forgotten their details. They use pieces of the already stolen data to convince customer support they’re the real deal, and then take info from customer support to complete the attack.

The other approach is to talk to customer support with no action taken beforehand, and “simply” social engineer their way into full account control. Tricky, but not impossible, and a lot of it comes down to staff training.

Damage done, and further steps

Here’s the next part of the statement:

At this time, we estimate that less than 50 accounts have been taken over using this method…our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account.

Whether pre-armed with pilfered data or not, the scam involved altering the registered mails associated with accounts. More training definitely seems to be key here, as they go on to say:

All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.

We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.

Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.

All good moves by EA.

A wide world of 2FA protection

A caveat: phishers bypassing you completely and leapfrogging customer support means your 2FA may not help in that situation. On the other hand, keeping accounts locked down with tools like 2FA may contribute to them having to dream up scams like this in the first place. Making them work harder, and going the extra mile, naturally puts up a bit of a fatigue barrier. Many will also simply move on and target less secure accounts.

I can’t think of many gaming platforms or title specific services involving passwords which don’t also offer 2FA. Playstation has it, Xbox has it, as does Steam and Epic. Many platforms and titles offer bonuses for enabling additional security measures.

All of these forms of protection differ, with varying degrees of security. Some are SMS based, which are better than nothing, but ripe for exploitation via SIM swap. Phishers will come up with inventive ways to bypass apps, especially where some crossover to the desktop exists.

The best combination, if available, is probably a password manager and a hardware security key. Some password managers, for example LastPass, will prefill login details for you, but only if you’re on the genuine website. If you’re sent to a bogus site, nothing will happen and you’ll know you’re in the wrong place.

Meanwhile, the physical security key deals with authentication – no text messages or apps required. There’s a few examples of successful attacks on physical sticks, but they’re pretty rare. Again: this won’t help if the attackers haul themselves over the finish line through customer support. That’s out of your hands. Even so, you’ve locked things down at your end and that can only possibly be a benefit to you and a hindrance to those that matter.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.