Even the hackers are targeted by phishers
On 31st October 2014 we noticed a Tweet from one of the groups we are tracking which claimed that the popular football game FIFA was “offline”. Given the unspecific nature of the Tweet and the lack of any evidence suggesting that the online services of the game had been affected by any kind of cyber attack, we assessed that it was likely a false claim.
However, the claim itself was not nearly as interesting as the replies it received. Two accounts, both purporting to be official EA Sports FIFA accounts, had responded – one advised the original author to “contact a game advisor” and the other offered free in-game items, presumably to apologise for the supposed downtime. Neither of these replies came from EA Sports, and both contained a URL which linked to a false login page designed to dupe players into giving away their credentials for the game.
The second link looked far more similar to the genuine Origin login page than the first, and upon investigation of the account – which used the misleading handle @EASPORTSFIFA15U (shown below) – it became clear that whoever was behind it was attempting to pass the account off as the official EA Sports FIFA account (@EASPORTSFIFA, upper image).
We even saw the false account retweeting messages others had sent to the genuine account in an attempt to add further credibility to its claims.
Both of the groups attempting to harvest credentials had one thing in common. They would send the same reply to multiple users experiencing problems with, or complaining about, FIFA 15 on Twitter. While it is difficult to know precisely, the rate at which this was being done suggests that the perpetrators had set up a Twitter bot to watch for Tweets containing key words such as “offline”, “fix”, or “servers”, and reply to them, as they would likely be from disgruntled players. Those who fell for the scam would likely have any in-game items stolen and could even lose access to their accounts. Like all phishing scams, users with poor password hygiene – that is to say, those who used the same passwords over and over again for different services – would risk having multiple accounts compromised.
It is likely that few reading this blog are likely to be affected by a phishing scam targeting FIFA players, but the point of this is not really to highlight this particular scam. It is important to focus more on the technique being used, as it was something we had not seen before. Using a Twitter bot and monitoring the site for disgruntled comments targeted at an organisation is a novel way of carrying out spear-phishing en masse. While at the moment this is happening for FIFA, it is wholly possible that similar systems could be set up to impersonate customer services departments for banks and other organisations.
There are two key points that can be taken from this incident. Firstly, it is yet another reminder to be diligent when entering credentials online. In this instance however, neither website made much of an effort to masquerade as the official Origin login, so hopefully this phishing campaign will enjoy little success. The FIFA phishing campaign also highlights the importance for organisations to have an established and verifiable social media presence, and to reply to disgruntled customers in a timely fashion.