Anti-malware vendor Malwarebytes today details that a new Twitter account has been hijacking fans' conversations on EA Sports' official feed and attempting to direct them to phishing pages, in an effort to harvest email addresses, passwords and answers to certain security questions.
The fake channel goes by the name of ‘EASPORTSF1IFA’; it looks like the legitimate EA Sports World Cup account (@EASportsFIFA) and directs users to two compromised web pages (ea-sports-web-app.weebly.com and ea-ultimateteam.weebly.com) by posting Bitly links. Malwarebytes says that these links have been clicked on almost 500 times.
The tactic of intercepting messages is not especially new, with fellow Malwarebytes analyst Chris Boyd documenting back in April that the fake @EAFIFAHELPUK did much the same.
However, the firm is keen to stress that this type of attack leaves tell-tale errors if you look hard enough: the number in the Twitter handle is suspicious, and there is a spelling mistake in the bio. Both, it says, are signs that users should concentrate on the handle and the bio text rather than on the appearance of Twitter avatars.
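As an added illustration of the two signs Malwarebytes points to (a digit smuggled into the handle and near-miss spelling), here is a small Python pre-filter that is not part of the article and not Malwarebytes or EA tooling. It assumes @EASportsFIFA is the only official handle, uses a constructed table of look-alike characters and a similarity threshold picked by eye, and generalizes the two signs into a ranking of candidate handles against the official one; the verified badge remains the authoritative check, this only decides which handles deserve a closer look.

```python
"""Heuristic look-alike check for brand Twitter handles (added example)."""
from difflib import SequenceMatcher

# Assumption: the only official handle the article names.
OFFICIAL_HANDLES = {"EASportsFIFA"}

# Assumption: brand words whose presence in an unverified handle is itself a signal.
BRAND_TOKENS = ("easports", "fifa")

# Assumption: a small, illustrative table of characters swapped in for letters;
# a production tool would use a fuller confusables list.
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e",
                             "5": "s", "4": "a", "7": "t", "_": ""})

SIMILARITY_THRESHOLD = 0.85  # assumption: tuned by eye on the handles below


def normalize(handle: str) -> str:
    """Lower-case, drop '@', fold confusable characters, collapse doubled letters.

    'EASPORTSF1IFA' -> 'easportsfifa' and 'EASPORTSFIFFAA' -> 'easportsfifa',
    so both near-misses land on the same string as the official handle.
    """
    folded = handle.lstrip("@").lower().translate(CONFUSABLES)
    collapsed = []
    for ch in folded:
        if not collapsed or collapsed[-1] != ch:
            collapsed.append(ch)
    return "".join(collapsed)


def assess_handle(handle: str, official=OFFICIAL_HANDLES,
                  brand_tokens=BRAND_TOKENS) -> dict:
    """Return a verdict for one handle plus the individual signals behind it.

    Verdicts: 'official' (exact match), 'lookalike' (normalizes to or closely
    resembles an official handle), 'suspicious' (digits or brand words but no
    close resemblance), 'unrelated' (nothing of note).
    """
    bare = handle.lstrip("@")
    lowered = bare.lower()
    if lowered in {o.lower() for o in official}:
        return {"handle": handle, "verdict": "official", "signals": []}

    signals = []
    # A digit is only a signal, not a verdict: some real handles contain digits.
    if any(c.isdigit() for c in bare):
        signals.append("digit in handle")
    if any(tok in lowered for tok in brand_tokens):
        signals.append("reuses brand name")

    norm = normalize(bare)
    best = 0.0
    for o in official:
        target = normalize(o)
        if norm == target:
            signals.append(f"normalizes to {o}")
            best = 1.0
            break
        best = max(best, SequenceMatcher(None, norm, target).ratio())

    if best >= SIMILARITY_THRESHOLD:
        if best < 1.0:
            signals.append(f"{best:.2f} similar to an official handle")
        verdict = "lookalike"
    elif signals:
        verdict = "suspicious"
    else:
        verdict = "unrelated"
    return {"handle": handle, "verdict": verdict, "signals": signals}


def rank_handles(handles) -> list:
    """Order handles so the most suspicious come first (lookalikes, then suspicious)."""
    order = {"lookalike": 0, "suspicious": 1, "unrelated": 2, "official": 3}
    results = [assess_handle(h) for h in handles]
    return sorted(results, key=lambda r: (order[r["verdict"]], r["handle"]))


if __name__ == "__main__":
    # Constructed sample: the handles the article mentions plus one unrelated one.
    sample = ["@EASportsFIFA", "@EASPORTSF1IFA", "@EASPORTSFIFFAA",
              "@EAFIFAHELPUK", "@SCMagazineUK"]
    for r in rank_handles(sample):
        print(f"{r['handle']:<18} {r['verdict']:<11} {', '.join(r['signals'])}")
```

Run it as a script to see the ranking; in practice you would feed it the handles replying to a brand's thread and then look only at the top of the list, confirming each against the verified badge rather than trusting the heuristic alone.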
The account has since been suspended.
Jovi Umawing, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that phishers are increasingly using social media to compromise gamers who regularly interact with the top games publishers.
“This is an emerging and novel way of phishing for gaming account credentials in ‘real-time’ using social media,” she said via email.
“Scammers are after Origin accounts because they can sell these on in the underground market. The price these fetch depends on the number and type of EA games tied into them, as well as the credentials of the individual on sale. Typically though, the more games which are tied to such accounts, the more money they make.
“Anyone looking to converse with a brand on Twitter should make sure that the account they are interacting with is an officially verified feed, with the little blue ‘tick’ in the corner. There are also numerous signs of illegitimacy, like the ‘1’ on the Twitter profile name in this case, as well as bad spelling or grammar.”
Rik Ferguson, VP of security research at Trend Micro, said that these kinds of attacks are “nothing new”, having seen similar instances at the World Cup in South Africa four years ago, but agreed that attackers see social media as a new attack vector.
“What is changing is the methods which attackers use…the trend is to follow consumer behaviour,” he said to SC, adding that phishing attacks are migrating from email and web pages to social and mobile apps.
He said that trust on social platforms gives attackers ‘extra leverage’ and believed, like Umawing, that Origin log-in details would fetch significant money on the black market, as Xbox, Steam and PlayStation credentials have done previously.
“Every and any account with a significant audience is up for grabs,” he said.
Ferguson urges users to be careful about which shortened links they click, to visit official websites where possible and to employ the relevant security solutions to check for odd PC behaviour and network activity.
“I think the big thing with social is that it really benefits the attacker… it's trusted,” he said, noting the possibility of a follow-on attack should the attacker go on to communicate with other Origin account holders.
This isn't the only World Cup-related scam doing the rounds on the Internet in recent days. SCMagazineUK.com notes that the @EASPORTSFIFFAA Twitter account also appears to be directing users to log in to a potentially bogus web page via Bitly links, and the page carries the same logo as the official EA Sports account.
Meanwhile, Trend Micro issued its own alert on FIFA World Cup scams just yesterday, after discovering several fake websites offering to sell game tickets.
One website was offering would-be fans a ticket to the final at 8,630.20 reais (approximately £2,300), some 4,000 percent higher than FIFA's official prices, and one user of the website complained that he hadn't received the three tickets he had purchased for the Portugal vs. Germany match.
The victim also claims that this scam site left no phone number to be contacted. Another complaint, on the same site, says the only way for the scammers to be contacted is via chat or email.