Editorial: How FIFA 12 is at the heart of an Xbox Live money laundering scam, part one
by Xav de Matos, shacknews.com, Dec 28, 2011 8:00PM PST
On December 20, my Xbox Live account was hacked. The breach was sophisticated, more so than Microsoft wants to acknowledge, but at the heart of it is EA's popular sports franchise FIFA.
This breach isn't a new, hip hack that is sweeping the net, it has been happening for quite some time. My Xbox Live account housed over 3,000 MS Points and in one fell swoop, my balance was wiped clean.
Utilizing FIFA 12, players can purchase and trade digital cards with other Live members. Though this feature is also available in games like Madden NFL 12, the worldwide popularity of FIFA 12 has made it a breeding ground for criminal scum. Players get into Xbox Live accounts, purchase card packs, trade them to other accounts, and later sell the content for real money. Xbox Live breaches are not new, but the FIFA 12 hack is putting everyone on Xbox Live at risk in a new way.
These content packs have a monetary value attached to them, giving hackers a new reason to hunt for accounts. Hackers can jump into an account, run a balance, sell the content, and jump out. In some cases, they take an account over. Why this didn't happen to me is because my account doesn't have a valid credit card associated with it.
When I first discovered an issue with my account, I took it to Twitter. It was Shacknews editorial director Garnett Lee who first tipped me to the FIFA 12 hack. "Check your Xbox Live account, see if FIFA is in your recent played games." Not only does FIFA 12 appear on my list--a game I have never played--I have two achievements in the game. Both achievements are associated with FIFA's 'Ultimate Team' feature, which the digital card packs are linked to.
"In looking at your account I can see that the attacker came in already knowing the password," Xbox Live Director of Policy and Enforcement Stephen Toulouse told me.
According to Toulouse, in an interview with Giant Bomb's Patrick Klepek, there are three core ways an attacker can learn your password: phishing scams, social engineering, and using the same password for multiple accounts.
In my case, Toulouse says phishing was most likely the culprit. "Phishing comes in a lot of different flavors. Some people think ‘Well, gosh, I didn’t type my password into a website,’ but if you’ve visited a website that had a banner ad, for instance, that exploited an exploit on your machine, there could be malware on the system, and that could result in your password being captured," he told Giant Bomb. The other, more traditional phishing scam comes from people posing as someone else or creating fake landing pages to catch your account information. Since the email account is not one I use on a regular basis and, because I'm very familiar with the practice of email scams, this seems like the least likely of the three. Upon his recommendation, I checked all of my computers for malware that could capture my email and all three systems were clean.
Though I use a similar style of password for multiple accounts, I do not use the same password for more than one account. Again, however, this email is not an address I have linked to other accounts, so this seems unlikely.
Social engineering in this sense, for those of you unfamiliar with hacker Kevin Mitnick, is the practice of convincing others to share information with you that should not be shared. An email address associated with an account or a password, for example. To me, this seems the more likely of the three, but there's no way for me to know for sure.
"To be clear I'm not saying anything was your fault here, I'm saying someone already had your password. And while we're constantly thinking about security and working to evolve it, we've seen no indication in these types of attacks that any information breach has occurred on Xbox Live," Toulouse told me.
[Update] EA representatives have responded prior to this article being published. The company says it is working on the situation. A detailed response from both EA and Microsoft will be published tomorrow.
A number of friends at Microsoft told me they were willing to fix the issue for me in no time. Some readers contacted me, letting me know that they had been waiting 25+ days to have their Xbox Live profiles reactivated after reporting similar issues. I asked Microsoft not to give my account preferential treatment, there's no reason why my account should be investigated faster than others.
"In regards to the time it takes to recover I see that you already recovered your account and are in control. That's not uncommon. Therefore it's a matter of refunding the points purchases. In many cases that just takes a couple days or so." Toulouse told me. Where account recoveries take more time, he says, is when an attacker changes account details like the password, region, changes personal information, buys associated licenses in different regions, disrupts friends lists, and more.
"Add to that the fact that on a constant basis the attackers are calling into us, pretending to be compromised so they can see how our processes work. That's not to say we shouldn't work harder to get people up and running in a shorter time, it's just a lot more complex than people realize."
So, if FIFA 12 is at the heart of this particular attack, why does Microsoft allow features like this to exist? "We do work closely with the anti-fraud teams of publishers who enable content like FIFA in their games. It's a constantly evolving threat landscape."
In this regard, this attack is extremely sophisticated. Attackers have found a wedge between two corporate entities, where Microsoft avoids placing blame on EA's game feature, while EA can simply say it's Microsoft's system that is seeing issues. Additionally, the same problems do not appear to be occurring on PlayStation 3, where FIFA 12 is also available. The attackers are using FIFA 12 and Xbox Live to launder money.
"In regards to license transactions I'm sure you can understand I cannot discuss that, but suffice to say both sides work together to help ensure the attackers do not profit," Toulouse said.
According to Toulouse, there is more that attackers can do in order to slow the process; however, sharing details to the press can benefit the attackers, themselves. "As much as you, and even I, would like for us to be more detailed, everything I might say that provides clarity into what takes longer would get used to harm customers. If i say recovering an account takes longer because of x, y, and z, then xyz becomes exactly what every attacker does. As much as I have already said in regards to what makes it take longer, there is much I have not said."
This, is only the core problem. Tomorrow we detail the problem solvers, namely EA and Microsoft attempting to fix this issue.