Hackers Explain How They Stole Wealth of Data From EA (vice.com)
The group of hackers that stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token, Motherboard reported Friday. From the report: The group stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data, and are advertising it for sale on various underground forums. EA previously confirmed the data impacted in the breach to Motherboard.
A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10, and using those to gain access to a Slack channel used by EA. In this case, the hackers were able to get into EA's Slack using the stolen cookie. "Once inside the chat we messaged a IT Support members we explain to them we lost our phone at a party last night," the representative said.
Shitty process (Score:5, Insightful)
Sounds like some IT team members will be looking for new jobs, not to mention whatever managers thought that Slack was an acceptable channel for such unverified requests.
Re: (Score:3)
Yup, that should be handled face to face. None of this remote work business. ;-)
Re: (Score:2)
Re:Shitty process (Score:4, Informative)
Re: (Score:3)
What makes you think the phone had access to company property? My phone has no access to any company property, but it can be used for 2FA. This sounds like the same thing, he claimed he couldn't do the 2FA because he didn't have the phone. The failure was that someone was social engineered into allowing access without the 2FA.
Re:Shitty process (Score:5, Insightful)
If a user called me and didn't have the 2FA device, and didn't have access to any recovery codes, they wouldn't be getting anything from me without a multi stage verification process, which would involve showing up on Video and having multiple people agree he works for us.
Re: (Score:2)
Who says managers thought Slack was an acceptable channel for such requests? Someone got a message and acted on it, what makes you think they had management approval to do that?
Re: (Score:2)
Shhh. Let them rant. It makes them feel better when they don't have to accept responsibility and can blame someone else. Like when programmers always say it's not their fault X happens in software. They were told to do that by management.
Tricking a SOON-TO-BE FORMER employee (Score:3)
FTFY.
Slack seems insecure… (Score:3, Insightful)
I really wish they quit calling "hackers" (Score:5, Insightful)
any Tom, Dick and Harry who breaks into computers they have no business using and breaks or steals shit. Those are thieves, blackmailers, extortionists, racketeers, vandals... but they sure ain't hackers: in most cases, there is little to no technical know-how involved: just a bit of luck, a dictionary of default passwords or basic social engineering.
Hacking used to be a noble technical activity. Now hacker has come to mean computer criminal. It's really deplorable.
Re: (Score:2)
Hacking used to be a noble technical activity. Now hacker has come to mean computer criminal. It's really deplorable.
Whaaa! They stole ma definition!
Re:I really wish they quit calling "hackers" (Score:5, Informative)
Give it up, man. Language evolves and the general accepted meaning of "hacker" today is someone who breaks into computer systems.
Believe me, I used to fight this definition too, back in the day. But it's a lost cause. It just makes you look pedantic when you make this statement these days.
Plenty of other words you can use, like "guru" for example.
Re:I really wish they quit calling "hackers" (Score:4, Informative)
any Tom, Dick and Harry who breaks into computers they have no business using and breaks or steals shit. Those are thieves, blackmailers, extortionists, racketeers, vandals... but they sure ain't hackers: in most cases, there is little to no technical know-how involved: just a bit of luck, a dictionary of default passwords or basic social engineering.
Little history lesson. We used to call them script kiddies. Not sure why we stopped because it was a decent label to segregate lucky morons from people who know what they're doing.
Hacking used to be a noble technical activity. Now hacker has come to mean computer criminal. It's really deplorable.
Settle down now. If it was really all that "deplorable", society wouldn't be shelling out high-paying jobs for Certified Ethical Hackers and inviting them into the boardroom.
Re:I really wish they quit calling "hackers" (Score:4)
We used to call them script kiddies. Not sure why we stopped because it was a decent label to segregate lucky morons from people who know what they're doing.
That phrase is absolutely still in use, and still refers to people (mostly younger, but not all) using, without any real technical understanding, off-the-shelf tools to locate and target systems with known vulnerabilities. It is not, however, an appropriate label for professional cybercriminals (even though many of them probably started as script kiddies). Crafting a scam like https://www.wired.com/story/bravomovies-fake-streaming-site-bazaloader/ [wired.com] for instance is a great deal more than script kiddie behavior (and you will notice that Wired uses "hacker" in the modern, bad-actor sense here).
Re: (Score:2)
"script kiddie" is a thing. It's not what these guys did. This attack was not, for instance, done by script kiddies. This was social engineering for access followed by possibly a bit of hacking to exfiltrate.
Re: (Score:2)
"script kiddie" is a thing. It's not what these guys did. This attack was not, for instance, done by script kiddies. This was social engineering for access followed by possibly a bit of hacking to exfiltrate.
I'm well aware of that. I was offering a simple clarification, ironically marked Informative. You assumed otherwise. Read my comment again.
Re: (Score:2)
This looks like a successful social engineering hack. What makes you think they were script kiddies as opposed to real hackers?
Re: (Score:2)
This looks like a successful social engineering hack. What makes you think they were script kiddies as opposed to real hackers?
What makes you think I made that mistake based on my feedback?
I was merely explaining a term to the parent that addressed the complaint regarding the overuse of "hackers" when talking about people using low-skill attacks.
You're not the only one who assumed, but still very odd I had to explain that here.
Re: (Score:2)
Even when Script Kiddy was the word du jour we never used it to refer to people who executed social engineering attacks. Don't pretend that this is just some stupid moron running some software. Social engineering takes a bit of skill, just not necessarily "hacking the gibson" kind of skill.
Re: (Score:2)
Even when Script Kiddy was the word du jour we never used it to refer to people who executed social engineering attacks. Don't pretend that this is just some stupid moron running some software. Social engineering takes a bit of skill, just not necessarily "hacking the gibson" kind of skill.
Don't pretend my simple offering of a definition, translates into me not knowing what this attack was. I was merely offering a clarification because "hacker" can be quite over-abused.
And even "hacking the gibson" required a hell of a lot more than scripts (dumpster diving, line taps, and even physical intrusion) C'mon man, even your example is bad. And you're correcting me?
Re: I really wish they quit calling "hackers" (Score:2)
Re: (Score:3)
cracker [wowroms-photos.com] / kracker was someone who hacked and removed copy protection. ...
i.e. This game cracked by
It is a shame it never got accepted. Now we have to specify the slightly more verbose "white hat" or "black hat" hackers.
Re: (Score:2)
And we used to call the social engineering part Phreakers, with the hacking part getting into the phone system.
Some explanation (Score:5, Informative)
The summary does not clearly explain the process, and neither does the article.
It explains that they bought some cookies online. HTTP is a stateless protocol, and HTTP cookies are the mechanism employed to maintain session information. Therefore, if you clone a cookie you can impersonate a different user. If I understand correctly, a list of the EA Slack servers has been accidentally posted online [vice.com], and they obtained the cookies of the Slack server corresponding to an EA developer. In this channel, they alleged that their phone was lost, so they could not get the 2FA code required to log in to the development servers at EA. Another EA member simply helped them log in, and it was all done.
So these hackers did not really hack anything, but used social engineering. The actual hack comes from the guy who originally obtained and sold the cookie. Apparently, there was a known attack on Slack using HTTP Request smuggling [hackerone.com] (HTTP Request smuggling is explained here [portswigger.net], for example), but it was corrected in 24h after the notification (kudos to the Slack team). Either the cookies were very old (unlikely), or some developer at EA suffered a similar attack recently.
Please correct any error in the previous explanation, since this is what I understood from the article.
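The cookie-cloning point in the comment above, seen from the defender's side: a session cookie is a bearer token accepted from any client, so a replay shows up in access logs as one session ID arriving from a second network and browser. This is an added example, not part of the original post; the log format, field names and all values are constructed.

```python
# Added example: flag a session ID that shows up from a second client context.
# The log format and every value below are constructed for illustration.
# "sid" stands in for a truncated hash of the cookie, never the raw token.
import ipaddress
from collections import defaultdict

SAMPLE_LOG = """\
2021-06-01T09:00:02Z sid=a1f3 user=dev1 ip=198.51.100.14 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/91"
2021-06-01T09:05:40Z sid=a1f3 user=dev1 ip=198.51.100.77 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/91"
2021-06-01T09:07:11Z sid=77bc user=ops2 ip=192.0.2.8 ua="Mozilla/5.0 (Macintosh) Safari/14"
2021-06-03T02:14:55Z sid=a1f3 user=dev1 ip=203.0.113.50 ua="Mozilla/5.0 (X11; Linux) Firefox/89"
2021-06-03T02:20:09Z sid=77bc user=ops2 ip=192.0.2.8 ua="Mozilla/5.0 (Macintosh) Safari/14"
"""

def parse_line(line):
    """Split one constructed log line into ts, sid, user, ip and ua."""
    ts, rest = line.split(" ", 1)
    head, ua = rest.split(' ua="', 1)
    fields = dict(kv.split("=", 1) for kv in head.split())
    return {"ts": ts, "ua": ua.rstrip('"'), **fields}

def fingerprint(event, prefix=24):
    """Client context: the /24 around the IP plus the exact User-Agent."""
    net = ipaddress.ip_network(f"{event['ip']}/{prefix}", strict=False)
    return (str(net), event["ua"])

def find_replayed_sessions(log_text):
    """Return events where an already-seen sid appears with a new fingerprint."""
    seen = defaultdict(set)  # sid -> fingerprints observed so far
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        fp = fingerprint(ev)
        # First sighting of a sid establishes its baseline; later mismatches alert.
        if seen[ev["sid"]] and fp not in seen[ev["sid"]]:
            alerts.append((ev["ts"], ev["sid"], ev["user"], ev["ip"]))
        seen[ev["sid"]].add(fp)
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print("session seen from new client context:", *alert)
```

An address change inside the same /24 (the second log line) is tolerated to keep noise down; a server can act on the same signal by forcing re-authentication instead of only alerting.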
Re: (Score:2)
EA should borrow an idea from the military. Compartmentalization.
Re: (Score:2)
Thank you for taking the time to write this up. You did a better job than the article.
Wish I had mod points!
Re: (Score:2)
Social engineering is a form of hacking (or a tool in the toolbox, if you want to pick nits). Getting access is the hack. It doesn't matter how you get access as long as you get access.
Re: (Score:1)
Walk through the front door...burglar.
Re: (Score:3)
In this channel, they alleged that their phone was lost, so they could not get the 2FA code required to log in to the development servers at EA. Another EA member simply helped them log in, and it was all done.
So these hackers did not really hack anything, but used social engineering.
That is often the easiest path to information. People are the weak link, and no matter how careful you are someone always wants to be helpful, and can be cowed if necessary into helping.
Years ago I did a research product for a group of scientists wanting to commercialize an idea. I called up the companies who were the potential competitors and asked a lot of questions to garner insights on where the new product might have an advantage and if they were working on something similar. I had to get past sales
Re: (Score:1)
Social engineering (Score:3)
Re: (Score:1)
Yes, now ask yourself why ONE person had access to so much?
Re: (Score:2)
Re: (Score:2)
Yes, now ask yourself why ONE person had access to so much?
From the sound of it they just helped them login, which is not unusual for TS. Even so, they should have had an alternative way to verify the person is who they say they are. For example, one place I worked at would only leave the password on the phone of record on your account; if you said that didn't work you either had to come in or have it sent to your boss or account approver who is listed on the account. "I can't access that" was not a valid reason to give it out directly; if you can call in you ca
Re: (Score:2)
Social engineering once again shows the biggest security risk is the human with access to the data. How many decades has it been since Mitnick was jailed for demonstrating this?
It's older than that. No need to get the boss to spy, just seduce the right secretary. Often cheaper and easier.
Re: (Score:2)
This is geeks here. Don't get their hopes up.
Re: (Score:2)
Social engineering once again shows the biggest security risk is the human with access to the data. How many decades has it been since Mitnick was jailed for demonstrating this?
You want to read about a real pro @ social engineering check out Frank Abagnale [slashdot.org]
Re: (Score:2)
Breaking news! (Score:5, Funny)
Re: (Score:2)
The hackers have agreed to return the stolen data if EA purchases a series of boxes, each having a chance to get more files back.
"We're not hackers! We're surprise mechanics! [youtube.com]"
Security education at EA is clearly lacking... (Score:3)
... I'm sure that will now be addressed ;)
The company I work for - very large, lots of Ecommerce - is super hot and strict on security education, including social engineering.
We have pretty much mandatory very in-depth security courses on a myriad of subjects and platforms - all counting toward employee improvement schemes and ultimately bonuses.
There's an active ongoing phishing test across the organisation and metrics are tracked for how many people are fooled by them, with follow up emails detailing the stats and explaining these tests. We have a reporting tool - if you spot a suspected phishing attack, click a button to report it. You'll be informed if it was part of a test.
We also do fairly frequent War Games scenarios.
Our network is heavily locked down, which can be a PITA, but everyone knows WHY this is being done.
Sounds like EA need to wake up and make these kinds of changes - yep, they aren't cheap, they aren't easy - but are a damn sight better than losing 780GB of data ;)
Re: (Score:3)
Given they ship the same sports titles every year, and would rather peddle gambling to children than produce a legitimate product, I'm thinking very little will change.
Re: (Score:2)
Yep, my former employer was like that. They require everyone to take online courses, take tests, etc. every year or so.
Re: (Score:2)
Very interesting, thanks.
Are your courses and tools developed in house, or can you recommend something? I work in a healthcare setting and this is the nightmare combination of Very sexy data and Very tech illiterate workforce. Pointing people to informative and useful courses would be really helpful.