Editorial: How FIFA 12 is at the heart of an Xbox Live money laundering scam, part one

On December 20, my Xbox Live account was hacked. The breach was sophisticated, more so than Microsoft wants to acknowledge, but at the heart of it is EA's popular sports franchise FIFA.

This breach isn't a new, hip hack that is sweeping the net; it has been happening for quite some time. My Xbox Live account housed over 3,000 MS Points and in one fell swoop, my balance was wiped clean.

Utilizing FIFA 12, players can purchase and trade digital cards with other Live members. Though this feature is also available in games like Madden NFL 12, the worldwide popularity of FIFA 12 has made it a breeding ground for criminal scum. Players get into Xbox Live accounts, purchase card packs, trade them to other accounts, and later sell the content for real money.

Xbox Live breaches are not new, but the FIFA 12 hack is putting everyone on Xbox Live at risk in a new way. These content packs have a monetary value attached to them, giving hackers a new reason to hunt for accounts. Hackers can jump into an account, run a balance, sell the content, and jump out. In some cases, they take an account over. This didn't happen to me because my account doesn't have a valid credit card associated with it.

When I first discovered an issue with my account, I took it to Twitter. It was Shacknews editorial director Garnett Lee who first tipped me to the FIFA 12 hack. "Check your Xbox Live account, see if FIFA is in your recent played games." Not only does FIFA 12 appear on my list--a game I have never played--I have two achievements in the game. Both achievements are associated with FIFA's 'Ultimate Team' feature, which the digital card packs are linked to.

I got hacked on Xbox Live and all I got were some achievement points and a headache.

"In looking at your account I can see that the attacker came in already knowing the password," Xbox Live Director of Policy and Enforcement Stephen Toulouse told me. According to Toulouse, in an interview with Giant Bomb's Patrick Klepek, there are three core ways an attacker can learn your password: phishing scams, social engineering, and using the same password for multiple accounts.

In my case, Toulouse says phishing was most likely the culprit. "Phishing comes in a lot of different flavors. Some people think ‘Well, gosh, I didn’t type my password into a website,’ but if you’ve visited a website that had a banner ad, for instance, that exploited an exploit on your machine, there could be malware on the system, and that could result in your password being captured," he told Giant Bomb.

The other, more traditional phishing scam comes from people posing as someone else or creating fake landing pages to catch your account information. Since the email account is not one I use on a regular basis, and because I'm very familiar with the practice of email scams, this seems like the least likely of the three. Upon his recommendation, I checked all of my computers for malware that could capture my email and all three systems were clean.

Though I use a similar style of password for multiple accounts, I do not use the same password for more than one account. Again, however, this email is not an address I have linked to other accounts, so this seems unlikely.

Social engineering in this sense, for those of you unfamiliar with hacker Kevin Mitnick, is the practice of convincing others to share information with you that should not be shared: an email address associated with an account or a password, for example. To me, this seems the more likely of the three, but there's no way for me to know for sure.

"To be clear I'm not saying anything was your fault here, I'm saying someone already had your password. And while we're constantly thinking about security and working to evolve it, we've seen no indication in these types of attacks that any information breach has occurred on Xbox Live," Toulouse told me.

[Update] EA representatives have responded prior to this article being published. The company says it is working on the situation. A detailed response from both EA and Microsoft will be published tomorrow.

An email I received, thanking me for playing FIFA 12... insult to injury!

A number of friends at Microsoft told me they were willing to fix the issue for me in no time. Some readers contacted me, letting me know that they had been waiting 25+ days to have their Xbox Live profiles reactivated after reporting similar issues. I asked Microsoft not to give my account preferential treatment; there's no reason why my account should be investigated faster than others.

"In regards to the time it takes to recover I see that you already recovered your account and are in control. That's not uncommon. Therefore it's a matter of refunding the points purchases. In many cases that just takes a couple days or so," Toulouse told me.

Where account recoveries take more time, he says, is when an attacker changes account details like the password, region, changes personal information, buys associated licenses in different regions, disrupts friends lists, and more. "Add to that the fact that on a constant basis the attackers are calling into us, pretending to be compromised so they can see how our processes work. That's not to say we shouldn't work harder to get people up and running in a shorter time, it's just a lot more complex than people realize."

So, if FIFA 12 is at the heart of this particular attack, why does Microsoft allow features like this to exist? "We do work closely with the anti-fraud teams of publishers who enable content like FIFA in their games. It's a constantly evolving threat landscape."

In this regard, this attack is extremely sophisticated. Attackers have found a wedge between two corporate entities, where Microsoft avoids placing blame on EA's game feature, while EA can simply say it's Microsoft's system that is seeing issues. Additionally, the same problems do not appear to be occurring on PlayStation 3, where FIFA 12 is also available. The attackers are using FIFA 12 and Xbox Live to launder money.

"In regards to license transactions I'm sure you can understand I cannot discuss that, but suffice to say both sides work together to help ensure the attackers do not profit," Toulouse said.

Some of the charges linked to my account during this scam, bleeding my MS Points dry.

According to Toulouse, there is more that attackers can do in order to slow the process; however, sharing details with the press can benefit the attackers themselves. "As much as you, and even I, would like for us to be more detailed, everything I might say that provides clarity into what takes longer would get used to harm customers. If I say recovering an account takes longer because of x, y, and z, then xyz becomes exactly what every attacker does. As much as I have already said in regards to what makes it take longer, there is much I have not said."

This is only the core problem. Tomorrow we detail the problem solvers, namely EA and Microsoft attempting to fix this issue.

Xav de Matos was previously a games journalist creating content at Shacknews.

From The Chatty
  • reply
    December 28, 2011 8:00 PM

    Xav de Matos posted a new article, Editorial: How FIFA 12 is at the heart of an Xbox Live money laundering scam.


    • reply
      December 28, 2011 8:05 PM

      They're so full of fucking shit. Reading what Stephen Toulouse (who in all respects sounds like a nice guy) spouts in typical PR crap makes me really fucking pissed off. They, through veiled PR speak, essentially blame the victim. They say it's not affecting that many people, but they said that about the whole Red Ring Hardware fiasco.

      • zig
        December 28, 2011 8:20 PM

        I still fail to see how it is not the victim's fault. Yeah, Microsoft could and should have additional account security options to make it more difficult for scammers to use an account that does not belong to them, but ultimately the user has to take some responsibility for allowing their information to be compromised. It's not like they're hacking into a Microsoft database and stealing user info; users are being individually targeted by scammers.

        • reply
          December 28, 2011 8:22 PM

          The veiled language I'm pointing at is the fact that they skirt the fact that their customer service is awful. Should customers be more responsible? Yes. But the implication is always kind of just "Hey man, they probably got phished so they're noobs anyways." *IT PROFESSIONAL VOICE*

          But if you've read much about these issues it doesn't take 25 days to recover an account. I'm seeing lots of people over 70 or 80 days to get an account back. That isn't acceptable. The fact is your Gamertag is tied up with too much that when you're locked out it really makes using your xbox nigh impossible. YEAH I SAID NIGH!

          • reply
            December 28, 2011 8:25 PM

            P.S. It took me 108 days to get my account back. And that was after about 75 days of jack shit. Only after I complained to the BBB did shit get done.

          • reply
            December 28, 2011 8:31 PM

            One of the first rules of PR is "never publicly admit defeat". Sony followed this rule to its very end, after their bluff was called, where it was revealed that they botched an encryption algorithm by not changing the value of a number that said "make this a changing random number" in the encryption algorithm spec. It took a long time, but they finally released a firmware version that fixed that.

            Much like Toulouse isn't going to disclose what steps make it harder to recover accounts, he's also not going to reveal weaknesses in the XBox Live support process. This is why the users need to tell their stories, and tell them in an honest fashion, even if Microsoft wants to squelch them, or if news outlets want to do the squelching for Microsoft.

            These are first-generation online console network platforms that are being stretched to their limits. EA aggressively monetized XBox Live, and it's proving to be a lucrative target for thieves to go steal accounts, drain the MS points balance, and cash out.

            • reply
              December 28, 2011 8:35 PM

              I know the game they and what Toulouse says makes sense. He works for the goddamn company. But that doesn't make me less angry. And their lying is getting more transparent. OH HEY WEIRD XAV GOT HIS ACCOUNT HACKED AND YEAH IT'S FIXED IN A DAY. WEIRD! IT JUST HAPPENS SOMETIMES! LOL.


              • reply
                December 28, 2011 8:57 PM

                My situation was vastly different from yours.

                My account never left my control. Yours was moved to a new region.

                I'll detail this more in tomorrow's piece continuing this conversation.

        • reply
          December 29, 2011 3:55 AM

          No, you are wrong here. The thing is that with Live, if you attach your debit/credit card to your account (which is not only common but almost mandatory, as they made you run through barbed wire and feces to remove it once you used it on Live), there was absolutely no additional security when using it on Live, none.
          Not even a small PIN code (as in, let's say, the App Store). If anyone could have access to your account for any reason, no matter the strength of the password, they would also have access to your credit card without any hindrance whatsoever.

          This is where they have it wrong. Nowhere else is it accepted that the store (or whatever) keeps your credit card details and never ever lets you verify when you use it, nowhere. It's just bafflingly stupid and mind-bogglingly idiotic.

          Add to this the system of 'recovering' your profile to any other Xbox and the possibility of *one-way* migration to another country without verification. Hello?

          You can perhaps fault people for having a less secure password for an online gaming service; yes, they should know better, but the magnitude of the damage is completely up to Microsoft. There is absolutely no way that the amount of suffering you have to go through is correlated to the only fault the user *maybe* has committed, which is to use the same password on another site and/or a too-simple password.

          Once you are a customer of a company you have a two-way trust. In this specific issue I think Microsoft is completely dropping the ball and letting the user take *all* of the downfall.

      • reply
        December 29, 2011 6:24 AM

        Maybe you mistake being professional and responsible as PR speak. There are real and valid reasons why they are deliberately vague in some of their responses. Some of them were pointed out in the article.

    • reply
      December 28, 2011 8:18 PM

      I would not be surprised if, in a few weeks, Microsoft had to disclose that they were hacked. Lots of companies got hacked this year; even Valve got hacked, as well as Sony and a bunch of other companies:

      Trion Worlds (Rift): http://www.shacknews.com/article/71706/rift-hacked-user-information-stolen
      Square Enix: http://www.shacknews.com/article/71561/square-enix-members-hacked-personal-information-potentially-compromised
      Bethesda: http://www.shacknews.com/article/68887/bethesda-servers-hacked-accounts-may
      BioWare: http://www.shacknews.com/article/69044/bioware-hacked-ea-information-compromised
      EA (Battlefield Heroes): http://www.shacknews.com/article/69065/battlefield-heroes-hacked-lulzsec-disbands
      Sega (Sega Pass): http://www.shacknews.com/article/68953/sega-pass-hacked-users-warned

      Seriously, if the account wasn't compromised by social engineering, phishing, malware, or password sharing with weaker services, hacking still remains a possibility. It hasn't been announced that it happened yet, but Valve's Steam database got hacked through their forum database server.

      • reply
        December 28, 2011 9:07 PM

        There is no question Microsoft was hacked. My password for Windows Live was crazy complicated, and it wasn't used on any other website, yet it was hacked. I know it wasn't social engineering either.

      • reply
        December 29, 2011 5:19 AM

        Even Valve? Seems like they're always getting hacked.



    • reply
      December 28, 2011 8:22 PM

      Yeah, apparently my account has been hacked as well - I'm not sure if it's related to the Stratfor thing or not since it apparently started on the 21st, whereas the Stratfor info wasn't posted until the 24th.

      • reply
        December 28, 2011 8:23 PM

        And yep, they did the FIFA 12 thing. The best part is I've changed my account password and did the 'Profile Protection' thing that supposedly requires the profile to be redownloaded and the password reentered before you can log on again, but neither of those things have happened.

        It's a bunch of hairy bullshit.

    • reply
      December 28, 2011 8:29 PM

      Glad you have your account back though.

    • reply
      December 28, 2011 8:39 PM

      Thank you for not taking special treatment friend. That's fucking horse shit and in my eyes a hush hush tactic. You get special treatment so you don't hit the 50+ day mark that so many others have made it to. I'm 1 week down since I opened the ticket and I'm in control of my account. I've seen people up to 60 days now in control of their account but the investigation is still on-going just for a refund. So I guess I'll just wait and see how long this takes. But it's pathetic that they offer a quick process to you video game article writers...wonder why /sarcasm

    • reply
      December 28, 2011 8:50 PM

      That reminds me I need to call Xbox and get them to remove my card from my account. I'm on a 12 month time card yet they won't let me remove my debit online because of "auto-renewal" which I have switched off. You can join xbox live but you can never leave.

    • reply
      December 28, 2011 8:52 PM

      An earlier version of this article was published accidentally. EA has responded prior to this article going live and is looking into the situation. A detailed conversation with EA and Microsoft will be published tomorrow regarding the investigation into FIFA 12 and potential security issues on Xbox Live.

      • reply
        December 28, 2011 8:53 PM

        Was wondering why the thread was nuked.

        • reply
          December 28, 2011 8:56 PM

          It was a publishing error on my part.

          • reply
            December 28, 2011 9:03 PM

            They got to you too, didn't they!?!?!?

            • reply
              December 28, 2011 9:06 PM

              He got squelched

              • reply
                December 28, 2011 9:07 PM

                I'm expecting a video to emerge tomorrow where Xav looks straight at the camera and says, "They are treating me well. They wish for all gamers to have a good time. It is the bad guys fault. I love you all."

      • reply
        December 29, 2011 1:33 AM

        soo.. this is another ea cockup like ea's dlc functionality with steam versions of their games? I believe a few shackers still can't play some fairly recent dlc for some game (crysis 2 wasn't it?).

        • reply
          December 29, 2011 1:38 AM

          annnd, this is what I get for not reading the article first. Shame on me and I'll blame it being so early in the morning.

    • reply
      December 29, 2011 1:48 AM

      So how exactly was the theft of your XBL account sophisticated, let alone "more sophisticated than Microsoft wants to acknowledge?" According to the article all you know is that someone, somewhere, somehow knew your password. Scandalous! Is the implication that they were hacked?

      • reply
        December 29, 2011 4:28 AM

        If the reports of people with ridiculously complex passwords only used for one purpose getting hacked are true, then that's a real possibility.

        I had a complex one-time password (generated by and stored in KeePass) for my Windows Live account, yet my email was hacked. You shouldn't be able to brute force a web service, so what is going on?

        Also there needs to be two-factor authentication.

        • reply
          December 29, 2011 7:19 AM

          I've read that someone has figured out how to modify a 360 to authenticate with Microsoft or EA servers without a password. If true, the servers are relying on the 360 unit itself to say the user is valid for relogins.

      • reply
        December 29, 2011 5:23 AM

        The situation is what I'm saying is sophisticated. Specifically, the use of a game to launder money out of the system using a tradable piece of content... something Microsoft has never had to deal with before.

        Thanks for commenting!

        • reply
          December 29, 2011 5:57 AM

          I'm concerned about whether EA will acknowledge the situation with the FIFA Ultimate Team trading card feature. EA has been making a push to become a more online-centric publisher, and their means to that end have been a bit abrasive to consumers (Online Pass, mandatory EA.com logins, heavy DLC promotions), but the biggest problem with FIFA Ultimate Team is that it effectively monetized the theft of Live accounts with an MS Points balance, which is something you don't want to ever do.

          Let's see what they say in their statement today.

    • reply
      December 29, 2011 5:34 AM

      This article is the closest thing to real gaming journalism that I can remember reading in a while. I think I just peed a little.

      You rock, Xav.

    • reply
      December 29, 2011 7:00 AM

      Please post this article. I hope it's something other than social engineering; some people need to eat their own words saying those of us who were compromised just gave our information away.

    • reply
      December 29, 2011 8:40 AM

      I had some issues in NHL 12 with 3 packs not opening but my credits being used.... so with this whole debacle happening EA won't do anything about MY issue yet since they have bigger problems to worry about... Thanks EA.... way to take care of your global community...

    • reply
      December 30, 2011 9:54 AM

      They say that if you recover the account yourself so it's "only a refund claim" it only takes a few days, which is bullshit. I reclaimed my account within hours of it happening and called support, it still took almost two months to get refunded (as in, getting the confirmation they were going to refund me, another week or two before the funds were back in my account).

    • reply
      January 1, 2012 9:40 PM

      Sorry, "StepTo" is full of shit.

      My account never left my control, and it took 30 days to get it back. The retards on the phone made it clear there had to be an investigation because the hackers spent money and bought points. Instead of investigating while I could use my account, they gave me a 30 day gold card and told me to make a new account to use in the interim. Yeah, thanks a bunch for that assholes, that works really well with the system you've set up for saved games and DLC.
