InfoSec News & Investigations

Fake Elder Scrolls Online developers go phishing on PlayStation

A player of popular gaming title Elder Scrolls Online recently took to Reddit to warn users of a phish via Playstation messaging. This particular phishing attempt is notable for ramping up the pressure on recipients—a classic social engineering technique taken to the extreme.

A terms of service violation?

In MMORPG land, the scammers take a theoretically plausible deadline, crunch it into something incredibly short and ludicrous, and go fishing for the catch of the day. Behold the pressure-laden missive from one fake video game developer to a player:

scam text

Click to enlarge

The text of the phishing message reads as follows:

We have noticed some unusual activity involving this account. To be sure you are the rightful owner, we require you to respond to this alert with the following account information so that you may be verified,

– Email address

– Password

_ Date of birth on the account

In response to a violation of these Terms of Service, ZeniMax may issue you a warning, suspend or restrict certain features of the account. We may also immediately terminate any and all accounts that you have established. Temporarily or permanently ban the account, device, and/or machine from accessing, receiving, playing or using all or certain services.

Under the current circumstances, you have 15 minutes from opening this alert to respond with the required information. Failure to do so will result in an immediate account ban, permanently losing access to our servers on all platforms, along with all characters  associated with the account in question. Please be sure to double check your information and spelling before sending.

Yes, you read that correctly—a grand total of 15 whole minutes to panic email scammers back with your login details. But what exactly happened to warrant such an immediate need for verification? The vagueness of the fake message may actually work in the scammer’s favour here because MMORPG titles are often rife with cheating/botting/scamming, so developers are typically light on information when genuine infractions occur.

FOMO: oh no

FOMO, fear of missing out, is the lingering fear that not only have they never had it so good, but the “they” in question almost certainly isn’t you.

Marketers and sales teams exploit this ruthlessly, with sudden sales and the promise of things you can’t do without. Breaking hotel deals on websites can’t help but tell you how many people have the same deal open RIGHT NOW.

Video games, especially online titles and MMORPGs, take a similar approach, offering in-game purchases but rotating items slowly, leading to a form of digital scarcity that encourages transactions because gamers don’t know if the item will be seen again.

Inventory space, character slots, and many more crucial elements are at a premium, and people invest serious money to make the most out of their experience. With this in mind, people tend to be particular about keeping their account secure.

As a result, scammers are hugely effective at turning FOMO on its head, giving people a nasty dose of “fear of something about to happen or else.” Had a spot of bother with ransomware? No sweat, pay us in Bitcoin and you’ll get your documents back—as long as you do it within three days. Fake sextortion email claiming they’ve recorded you watching pornography? Yeah, that’ll be $1,000 in 48 hours or we’ll release the footage and tell all your friends and family.

“It wasn’t me, what did I do?”

You’ll often see people banned  from titles complaining on forums that all access has been revoked, with no explanation why besides a “You are banned, sorry” type message. Quite often they won’t even be able to follow up with support because the ban also locks them out of being able to raise a ticket. 

Scammers know they can skip some of the fake explanation shovel work as nobody ever receives a detailed explanation. This is to obscure the inner workings of fraud detection systems: If they spilled the beans, malicious individuals would adjust their behaviour accordingly. That’s a tricky situation for developers to tightrope walk across, but it is possible in the form of additional security measures. Does Elder Scrolls Online meet the challenge?

Sadly, the game doesn’t allow players to lock down accounts with a third-party authenticator. There’s no mobile app, and there are zero authentication sticks. What they do have is a few password suggestions and some information about their one-time password system.

It’s certainly good that the password system exists, and one would hope it would spring into life in this case, but players would probably appreciate a little more control over their security choices, as well as a few safety nets when things go wrong.

By comparison, the hugely popular Black Desert Online offers Google authenticator two-factor authentication (2FA). Blizzard has you covered with their own authenticator. Guild Wars offers both an authenticator app and SMS lockdowns.

Some simple rules to follow

Regardless of which game you play, remember:

  • Don’t reuse passwords
  • Make the password as strong as the system allows
  • Tie your account to a locked-down email address, ideally also secured with 2FA
  • Never, ever send login details to an email or text message asking for them until you’ve authenticated the message by hovering over the email address and links to see if they are legitimate, Googling to see if there are known scams or phishes associated with the company in question, and reading over the instructions carefully.
  • If you’re still in doubt whether an email is legitimate or not, err on the side of caution and go directly to your account’s website/login page. If there is a need to verify or change credentials, you can change them there.

Phishing is one of the oldest cyberattack methods on the book, yet it remains a favorite of scammers because, quite simply, it works. Don’t be fooled by FOMO, high-pressure deadlines, or too-good-to-be-true deals.

The post Fake Elder Scrolls Online developers go phishing on PlayStation appeared first on Malwarebytes Labs.

Original Source