
I recently received emails from my Origin account that my email address and security question had been changed (seems to have been someone in Russia since the new security question was in Russian). This was not my doing so I knew immediately that this was due to my account being compromised. Outside of account recovery, the only question I had left was how this happened and what to do next.

The steps I've taken thus far are as follows:

  1. Contacted Origin support to recover my account. I did this approximately 1 hour after I was notified that changes had taken place on the account. 2-factor authentication and a new security question were applied to the account. No charges were confirmed to have taken place.
  2. From the machine in question, I changed passwords for other necessary online accounts. The majority of these accounts also use 2-factor authentication.
  3. Malwarebytes scans were performed and no exploits were found.
  4. From the computer in question, necessary files from my Documents folder and Downloads folder were backed up to a NAS.
  5. From the computer in question, necessary drivers were placed on a usb drive.
  6. Windows 10 was re-installed on the same disk after a format was performed using the install media from Microsoft.

My concerns are the following:

  • Is it likely that whatever exploit was used to compromise my Origin account migrated silently to my NAS?
  • Could this exploit have migrated silently to my USB drive?
  • Could my password changes have been all for naught since they were done from the machine in question?
  • Are there any further steps I should take, or any retracing of steps necessary, due to the steps I've taken already?

Edit: clarified #2 in that I was the one to change those passwords and not an attacker

UPDATE: I received a curious text message today. Here is a picture of it: strange text message

It seems 2-factor authentication has stopped whoever got their hands on my account. I would wager any service should consider 2-factor implementations at this point.

Mike
  • The attacker may have attacked the site directly without compromising your machine also. (just a side note) – Tensibai Jul 21 '17 at 15:43
  • @Tensibai I had considered this a possibility but figured measures to mitigate local compromises should still be followed. I suppose it could have also been an attack via WiFi as well. – Mike Jul 21 '17 at 15:45
  • Without knowing *how* the account was compromised, I'm not sure that making recommendations about how to secure your machine makes sense. – schroeder Jul 21 '17 at 16:27
  • It might be helpful to look at the event log on your computer to see if you see anything unusual that you can trace to the attack, but if you already re-installed, you probably don't have that data to look at. – Jonathan Jul 21 '17 at 17:05
  • @Jonathan Good to note for the future. Is there perhaps a resource I can reference to gain some knowledge on what to look for and perhaps where to look for it? – Mike Jul 21 '17 at 17:27
  • I would suggest (if it is a Windows computer) clicking on the Windows icon in the bottom left corner and typing in "event viewer". Have a look and see if you see anything in the dashboard that looks suspicious (e.g. failed security audits), and check around the time (and somewhat before) that the issue was noticed. If you already re-installed the computer, it won't help though. – Jonathan Jul 21 '17 at 17:30
  • In my opinion, you have already taken prudent measures. I would make sure you use an antivirus scanner, which you did, and keep your system software up to date (e.g. set it to auto update, and don't ignore updates). – Jonathan Jul 21 '17 at 17:33
  • @Jonathan Thanks for the information. I'll be sure to check with the new installation periodically to see if I notice anything. – Mike Jul 21 '17 at 17:34
  • Did you use the same password for Origin as you did anywhere else on the internet? It might be that a site you used in the past with the same password got hacked and had its username+password list leaked, and an attacker was trying out usernames and passwords from that list on Origin and found yours worked. Make sure to use different passwords for different places to prevent this kind of thing, and change your password anywhere that you used the same one as on Origin. – Macil Jul 22 '17 at 00:34
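The comment thread above suggests reviewing the Windows event log around the time the compromise was noticed, and points out that a re-install destroys that evidence. The following is an added example, not code from the question, any commenter, or the answer, showing how a defender would preserve the Security log first and then pull the logon and account-management events worth reading. It assumes an elevated PowerShell session on the affected Windows 10 machine with the default client audit policy (logon success/failure and user-account management are audited by default); the timestamp, the export path and the function names are placeholders chosen for this example.

```powershell
# Added example; not code from the question, its commenters, or the answer.
# Purpose: preserve the Security log before a re-install and list the logon and
# account-management events worth reviewing around the time a compromise was noticed.
# Assumptions: elevated PowerShell on Windows 10 with the default client audit policy.
# The times, the export path and the function names are constructed placeholders.

function Export-SecurityLog {
    # wevtutil epl copies the whole log to an .evtx file that can be opened later,
    # on another machine, with Event Viewer or Get-WinEvent -Path.
    param([string]$Path = "$env:USERPROFILE\Desktop\Security-before-reinstall.evtx")  # placeholder path
    wevtutil epl Security $Path
    return $Path
}

function Get-EventDataTable {
    # Flatten the EventData section of one event's XML into a hashtable keyed by field name,
    # so fields such as TargetUserName and IpAddress can be read by name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-SuspiciousAccountActivity {
    param(
        [datetime]$Noticed = (Get-Date '2017-07-21 09:00'),  # placeholder: when the alert email arrived
        [int]$DaysBack = 7                                    # look back a week, as the comment suggests
    )
    $filter = @{
        LogName   = 'Security'
        StartTime = $Noticed.AddDays(-$DaysBack)
        EndTime   = $Noticed.AddHours(2)
        # 4624 logon succeeded, 4625 logon failed, 4720 user account created,
        # 4732 member added to a local group, 4738 user account changed
        Id        = 4624, 4625, 4720, 4732, 4738
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d = Get-EventDataTable -Event $e
        # Local interactive logons (type 2) are normal on a home PC; keep successful logons
        # only when they came over the network (3) or RDP (10). Every failure and every
        # account-management change is kept.
        $logonType = $d.LogonType
        if ($e.Id -eq 4624 -and $logonType -notin @('3', '10')) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Account   = if ($d.TargetUserName) { $d.TargetUserName } else { $d.SubjectUserName }
            LogonType = $logonType
            SourceIP  = $d.IpAddress      # 127.0.0.1 / '-' for local logons
            Status    = $d.SubStatus      # on a 4625, e.g. 0xC000006A = wrong password for a known user
        }
    }
}

# Usage: run once before formatting the disk, then keep the .evtx with the NAS backup.
# Export-SecurityLog
# Get-SuspiciousAccountActivity -Noticed (Get-Date '2017-07-21 09:00') |
#     Sort-Object Time | Format-Table -AutoSize
```

Read the output as a timeline rather than a verdict: a run of 4625 events with the same SubStatus from one SourceIP, a successful type 3 or type 10 logon you did not perform, or a 4720/4732 event creating or elevating an account you do not recognise would each support the "local compromise" theory. An empty result does not rule it out, but, as the answer below argues, it makes an account-side cause (password reuse, phishing, a reset via the mailbox) the more economical explanation.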

1 Answer


Not every case of fraud is the result of some crazy nation-state sponsored rootkit worming its way through your network.

First, consider the target. It's an online gaming account, existing independently of your own computer(s).

  • Have you clicked on any phishing emails lately? Let's assume not.
  • Have you installed any third-party mods for your EA games?
  • Have you participated in any third-party exchanges unaffiliated with EA that require sharing your EA credentials (i.e. anything like tf2outpost)?
  • Did you have 2FA enabled in the first place? I'm guessing not.
  • Do you share passwords across third-party accounts? Is there some other account you've ever used, ever, that used the same email + password combination?
  • Could he have exploited the password reset mechanism? EA sends a password reset email to the email address on file in the case of a lost password. He would have had to have access to your email account to intercept it. Gmail in particular will give you an access history (look at the very bottom of your inbox) to see what IPs have logged in, but you might want to follow remediation procedure on this one (and it sounds like you already did).
  • Could it have been malware? Possibly, but...

Unless he did compromise your email too, it seems to me like he already knew your password. If you had a keylogger or malware on your machine, you likely would have seen other IoCs by now. AV (though not bulletproof against APTs, who have bigger concerns than your online games) also found nothing. So...

Typically anybody after gaming accounts is looking to bust out by stealing digital content (any tradeable loot or currency), playing your games for free for as long as they can (South America is really bad about this due to high tariffs on gaming) or testing/using hacking tools with other people's accounts to avoid bans.

Ask yourself truthfully how easy to guess your original password was and/or what steps you might have taken to accidentally provide it to a third party. Not saying it's the case here, but sometimes the simplest solution is the most likely one.

If you answered no to all of my questions and you're still uncomfortable with it, do go ahead and wipe the computer. It's inconvenient, but it's what you'd end up doing anyway if you did have concrete proof of infection.

Ivan