To infiltrate EA, cybercriminals bought cookies on the black market

The cybercriminals behind the Electronic Arts data theft have confided in Vice. Their infiltration began with buying information from a company employee for a whopping $ 10.

Rarely, the hackers who infiltrated the video game publisher Electronic Arts to steal 780 GB of data have revealed to Vice how they did it. First, they logged into the Slack account (the company’s mailbox) of one of the employees. Then they managed to convince a manager of EA’s IT department to give them access to the company’s internal network.

To get hold of the Slack account, the cybercriminals made their purchases on Genesis Market, a black market accessible only by invitation, which Cyberwar had visited in November 2020. Genesis only offers one product for sale, the ” bot ”, at a price between a few tens of cents and several tens of euros depending on its content. Each “bot” contains a lot of information about a person, or at least, a computer.

The site has a list of bots for sale, with a lot of information. // Source: Numerama screenshot

The announcements specify the country of the owner of the data, the date of the theft or even the number of identifiers and to which sites they correspond. They also indicate the number of cookies attached to the browser: these are small files that you retrieve while visiting the sites. Some are used for advertising purposes to track the user’s online activities, others allow you to stay connected to a site without having to enter a username and password for each new connection.

But that’s not the worst: the most complete bots allow you to recreate ” browser fingerprint “, Also called the” digital mask “, of the victim. This mask is made up of dozens of information sent by your browser to the sites you have visited. For example, it takes into account the size of your screen, that of your browser window, the time zone you have selected or the type of keyboard (azerty, for example, is rare on a global scale). This combination is very likely to be unique, and will allow certain sites to recognize you.

Precisely, on Genesis, criminals can buy something to recreate your browser identically. Concretely, they will have at the same time the identifiers of the victim, his authentication cookies and a browser completely similar to his: enough to fool the overwhelming majority of security barriers.

An attack launched with 10 dollars

According to Vice, the hackers would have paid 10 dollars for the bot used to infiltrate EA. Interesting detail: on the ads, if it is specified that a bot contains identifiers for Slack or not, it is not specified to which Slack space it allows you to connect. So cybercriminals might just have had a good draw in purchasing their bot – and EA, a stroke of bad luck. On the other hand, the market allows you to filter your bot searches by URL: the criminals were able to buy several bots that contained identifiers for Slack.

The purchase of bot has another advantage for thugs: it allows, most often, to avoid the barrier of double authentication. Since the stolen information allows the victim’s browser to be recreated, most sites will assume that the user (in fact, the thug) is connecting from a known device. Result: they will ask for few or no credentials, especially if the authentication cookie stolen from the victim’s browser is still valid.

Related Articles