2K Games, a publisher best known for its sports and online games affiliated with the NBA, PGA and WWE, experienced a breach of its helpdesk system that resulted in malware links being sent to customers. The attacker attempted to distribute an info-stealing malware that searches target systems for credentials and authentication tokens, with a particular focus on crypto wallets and financial information that can be used for quick thefts.
The attack was noticed by 2K customers when they began receiving follow-ups to support tickets that they never opened. The hacker posed as a member of the 2K customer service department and linked users to malware they had hosted with a Zendesk account, which was made to look like a launcher program.
Helpdesk system breach is second attack on a Take-Two Interactive company within a week
While it is still unclear if there is any relation between the attacks, the 2K helpdesk system breach is the second attack on a Take-Two Interactive gaming subsidiary within about a week. Rockstar Games also had its internal Slack channel breached recently, leading to a leak of Grand Theft Auto 5 (GTA5) source code and videos of the upcoming GTA6 not meant to be viewed by the public for some time.
2K’s helpdesk system was down for some time as the incident was investigated, but is now back in working order. Customers should be aware of any unsolicited messages from customer service from about September 19 to September 24, particularly those that come from a representative named “Prince K”. These messages have malware attached that is disguised as a file called “2K Launcher” that is about 107MB in size.
The identity of the attacker is not yet known, but the malware was delivered from a command-and-control server that was previously known to the Malwarebytes antimalware service and already on a block list. Attacks on video game publishers have been up during the pandemic period, with hackers seeking everything from stored funds to source code. Source code for very popular games can be quite valuable, selling for millions of dollars at auction on the dark web in previous theft incidents.
Redline malware sniffs out stored credentials on target systems
It remains unknown how many 2K customers were compromised by the bogus helpdesk system messages. Anyone who may have run the malware launcher is advised to change all of their passwords and review any stored authentication tokens immediately, as the Redline malware used in this attack combs through web browser history and other elements of target systems to locate them. Redline is also capable of stealing sensitive personal information for use in future scam and fraud attempts.
The helpdesk system messages that contain the malware look legitimate enough, but can be spotted by the URL users are directed to at the end of the message. It asks users to download a file from “2ksupport.zendesk.com,” which may look legitimate at a glance but is a rogue account set up by the attacker.