American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers with fake support tickets pushing malware via embedded links.

“Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers,” 2K’s support account tweeted on Tuesday after reporters broke the story on the security breach. “The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account.”

The company said it would issue a notice to let players know when it will be safe to start interacting with its support staff again. “We will issue a notice when you can resume interacting with official 2K help desk emails, and we will also follow-up with additional information as to how you can best protect yourself against any malicious activity,” 2K said.
At the beginning of the incident, 2K customers started receiving emails saying they had opened support tickets on 2ksupport.zendesk[.]com, 2K’s online support ticketing system. While the users confirmed these tickets were accessible via 2K’s help desk portal, numerous recipients stated on Twitter and Reddit that they were not the ones who had opened them.

Soon after the tickets were opened, recipients also received a second email, sent in reply to the original ticket from an alleged 2K support representative named ‘Prince K’. These emails included links to download a file named ‘2K Launcher.zip’ from 2ksupport.zendesk.com. As reporters found, the archive contained an executable identified as the RedLine information-stealing malware by VirusTotal and Any.Run scans.

RedLine Stealer is an info-stealer that threat actors use to harvest a wide range of data from an infected system, including web browser history, cookies, saved browser passwords, credit cards, VPN credentials, instant messaging content, cryptocurrency wallets, and more.

2K has yet to say whether the attack on its support system is linked to the Rockstar Games hack over the weekend, but the timing is suspicious. Both companies are subsidiaries of Take-Two Interactive, one of the largest video game publishers across the Americas and Europe. The threat actor behind the Rockstar Games breach has also claimed the recent Uber hack, which was believed to be orchestrated by a hacker affiliated with the Lapsus$ extortion group.

2K is the publisher behind numerous popular game franchises, including NBA 2K, Borderlands, WWE 2K, PGA Tour 2K, Bioshock, Civilization, and Xcom.
The company advised those who might have clicked one of the malicious links sent by the attackers to take steps to mitigate the potential impact immediately:
• Reset any user account passwords stored in the web browser (e.g., Chrome AutoFill)
• Enable multi-factor authentication (MFA) whenever available, especially on personal email, banking, and phone or Internet provider accounts. If possible, avoid using MFA that relies on text message verification – using an authenticator app would be the most secure method
• Install and run a reputable anti-virus program
• Check account settings to see if any forwarding rules have been added or changed on personal email accounts