The Smell of Molten Projects in the Morning

Ed Nisley's Blog: Shop notes, electronics, firmware, machinery, 3D printing, laser cuttery, and curiosities. Contents: 100% human thinking, 0% AI slop.

Busted For What I’ll Never Know

An email from Electronic Arts arrived in an email account I haven’t used in over a decade:

Welcome to your EA Account!
Your EA Account serves as an all-access pass to everything EA, from websites and mobile apps to console and PC games.

Seconds later:

Your EA Security Code:
<<< redacted, not that it matters >>>
If you didn’t request this code, please go to your My Account page and change your password right away. For assistance, please contact EA Help.

Thanks for helping us maintain your account’s security.

Not ever having had an EA account nor being in the process of signing up for one, I did nothing.

After a few more seconds:

Dear EA Insider,

Thanks for signing up. We’re looking forward to bringing you the latest news and information on your favorite games.

All the emails look to be genuinely from Electronics Arts, not scam emails routed through the usual sketchy / compromised servers.

Four days later:

Dear Customer,

We are contacting you regarding your EA account.

We wish to notify you that we have found your account to be in violation of our User Agreement or our Terms of Sale, and due to the nature of this violation we are left with no option other than to permanently close your account with immediate effect.

Which looks much more impressive in email HTML:

EA Account Closing
EA Account Closing

Although I did not respond to the Security Code message, the scammer surely used a phone number under his (it’s always a he) control, because “2FA” really means “pick an authentication method that lets you in”.

Just for the amusement value, I fed that email address into the EA sign-in page, hit the “Forgot my password” button, and got a Security Code just like the scammer didn’t. I suppose I could change the password and discover / change the phone number, but that would put me in full ownership of an account used for nefarious purpose.

I sometimes wonder what else happens using my identity.

A good prosecutor could nail me for Third Party Retro-associative Complicity and, if I didn’t already live in Poughkeepsie, send me up the river.

This likely came from the old Thingiverse compromise, although that address also appears in the recent dump of a thousand dumps.

Comments

One response to “Busted For What I’ll Never Know”

  1. RCPete Avatar
    RCPete

    Gee, and I just get emails, supposedly from my ISP telling me to log in via the handy link to avoid dire, I say DIRE!!, consequences if I ignore. The routing information on the email is usually amusing, and I notice that the links (usually a few, for supposedly different purposes) always go to the same location. And most of the time, it’s a Google-hosted site.

    OTOH, they’ve been slacking off lately. I wonder if they’re waiting until the school year approaches when people might pay attention to email accounts ignored over the summer.