2K Games has Game Support Infrastructure Hacked

In an article published by Bleeping Computer, the cyber security news platform revealed that video games publisher 2K had its game support system hacked and used to spread malware to gamers. This follows news that Steam users were being targeted by unusual Browser-in-the-Browser attacks aiming to phish online credentials. Gamers across the globe need to be aware that they are now favored targets for financially motivated hackers and known threat actor groups.

American games publisher 2K is perhaps best known for being the publisher behind NBA 2K, Borderlands, WWE 2K, PGA Tour 2K, Bioshock, Civilization, and Xcom.


On September 20, some of the publisher's customer base began receiving emails stating that they opened support tickets on 2ksupport.zendesk.com, 2K's online support ticketing system.

Some receivers of the emails confirmed that they had indeed opened support tickets with the service while others confirmed via Twitter and Reddit that they had not opened tickets they were now receiving emails for.

Once the support ticket confirmation was sent, recipients soon received another email claiming to be from a 2K support representative going by “Prince K.”

The follow-up email contained an attachment titled “2K Launcher.zip” along with the body text “Thank you for reaching out to 2K Support! The download for the new 2K games launcher can be found below.”

The email and subsequent attachment were discovered to have come from 2ksupport.zendesk.com, an email server controlled by 2K, and not from a suspicious server possibly linked to known threat actors.

This led security researchers to believe that 2K network infrastructure had been compromised to distribute malware to the company's customers.

Looking at the attached file for a moment: the executable stored in the .zip file is 107 MB, and a quick look at the file's properties reveals that it was not created by 2K. The file's certificate is registered to “Plumy” while the file description is given as “5K Player.”
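The checks described above (what is actually inside the archive, and whether a member's content matches what its name claims) are the kind of thing a mail gateway or help-desk integration can automate before a user ever sees a download link. The following Python script is an added example and not code from the article or from 2K or Zendesk; the archive it inspects is constructed in the script itself (a stub "launcher" whose first two bytes are the PE "MZ" header, a data file carrying the same header behind a harmless extension, and a plain readme), so nothing here is the real attachment.

```python
import io
import zipfile

# Windows PE executables start with the two-byte "MZ" signature.
PE_MAGIC = b"MZ"

# Extensions that Windows will execute directly when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".dll", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs"}


def inspect_zip(data: bytes) -> list:
    """Return one finding per file in an in-memory zip archive.

    Each finding records the member name, declared size, whether the
    extension is executable and whether the content begins with the PE
    signature. Comparing the last two exposes disguised executables
    (executable content hiding behind a data-looking name).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            name_lower = info.filename.lower()
            ext = "." + name_lower.rsplit(".", 1)[-1] if "." in name_lower else ""
            exec_ext = ext in EXEC_EXTENSIONS
            pe_magic = head == PE_MAGIC
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "exec_ext": exec_ext,
                "pe_magic": pe_magic,
                # Executable bytes behind a non-executable name is the strongest signal.
                "disguised": pe_magic and not exec_ext,
            })
    return findings


def should_quarantine(findings: list) -> bool:
    """A support 'launcher' archive that carries any executable member,
    by extension or by content, should be held rather than delivered."""
    return any(f["exec_ext"] or f["pe_magic"] for f in findings)


def build_sample_zip() -> bytes:
    """Constructed sample archive (hypothetical, not the real '2K Launcher.zip')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("2K Launcher/readme.txt", "Thank you for reaching out to 2K Support!\n")
        # Stub executable: PE signature followed by padding, nothing runnable.
        zf.writestr("2K Launcher/2K Launcher.exe", PE_MAGIC + b"\x00" * 1024)
        # Same signature behind a data extension, to exercise the mismatch check.
        zf.writestr("2K Launcher/update.dat", PE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    results = inspect_zip(build_sample_zip())
    for finding in results:
        print(finding)
    print("quarantine:", should_quarantine(results))
```

In a real deployment the same loop would run over the attachment bytes pulled from the ticketing platform's outbound mail, and a positive result would hold the message for review; the script deliberately reads only the first bytes of each member, so an oversized archive (the real sample was 107 MB) does not have to be decompressed in full to be flagged.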

The executable is in fact the RedLine Stealer malware, which can be purchased on underground hacking forums for a few hundred dollars.

The stealer module of the malware is capable of stealing browser history, browser cookies, saved browser passwords, credit cards, VPN passwords, instant messaging content, system information, and cryptocurrency wallets.

Bleeping Computer reached out to 2K for comment and the company stated,

“Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers…The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account.”

The company further provided the following steps to assist those who may have been impacted by the attack:

  • Reset any user account passwords stored in your web browser (e.g., Chrome AutoFill)
  • Enable multi-factor authentication (MFA) whenever available, especially on personal email, banking, and phone or Internet provider accounts. If possible, avoid using MFA that relies on text message verification - using an authenticator app would be the most secure method
  • Install and run a reputable anti-virus program
  • Check your account settings to see if any forwarding rules have been added or changed on your personal email accounts

More Bad News for Gamers

Over the weekend of September 17, Rockstar Games was impacted by a major data breach. Speaking to Bleeping Computer, the company stated,

“We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto. At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects. We are extremely disappointed to have any details of our next game shared with you all in this way. Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations. We will update everyone again soon and, of course, will properly introduce you to this next game when it is ready. We want to thank everyone for their ongoing support through this situation.”

A threat actor affiliated with the Lapsus$ extortion group, and believed to be behind recent attacks on Uber and Microsoft, is thought to be responsible for the attack.

Rockstar Games is a subsidiary of Take Two Entertainment, which also counts 2K as a subsidiary. However, at the moment there is no evidence to suggest that the attacks on 2K and Rockstar Games are linked, although the timing of the two attacks, less than a week apart, can only be regarded as suspicious.

The attacks on both 2K and Rockstar show the continued difficulty large companies have in securing their infrastructure.

It is often not only their own infrastructure but third-party software packages, services and hardware that prove to be the route by which hackers gain access to sensitive data or operations, as the compromised vendor credentials in the 2K case illustrate.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
