EA Games website hacked to steal Apple IDs

Diposkan oleh silent aja 10:25 AM Post a Comment

Summary: Hackers took over an Electronic Arts subdomain which they used to host a fake Apple ID login screen designed to steal credit card info.

Hold onto your Apple ID credentials and don't enter them anywhere unless you're 100 percent certain that a) it's necessary, and b) legitimate. That's today's security lesson, courtesy of a very convincing Apple ID login screen hosted on game publisher Electronic Arts' website that was used to steal credentials.

(Screenshot: Netcraft.com)

The first question a user stumbling across the site above should ask themselves is: 'Why is EA.com asking me for my Apple ID?'

According to Paul Mutton at security research firm Netcraft the compromised server was used by two websites in the ea.com domain ordinarily used to host an online calendar.

Hackers appear to have exploited a bug in an outdated WebCalendar 1.2.0 installation from 2008 and used it as an attack vector to install the fake 'My Apple ID' page which was used to capture a victim's Apple ID and password. After submitting their Apple ID and password it presented the user with a second form which asked the victim to verify their full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting their personal information, the victim was redirected to the legitimate Apple ID website.

Armed with a user's Apple ID, a malicious user can gain access to a treasure trove of personal data that is stored on iCloud, including email, contacts, calendars and photos. An attacker could even use the credentials to clone an iPhone or iPad by restoring an iCloud backup to a device in their possession. And if you use your http://ift.tt/ODiDbk email for password recovery, it could also compromise any accounts (Google, Twitter, Facebook, etc.) that recover to it.

Wired editor Mat Honan was victim of an epic hack in August 2012 when an attacker compromised his Apple ID and used Find my Phone and Find my Mac to remotely wipe his iPhone, iPad and his MacBook Air.

In addition to the common sense that I recommended at the beginning of this article, the best way to protect your Apple ID is by adding two-step verification. This requires that a person needs something in addition to your Apple ID and password (typically a code sent to your phone via SMS) to access your account. More information can be found in the Apple knowledgebase article: Frequently asked questions about two-step verification for Apple ID.

An EA spokesperson told The Verge that the Apple ID phishing page was removed afternoon, but it's unclear how long the Apple ID phishing page was hosted on ea.com or how many people may have been tricked into entering their information.

How secure is your Apple ID? Have you enabled two-step verification?