EA Games website hacked to steal Apple IDs


Summary: Hackers took over an Electronic Arts subdomain which they used to host a fake Apple ID login screen designed to steal credit card info.

TOPICS: Apple, Security

Hold onto your Apple ID credentials and don't enter them anywhere unless you're 100 percent certain that a) it's necessary, and b) legitimate. That's today's security lesson, courtesy of a very convincing Apple ID login screen hosted on game publisher Electronic Arts' website that was used to steal credentials. 

EA Games website hacked to steal Apple IDs - Jason O'Grady
(Screenshot: Netcraft.com)

The first question a user stumbling across the site above should ask themselves is: "Why is EA.com asking me for my Apple ID?"

According to Paul Mutton at security research firm Netcraft, the compromised server was used by two websites in the ea.com domain and ordinarily hosted an online calendar.

Hackers appear to have exploited a bug in an outdated WebCalendar 1.2.0 installation from 2008 and used it as an attack vector to install the fake "My Apple ID" page which was used to capture a victim's Apple ID and password. After submitting an Apple ID and password, users then saw a second form which asked them to verify their full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting personal information, the victim was redirected to the legitimate Apple ID website.
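The question a user should ask ("why is this site asking for my Apple ID?") can also be asked by a crawler or mail gateway. The following is an added example, not code from Netcraft or the article: it flags a page that presents an Apple ID password prompt when the page host or the form target is not an Apple domain. The brand domain list, the placeholder host and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BRAND_DOMAINS = ("apple.com", "icloud.com")  # assumption: where an Apple ID prompt is expected

class LoginFormScanner(HTMLParser):
    """Collects the title, form actions, and whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.title, self.actions, self.has_password = "", [], False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def on_brand(host):
    """True only for a brand domain or a real subdomain of one (label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def brand_mismatch(page_url, html):
    """List reasons an Apple ID credential prompt looks out of place."""
    scan = LoginFormScanner()
    scan.feed(html)
    if not (scan.has_password and "apple id" in scan.title.lower()):
        return []  # not an Apple ID credential prompt
    checks = [("page", urlsplit(page_url).hostname)]
    checks += [("form target", urlsplit(urljoin(page_url, a)).hostname) for a in scan.actions]
    return [f"{what} host {h} is not an Apple domain" for what, h in checks if not on_brand(h)]

# Constructed sample: a page titled like the one in the article, on a placeholder host.
SAMPLE_URL = "https://calendar.publisher.example/cal/login.html"
SAMPLE_HTML = ('<title>My Apple ID</title><form method="post" action="verify.php">'
               '<input name="id"><input type="PASSWORD" name="pw"></form>')
```

The suffix match is done on a label boundary, so lookalike hosts such as `apple.com.publisher.example` or `notapple.com` are still reported.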

Armed with a user's Apple ID, a malicious user can gain access to a treasure trove of personal data that is stored on iCloud, including email, contacts, calendars, and photos. An attacker could even use the credentials to clone an iPhone or iPad by restoring an iCloud backup to a device in their possession. And if you use your icloud.com/mac.com/me.com email for password recovery, it could also compromise any accounts (Google, Twitter, Facebook, etc.) that recover to it. 

Wired editor Mat Honan was the victim of an epic hack in August 2012 when an attacker compromised his Apple ID and used Find my Phone and Find my Mac to remotely wipe his iPhone, iPad, and MacBook Air.

Aside from using common sense, the best way to protect your Apple ID is by adding two-step verification. With it enabled, a person needs something in addition to your Apple ID and password (typically a code sent to your phone via SMS) to access your account. More information can be found in the Apple knowledgebase article: Frequently asked questions about two-step verification for Apple ID.

An EA spokesperson told The Verge that the Apple ID phishing page was removed yesterday afternoon, but it's unclear how long it was hosted on ea.com or how many people may have been tricked into entering their information. 

How secure is your Apple ID? Have you enabled two-step verification?


Talkback

4 comments
  • Your first mistake

    Was to use a Windows based machine. Microsoft keeps a copy of your internet cache, including login credentials. Microsoft likes to point the finger at Google, while doing worse.
    I hate trolls also
    • All browsers have cache

      So how is this a Microsoft issue?
      schultzycom
      • Microsoft is known

        To copy it, in a "hidden" location, and transmit it back to Microsoft. Microsoft is famous for complaining about company "A" while doing the same thing. This is done to distract everyone, so no one complains about Microsoft doing worse than they complain about the competition doing.
        I hate trolls also
        • Take off the tin-foil hat.

          The doctor needs to examine your brain.

          Joke aside, what are you talking about?

          As far as I can tell, Microsoft doesn't do what you're talking about.

          If you're going to pull lies out of your rear, at least make them believable.

          Otherwise, you're doing nothing more than spamming FUD.
          ForeverCookie