Hold onto your Apple ID credentials and don't enter them anywhere unless you're 100 percent certain that a) it's necessary, and b) legitimate. That's today's security lesson, courtesy of a very convincing Apple ID login screen hosted on game publisher Electronic Arts' website that was used to steal credentials.
The first question a user stumbling across such a page should ask themselves is: "Why is EA.com asking me for my Apple ID?"
According to Paul Mutton at security research firm Netcraft, the compromised server was used by two websites in the ea.com domain ordinarily used to host an online calendar.
Hackers appear to have exploited a bug in an outdated WebCalendar 1.2.0 installation from 2008 and used it as an attack vector to install the fake "My Apple ID" page, which was used to capture a victim's Apple ID and password. After submitting an Apple ID and password, users then saw a second form that asked them to verify their full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, and other details that would be useful to a fraudster. After submitting this personal information, the victim was redirected to the legitimate Apple ID website.
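As an added illustration of how a site operator could spot this kind of page in their own web root (example code written for this article, not from EA, Netcraft or Apple): the scanner below parses HTML, and flags any form that combines Apple ID branding in the page title with a password or payment/identity field while the page is served from a host that is not an Apple domain. The sample page, host names and sensitive-field list are constructed assumptions.

```python
from html.parser import HTMLParser

# Field-name fragments that have no business on a calendar host (constructed list,
# modelled on the fields the article says the fake forms asked for).
SENSITIVE = ("password", "card", "cvv", "expir", "maiden", "birth", "phone")

class FormScanner(HTMLParser):
    """Collect the page <title> and, per <form>, its action and input names."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.forms = "", False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": set()})
        elif tag == "input" and self.forms:
            # A type="password" input is a credential field whatever it is named.
            kind = (a.get("type") or "text").lower()
            name = "password" if kind == "password" else (a.get("name") or "").lower()
            self.forms[-1]["fields"].add(name)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def find_phishing_forms(html, host):
    """Return forms on `host` that pair Apple ID branding with sensitive fields
    while the page is not served from an Apple domain (the ea.com pattern)."""
    p = FormScanner()
    p.feed(html)
    apple_branded = "apple id" in p.title.lower()
    off_brand = host != "apple.com" and not host.endswith(".apple.com")
    hits = []
    for f in p.forms:
        risky = sorted(x for x in f["fields"] if any(s in x for s in SENSITIVE))
        if apple_branded and off_brand and risky:
            hits.append({"action": f["action"], "risky_fields": risky})
    return hits

# Constructed sample resembling the fake "My Apple ID" login step (not the real page).
SAMPLE_PAGE = """<html><head><title>My Apple ID - Sign in</title></head><body>
<form action="/calendar/verify.php" method="post">
 <input name="apple_id"><input name="pass" type="password"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    print(find_phishing_forms(SAMPLE_PAGE, "ea.com"))            # flags the form
    print(find_phishing_forms(SAMPLE_PAGE, "appleid.apple.com"))  # [] on Apple's host
```

Running it over every HTML file a web server exposes (including directories of third-party software such as WebCalendar) turns the "why is this domain asking for my Apple ID?" question into a routine check rather than one left to visitors.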
Armed with a user's Apple ID, a malicious user can gain access to a treasure trove of personal data that is stored on iCloud, including email, contacts, calendars, and photos. An attacker could even use the credentials to clone an iPhone or iPad by restoring an iCloud backup to a device in their possession. And if you use your icloud.com/mac.com/me.com email for password recovery, it could also compromise any accounts (Google, Twitter, Facebook, etc.) that recover to it.
Wired editor Mat Honan was the victim of an epic hack in August 2012 when an attacker compromised his Apple ID and used Find my Phone and Find my Mac to remotely wipe his iPhone, iPad, and MacBook Air.
Aside from using common sense, the best way to protect your Apple ID is by adding two-step verification. This requires something in addition to your Apple ID and password (typically a code sent to your phone via SMS) to access your account. More information can be found in the Apple knowledgebase article: Frequently asked questions about two-step verification for Apple ID.
An EA spokesperson told The Verge that the Apple ID phishing page was removed yesterday afternoon, but it's unclear how long it was hosted on ea.com or how many people may have been tricked into entering their information.
How secure is your Apple ID? Have you enabled two-step verification?