EA Games website hacked to phish Apple IDs from users – could it happen to your site too?

A website belonging to video games producer Electronic Arts (EA Games) has been hacked into by criminals, who used it to phish Apple ID usernames and passwords from unsuspecting users.

Fake Apple ID login screen

To the casual observer, the fake webpage created by the hackers (shown above) is pretty hard to distinguish from Apple’s genuine equivalent page (below):

Genuine Apple ID login page

Sign up to our free newsletter.
Security news, advice, and tips.

In all likelihood, these particular attackers sent out spam messages to members of the public, posing as official communications from Apple that directed potential victims via a link to the phishing page on EA’s web server.

Unwary users would enter their Apple ID credentials (which can be used to make online purchases from Apple amongst other things) straight into the hands of cybercriminals.

The discovery was made by internet security firm Netcraft, who described the serious nature of the security breach in a blog post:

The compromised server is hosted within EA’s own network. Compromised internet-visible servers are often used as “stepping stones” to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened.

In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server. The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.

Netcraft said it believed that EA’s website was most likely compromised by hackers exploiting a vulnerability in a web server app called WebCalendar.

To its shame, EA Games appears to have been running an old version of WebCalendar – version 1.2.0 – that contained a number of security vulnerabilities that were patched some time ago. Clearly, no-one at EA considered that it might be a good idea to update the software.

According to WebCalendar’s website, version 1.2.0 of its app was released way back in September 2008. A version designed to fix “some XSS vulnerabilities” was released in April 2010, with users urged to upgrade.

Versions of WebCalendar

The latest version, which is also said to fix a number of security vulnerabilities, was released over a year ago in February 2013.

There really is no excuse for EA’s website to have been exposing its webpages and users to hackers for so long.

Electronic ArtsAnd, of course, it’s not just EA Games who were victims of a criminal act.

Visitors to the insecure website were also running the risk of having unauthorised code which could have been planted by hackers run on their computers, or being tricked by bogus webpages into taking dangerous actions.

This latest incident has made the news because of the big names of EA Games and the Apple IDs which were up for grabs, but the truth is that tens of thousands of legitimate webpages are hacked each and every day, to display spam advertising messages, phish for users’ credentials or spread malware.

If you run a website you must rigorously check that you have applied the latest security updates – not just to the central software (such as WordPress) which may run your website, but also any plugins and third-party tools that your site may rely upon.

If just one of them has a security weakness, it could be enough for hackers to crowbar their way into your server, and allow them to plant malware or phishing pages designed to bring harm to your site’s visitors.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “EA Games website hacked to phish Apple IDs from users – could it happen to your site too?”

  1. Patrick

    All the more reason for end-users to have Two-Factor Authentication enabled on their accounts when possible. Apple has it available to setup. It's no wonder we are losing to the bad guys when multi-million dollar companies fail to keep their software up to date. If the big companies aren't taking the lead, who will?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.