A website belonging to video games producer Electronic Arts (EA Games) has been hacked into by criminals, who used it to phish Apple ID usernames and passwords from unsuspecting users.
To the casual observer, the fake webpage created by the hackers (shown above) is pretty hard to distinguish from Apple’s genuine equivalent page (below):
In all likelihood, these particular attackers sent out spam messages to members of the public, posing as official communications from Apple that directed potential victims via a link to the phishing page on EA’s web server.
Unwary users would enter their Apple ID credentials (which can be used to make online purchases from Apple amongst other things) straight into the hands of cybercriminals.
The discovery was made by internet security firm Netcraft, who described the serious nature of the security breach in a blog post:
The compromised server is hosted within EA’s own network. Compromised internet-visible servers are often used as “stepping stones” to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened.
In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server. The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.
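The quoted description (an attacker installing and running arbitrary PHP scripts on an internet-facing server) is the sort of change a simple file-integrity baseline catches quickly. The script below is an added example, not code from the article, Netcraft or EA: it hashes every file under a web root, diffs the result against a known-good baseline, and flags added or modified script files for first review. The web root, its files and the simulated "planted" page are all constructed inside a temporary directory so it runs offline; the file names are illustrative only.

```python
"""Integrity baseline for a web root: report files added, removed or modified.

Added example (not from the article). The directory tree and baseline are
constructed in a temporary directory; nothing here is real EA or WebCalendar data.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two manifests and return sorted lists of added, removed and modified paths."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def suspicious_findings(diff: Dict[str, List[str]], script_exts=(".php", ".phtml")) -> List[str]:
    """Server-side script files that appeared or changed since the baseline.

    A new script under a directory that should only hold images, or a changed
    script in an application that nobody updated, is exactly what a planted
    phishing page or backdoor looks like on disk."""
    return [p for p in diff["added"] + diff["modified"] if p.lower().endswith(script_exts)]


def _write(root: str, rel: str, text: str, mode: str = "w") -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def demo() -> Dict[str, object]:
    """Build a constructed web root, take a baseline, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed known-good tree: a front page and a bundled calendar app.
        _write(root, "index.php", "<?php echo 'home'; ?>\n")
        _write(root, "calendar/view.php", "<?php echo 'calendar'; ?>\n")
        _write(root, "calendar/images/logo.png", "not really a png\n")
        baseline = hash_tree(root)

        # Simulated post-compromise state (constructed): a new script dropped in
        # an images directory, and an existing script altered in place.
        _write(root, "calendar/images/login.php", "<?php /* constructed planted page */ ?>\n")
        _write(root, "calendar/view.php", "<?php /* constructed appended code */ ?>\n", mode="a")
        current = hash_tree(root)

        diff = diff_manifests(baseline, current)
        return {"diff": diff, "suspicious": suspicious_findings(diff)}


if __name__ == "__main__":
    result = demo()
    for category, paths in result["diff"].items():  # type: ignore[union-attr]
        print(f"{category:9}: {paths}")
    print("review first:", result["suspicious"])
```

In practice the baseline manifest is generated right after a clean deployment, stored off the web server, and compared on a schedule; the "suspicious" list is a triage aid, not a verdict, since legitimate updates also change script files, which is why deployments should regenerate the baseline.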
Netcraft said it believed that EA’s website was most likely compromised by hackers exploiting a vulnerability in a web server app called WebCalendar.
To its shame, EA Games appears to have been running an old version of WebCalendar – version 1.2.0 – that contained a number of security vulnerabilities that were patched some time ago. Clearly, no-one at EA considered that it might be a good idea to update the software.
According to WebCalendar’s website, version 1.2.0 of its app was released way back in September 2008. A version designed to fix “some XSS vulnerabilities” was released in April 2010, with users urged to upgrade.
The latest version, which is also said to fix a number of security vulnerabilities, was released over a year ago in February 2013.
There really is no excuse for EA’s website to have been exposing its webpages and users to hackers for so long.
Visitors to the insecure website also ran the risk of having unauthorised code, planted by hackers, run on their computers, or of being tricked by bogus webpages into taking dangerous actions.
This latest incident has made the news because of the big names of EA Games and the Apple IDs which were up for grabs, but the truth is that tens of thousands of legitimate webpages are hacked each and every day, to display spam advertising messages, phish for users’ credentials or spread malware.
If you run a website you must rigorously check that you have applied the latest security updates – not just to the central software (such as WordPress) which may run your website, but also any plugins and third-party tools that your site may rely upon.
If just one of them has a security weakness, it could be enough for hackers to crowbar their way into your server, and allow them to plant malware or phishing pages designed to bring harm to your site’s visitors.
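The check the last two paragraphs call for, applied not only to the core platform but to every bundled tool and plugin, is easy to automate once you keep an inventory of what is installed. The script below is an added example, not code from the article or from any of the vendors mentioned: it compares each component's installed version against the oldest version you consider patched and reports everything that falls short or is not tracked at all. The inventory and the "minimum patched" versions are constructed placeholders (only WebCalendar 1.2.0 as the installed version comes from the article); real figures come from each vendor's release notes.

```python
"""Audit an inventory of web components against minimum patched versions.

Added example (not from the article). INVENTORY and MINIMUM_PATCHED are
constructed placeholders, not real advisory data; WebCalendar 1.2.0 is the
version the article says EA was running.
"""
import re
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric part of a version string.

    '1.2.0' -> (1, 2, 0); 'v3.8.1-beta' -> (3, 8, 1). Raises ValueError when
    no numeric version is present, so a malformed inventory entry is noticed
    rather than silently treated as up to date."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_older(installed: str, minimum: str) -> bool:
    """True if installed < minimum; shorter tuples are zero-padded so 1.2 == 1.2.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed inventory: what one site runs (component -> installed version).
INVENTORY: Dict[str, str] = {
    "WordPress": "3.8.1",               # placeholder core version
    "WebCalendar": "1.2.0",             # the version the article says EA ran
    "example-gallery-plugin": "2.0",    # hypothetical third-party plugin
}

# Constructed table: oldest version treated as patched for each component.
# Placeholder values only; take real ones from each vendor's release notes.
MINIMUM_PATCHED: Dict[str, str] = {
    "WordPress": "3.8.1",
    "WebCalendar": "1.2.7",
    "example-gallery-plugin": "2.1.3",
}


def audit(inventory: Dict[str, str], minimum_patched: Dict[str, str]) -> List[str]:
    """Return one finding per component that is below its patched version or untracked.

    Untracked components are reported too: a tool nobody added to the advisory
    table is exactly the kind of forgotten dependency the article describes."""
    findings: List[str] = []
    for name, installed in sorted(inventory.items()):
        if name not in minimum_patched:
            findings.append(f"{name} {installed}: no advisory baseline recorded")
        elif is_older(installed, minimum_patched[name]):
            findings.append(f"{name} {installed}: below patched version {minimum_patched[name]}")
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY, MINIMUM_PATCHED):
        print(line)
```

The useful property is that the core platform passing does not hide the bundled calendar failing: each component is judged on its own line, which is the point the article makes about plugins and third-party tools.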
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.