According to a forensic analysis from Netcraft, the compromised server is used by two websites in the ea.com domain, and is ordinarily used to host a calendar based on WebCalendar 1.2.0. This version was released in September 2008 and contains several security vulnerabilities that have been addressed in subsequent releases.
“For example, CVE-2012-5385 details a vulnerability which allows an unauthenticated attacker to modify settings and possibly execute arbitrary code,” Paul Mutton, a researcher at Netcraft, noted in a blog post.
“It is likely that one of these vulnerabilities was used to compromise the server, as the phishing content is located in the same directory as the WebCalendar application.”
Netcraft, which noted that it has alerted EA to the problem, said that the phishing site attempts to trick a victim into submitting his or her Apple ID and password. It then presents a second form that asks the victim to verify full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting these details, the victim could be none the wiser, because they are then redirected to the legitimate Apple ID website.
“Compromised internet-visible servers are often used as ‘stepping stones’ to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened,” said Mutton. However, “the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server.”
EA has yet to release a statement on the issue, but at least one researcher sees it as something other than a direct attack.
“It’s true that gaming companies have been targeted in the past, primarily due to their high profile and large number of online users,” said Dwayne Melancon, CTO of Tripwire, in an email to Infosecurity. “That said, this attack doesn’t seem to be a direct attack against Electronic Arts – it appears that EA was running a vulnerable server that enabled the attackers to set up a fake Apple site to harvest user information, rather than mimicking an EA site. That approach means that it is likely that this attack could gather information far beyond EA’s customer base – essentially, anyone with an Apple ID could be susceptible to information harvesting.”
The issue brings up the necessity of timely patching, he added. “We regularly see attackers take advantage of neglected, abandoned or unpatched applications running on company infrastructure,” Melancon said. “This is interesting in that it is a problem that we know how to solve but enterprises just aren’t taking the necessary precautions. As part of their security programs, enterprises must ensure that they are aware of what applications – especially internet-facing applications – are running on their infrastructure, and what vulnerabilities exist for those applications. Scanning for the existence and status of these applications is essential in making informed decisions about how to prevent this kind of attack.”
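Two defender-side checks follow from the article: the phishing pages were dropped into the WebCalendar application's own directory (arbitrary PHP installed on the server), and Melancon's point that an organisation should know which applications are internet-facing and whether their version is still vulnerable. The following is an added example, not Netcraft's or Tripwire's tooling and not part of the original article. It baselines a web application's document root with SHA-256 digests, reports files added, modified or removed since the baseline, flags new or changed server-side files as the loudest signal, and compares an installed version string against the last release the article names as vulnerable (1.2.0). The directory layout used in `demo()` is constructed for the example and is not WebCalendar's real file tree.

```python
"""Baseline-and-diff integrity check for a web application directory.

Added example: snapshot every file under an application's document root,
then report anything added, changed or removed since the snapshot. A new
PHP file sitting beside an application such as WebCalendar is exactly the
artefact described in the article (phishing content in the app directory).
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline and classify the differences."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    # Server-side executable files that were not in the baseline, or that changed,
    # deserve the loudest alarm: that is what a dropped phishing kit looks like on disk.
    suspicious = [p for p in added + modified if p.endswith((".php", ".phtml"))]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def parse_version(version: str) -> tuple:
    """'v1.2.0' -> (1, 2, 0) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_at_or_below(version: str, last_known_vulnerable: str = "1.2.0") -> bool:
    """True if the installed version is no newer than the last release the article
    describes as carrying the vulnerabilities (1.2.0; later releases addressed them)."""
    return parse_version(version) <= parse_version(last_known_vulnerable)


def demo() -> dict:
    """Constructed scenario (file names are made up for the example, not WebCalendar's
    real layout): baseline a small tree, then simulate a dropped phishing form, a
    tampered front page and a deleted image, and return the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php // constructed: calendar front page ?>")
        (root / "includes" / "config.php").write_text("<?php $db_host = 'localhost'; ?>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_baseline(root)

        # Simulated compromise, constructed for the example.
        (root / "apple").mkdir()
        (root / "apple" / "verify.php").write_text("<?php // constructed: fake Apple ID form ?>")
        (root / "index.php").write_text("<?php header('Location: apple/verify.php'); ?>")
        (root / "images" / "logo.png").unlink()
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    report = demo()
    for key in ("added", "modified", "removed", "suspicious"):
        print(f"{key}: {report[key]}")
    print("WebCalendar 1.2.0 at or below last vulnerable release:", is_at_or_below("1.2.0"))
```

In practice the baseline would be written at deployment time (or taken from the package's release tarball) and stored off the web server, so that an attacker who can write to the document root cannot also rewrite the manifest; the version check is only meaningful when paired with an inventory of which hosts actually expose the application.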
As a separate concern, EA Games is also the lure for a different set of phishing attacks that try to steal email addresses, passwords and security question answers from users of its Origin digital distribution platform, Mutton said.