Hackers were able to compromise a server belonging to Electronic Arts Games this week and rig one of its websites to resemble an Apple log-in page to dole out phishing attacks.
U.K.-based security firm Netcraft discovered the hacked site on Tuesday and informed EA, which blocked it on Wednesday.
Researchers with the firm speculate that a vulnerability in an outdated version of the PHP app WebCalendar, which was also being hosted on the same server, was used as an attack vector. That vulnerability allows attackers to modify settings and execute arbitrary code in the 2008 version (1.2.0) of the calendar.
“In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server,” Paul Mutton, a security tester with the firm wrote Wednesday.
From there, the attacker could view the calendar’s contents, its source code and any other data on the server.
The fact that the calendar app was outdated naturally made EA’s system a target.
“The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.”
Victims who stumbled across the site were encouraged to input their Apple ID and password, then their full name, credit card number, its expiration date, verification code, date of birth and so on. Only after entering all their information the victim was then sent to a legitimate Apple website, https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/.
BitSight, a Cambridge, Mass.-based security rating service, claims that EA’s system has faced multiple compromises for up to a year. The service’s CTO purports seeing multiple servers associated with EA under control throughout 2013.
“Likely under the control of an external adversary, these machines were used to communicate with botnet command and control servers, distribute malware, and participate in DDoS attacks,” Stephen Boyer, the firm’s co-founder and CTO said Thursday.
As it is this is the second problem for EA during the past week. Netcraft also acknowledges in its write up that a phishing site aiming to extort users of the company’s Origin platform surfaced online a week ago. That site, while not hosted on an EA server, is still trying to glean EA users’ credentials, including “email addresses, passwords and security question answers.”
While EA has allegedly blocked the Apple phishing site, it’s unclear if it’s aware of the Origin phishing site. Email inquiries to the company were not immediately returned on Thursday.
Additional vulnerabilities in EA’s Origin platform were identified around this time last year as well. Researchers with ReVuln, Luigi Auriemma and Donato Ferrante, published a paper last March in which they discussed how easy it could be to remotely run malicious code on users’ machines through Origin and one of the company’s games, Crysis 3.