The cybercriminals probably exploited vulnerable software to breach the server

Mar 19, 2014 11:49 GMT  ·  By

Apple phishing scams are not uncommon, but phishing pages hosted on the website of a major company are certainly worth looking at. Experts have found a phishing page hosted on a compromised server belonging to Electronic Arts (EA), the world-renowned American video games company.

Experts from Netcraft report that the attackers have hacked into a server that hosts two websites on the ea.com domain.

The server in question hosts a calendar based on WebCalendar 1.2.0. This is an old version of the software (2008), so it’s full of vulnerabilities that could have been exploited by the hackers. For instance, the attackers could have leveraged CVE-2012-5385, which can be exploited to modify settings and possibly even execute code.

“It is likely that one of these vulnerabilities was used to compromise the server, as the phishing content is located in the same directory as the WebCalendar application,” Netcraft’s Paul Mutton noted in a blog post.

The phishing page is designed to mimic the My Apple ID login page. First, victims are instructed to enter their Apple ID and their password. Then, they’re asked to hand over their name, payment card number, expiration date, CVV, date of birth and other personal information.

Once the information is provided to the cybercriminals, victims are redirected to Apple’s genuine website, most likely in an effort to avoid raising any suspicion.

“The compromised server is hosted within EA's own network. Compromised internet-visible servers are often used as ‘stepping stones’ to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened,” Mutton explained.

“In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server,” he added.

“The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.”

The problem with phishing pages hosted on the web servers of reputable companies is that it’s less likely that they’ll be flagged. Furthermore, some users might be tricked into thinking that the pages are legit considering that they’re on a trusted domain.

In this case, the attackers could have made up a story about a collaboration between EA and Apple and that would have truly made the phish efficient.