March 20th 2014
Visitors to Electronic Arts' website yesterday were greeted with a fake login screen on ea.com that asked them to enter their Apple ID. One of EA's servers had been hacked, with cybercriminals exploiting a vulnerability on it to host the page.
Security research firm Netcraft says that the compromised server was used by two websites in the ea.com domain ordinarily used to host an online calendar.
After submitting their Apple ID and password, users were presented with another form requesting their full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name and other details – all of which could be used to commit fraud. Once these details were submitted, victims were redirected to the authentic Apple ID website. The implications for victims are that the hackers can access a mass of personal data stored on iCloud, including email, contacts, calendars and photos. The credentials could also be used to clone an iOS device (iPhone, iPad or iPod) by restoring an iCloud backup to a device in the attackers' possession. Google, Twitter, Facebook and other accounts used for password recovery could also be compromised.
Our advice is to be sure not to enter your Apple ID credentials anywhere other than on Apple's own websites, the App Store, iCloud etc. If you did enter your details, change your login details immediately and contact Action Fraud on 0300 123 2040 or use their online fraud reporting tool.
In a news item on CNET's website, US freelance journalist Dara Kerr also recommends: "… protect your Apple ID by adding two-step verification. This requires that a person needs something in addition to your Apple ID and password (typically a code sent to your phone via SMS) to access your account. More information can be found in the Apple knowledgebase article: Frequently asked questions about two-step verification for Apple ID."
According to EA, the Apple ID phishing page was removed yesterday afternoon, but it is not known how many unsuspecting users were victimised.