Security firms demonstrate subdomain hijack exploit vs. EA/Origin

Israeli security firms Check Point and CyberInt partnered up this week to find, exploit, and demonstrate a nasty security flaw that allows attackers to hijack player accounts in EA/Origin's online games. The exploit chains together several classic types of attacks—phishing, session hijacking, and cross-site scripting—but the key flaw that makes the entire attack work is poorly maintained DNS.

This short video clip walks you through the entire process: phish a victim, steal their account token, access their account, and even buy in-game stuff with their saved credit card. (You might want to mute before you press play—the background music is loud and obnoxious.)

If you have a reasonably good eye for infosec, most of the video speaks for itself. The attacker phishes a victim over WhatsApp into clicking a dodgy link, the victim clicks the shiny and gets owned, and the stolen credentials are used to wreak havoc on the victim's account.
What makes this attack different—and considerably more dangerous—is the attacker's possession of a site hosted at a valid, working subdomain of ea.com. Without a real subdomain in their possession, the attack would have required the victim to log in to a fake EA portal to allow the attacker to harvest a password. This would have immensely increased the likelihood of the victim becoming alert to a scam. With the working subdomain, the attacker was able to harvest the authentication token from an existing active EA session before exploiting it directly and in real time.
Read 6 remaining paragraphs | Comments