
Security firms demonstrate subdomain hijack exploit vs. EA/Origin

by Jim Salter, Ars Technica

Israeli security firms Check Point and CyberInt partnered up this week to find, exploit, and demonstrate a nasty security flaw that allows attackers to hijack player accounts in EA/Origin's online games. The exploit chains together several classic types of attacks (phishing, session hijacking, and cross-site scripting), but the key flaw that makes the entire attack work is poorly maintained DNS.

This short video clip walks you through the entire process: phish a victim, steal their account token, access their account, and even buy in-game stuff with their saved credit card. (You might want to mute before you press play: the background music is loud and obnoxious.)

If you have a reasonably good eye for infosec, most of the video speaks for itself. The attacker phishes a victim over WhatsApp into clicking a dodgy link, the victim clicks the shiny and gets owned, and the stolen credentials are used to wreak havoc on the victim's account.

What makes this attack different, and considerably more dangerous, is the attacker's possession of a site hosted at a valid, working subdomain of ea.com. Without a real subdomain in their possession, the attack would have required the victim to log in to a fake EA portal to allow the attacker to harvest a password. This would have immensely increased the likelihood of the victim becoming alert to a scam. With the working subdomain, the attacker was able to harvest the authentication token from an existing active EA session before exploiting it directly and in real time.
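The root cause above is a subdomain whose DNS record still points at something the organization no longer controls. As an added example (not code from the article, Check Point, CyberInt or EA), here is the kind of audit a zone owner can run over their own records to flag dangling CNAME chains before someone else claims the target; the zone and the public-DNS answers are constructed stand-ins so it runs offline, and the `resolve` callback is where a real resolver would plug in.

```python
"""Dangling-CNAME audit a DNS owner can run over their own zone (defensive check)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone (name -> record type, target). Not real EA/Origin data.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com":    ("A", "192.0.2.10"),
    "shop.example.com":   ("CNAME", "shop-lb.example.net"),
    "legacy.example.com": ("CNAME", "old-tenant.hosting-provider.example"),
    "loop-a.example.com": ("CNAME", "loop-b.example.com"),
    "loop-b.example.com": ("CNAME", "loop-a.example.com"),
}

# Constructed stand-in for public DNS answers about the CNAME targets above.
# None models NXDOMAIN: the target was decommissioned, but the zone still points
# at it, so whoever can claim that name at the provider answers for the subdomain.
PUBLIC_DNS: Dict[str, Optional[Tuple[str, str]]] = {
    "shop-lb.example.net": ("A", "198.51.100.7"),
    "old-tenant.hosting-provider.example": None,
}

Resolver = Callable[[str], Optional[Tuple[str, str]]]

def table_resolver(name: str) -> Optional[Tuple[str, str]]:
    """Answer from the zone first, then from the constructed public view."""
    return SAMPLE_ZONE.get(name) or PUBLIC_DNS.get(name)

def classify(name: str, resolve: Resolver = table_resolver, max_depth: int = 8) -> str:
    """Walk the CNAME chain from `name` and report where it ends:
    "ok" (an address record), "dangling" (NXDOMAIN), "loop" or "too-deep"."""
    seen: List[str] = []
    current = name
    while len(seen) < max_depth:
        if current in seen:
            return "loop"
        seen.append(current)
        answer = resolve(current)
        if answer is None:
            return "dangling"
        rtype, target = answer
        if rtype != "CNAME":
            return "ok"
        current = target
    return "too-deep"

def audit(zone: Dict[str, Tuple[str, str]], resolve: Resolver = table_resolver) -> Dict[str, str]:
    """Return only the names a zone owner must act on (every state except "ok")."""
    findings = {name: classify(name, resolve) for name in zone}
    return {name: state for name, state in findings.items() if state != "ok"}
```

A record flagged "dangling" should be deleted or re-pointed at something the organization controls; a loop or over-deep chain is a configuration error worth fixing in the same pass.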

