Israeli security firms Check Point and CyberInt teamed up this week to find, exploit and demonstrate a nasty security hole that allows attackers to hijack player accounts in EA / Origin's online games. The exploit chains several classic attack types – phishing, session hijacking, and cross-site scripting – but the flaw that makes the whole attack work is poorly maintained DNS.
If you have a reasonable eye for infosec, most of the video speaks for itself. The attacker phishes the victim over WhatsApp into clicking a dubious link; the victim clicks the shiny link and is compromised. The stolen credentials are then used to take over the victim's account.
What makes this attack different – and far more dangerous – is the attacker's control of a website hosted on a valid, working subdomain of ea.com. Without a real subdomain, the victim would have had to log in to a fake EA portal and hand over a password, which would have greatly increased the chance of the victim noticing the fraud. The working subdomain let the attacker capture the authentication token from an existing, active login session and exploit it directly, in real time.
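The reason a real subdomain is so valuable to the attacker is cookie scope: a session cookie issued with a `Domain` attribute set to the apex (for example `Domain=.ea.com`) is sent by the browser to every subdomain, including one that has been taken over, whereas a cookie with no `Domain` attribute is host-only and is sent only back to the host that set it. The following added example (not code from Check Point, CyberInt or EA) audits `Set-Cookie` headers for that exposure; the domain `example.com` and the header lines are constructed stand-ins.

```python
"""Classify Set-Cookie headers by how widely the browser will send the cookie.

Added example, not code from the article's researchers or from EA. The apex
domain and the header lines below are constructed sample data.
"""
from http.cookies import SimpleCookie
from typing import List, Tuple

APEX = "example.com"  # constructed; stands in for the real apex domain

# Constructed sample responses from an imaginary login endpoint.
SAMPLE_HEADERS = [
    "sid=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
    "__Host-sid=def456; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
]


def cookie_exposure(set_cookie: str, apex: str = APEX) -> Tuple[str, str]:
    """Return (cookie name, verdict) for one Set-Cookie header value.

    A Domain attribute equal to the apex makes the cookie visible to every
    subdomain, including a hijacked one. No Domain attribute means host-only.
    The __Host- prefix additionally tells the browser to reject the cookie
    unless it is Secure, has Path=/ and carries no Domain attribute, which
    also stops a rogue subdomain from injecting a cookie under that name.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lstrip(".").lower()
    if domain == apex.lower():
        return name, "shared-with-all-subdomains"
    if (name.startswith("__Host-") and not domain
            and morsel["secure"] and morsel["path"] == "/"):
        return name, "host-only-prefixed"
    if not domain:
        return name, "host-only"
    return name, f"scoped-to-{domain}"


def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Classify every header; session cookies should never come back
    'shared-with-all-subdomains' on a domain with many delegated subdomains."""
    return [cookie_exposure(h) for h in headers]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name:12s} {verdict}")
```

Run it against the headers your own login endpoint returns; the first sample line is the pattern that lets a taken-over subdomain read a live session token, the second is the hardened form.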
Speaking today with Alex Peleg of CyberInt and Oded Vanunu of Check Point on a conference call, what I really wanted to know was
An attacker watching the company may notice that a new subdomain has been set up (for a marketing campaign, say) and use the dig tool to see where it is hosted. If the subdomain is a CNAME pointing at a cloud provider's internal DNS name, the attacker simply waits for the marketing campaign to finish. Once the campaign's URLs no longer work, the attacker digs the subdomain again; if the original CNAME is still intact, they are in business. Next, the attacker opens a separate account with the same cloud provider and requests the very in-provider DNS name the campaign originally used.
At this point the original CNAME points to the attacker's site rather than to one controlled by the actual company. Equipped with a working subdomain of the company's real domain, the attacker can capture (and set) cookies for the company's users, which allows immediate attacks on anyone who uses the company's services.
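The defender's counterpart to the procedure just described is a routine audit of the zone for dangling CNAMEs: records whose target no longer resolves (NXDOMAIN) and sits under a provider namespace where any customer can register that name. The following added example (not code from Check Point, CyberInt or EA) implements that check over a constructed sample zone and constructed resolver answers; the domain `example.com` and the provider suffixes are placeholders, and `live_resolve` shows how to plug in the system resolver for a real export.

```python
"""Audit a DNS zone for dangling CNAME records (subdomain takeover risk).

Added example, not code from the article's researchers or from EA. The zone,
the resolver answers and the provider suffixes are constructed sample data.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample zone: owner name -> CNAME target. In practice, export
# this from the DNS provider's API or a zone transfer you are authorised for.
SAMPLE_ZONE: Dict[str, str] = {
    "promo-2018.example.com.": "ea-promo-site.cloud-provider.example.",
    "store.example.com.": "store-prod.cloud-provider.example.",
    "blog.example.com.": "blog.legacy-host.example.",
    "old.example.com.": "retired.onprem-host.example.",
    "www.example.com.": "edge.cdn-provider.example.",
}

# Constructed resolver answers: None stands for NXDOMAIN, i.e. nobody
# currently holds that provider-side name.
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "ea-promo-site.cloud-provider.example.": None,
    "store-prod.cloud-provider.example.": "203.0.113.10",
    "blog.legacy-host.example.": "198.51.100.7",
    "retired.onprem-host.example.": None,
    "edge.cdn-provider.example.": "203.0.113.55",
}

# Hypothetical provider namespaces in which any customer may claim an unused
# hostname. Maintain this list from your own cloud inventory.
CLAIMABLE_SUFFIXES = (".cloud-provider.example.", ".cdn-provider.example.")


@dataclass
class Finding:
    name: str
    target: str
    reason: str


def is_claimable(target: str) -> bool:
    """True if the target lives under a shared, customer-claimable namespace."""
    return target.lower().endswith(CLAIMABLE_SUFFIXES)


def audit_zone(zone: Dict[str, str],
               resolve: Callable[[str], Optional[str]]) -> List[Finding]:
    """Resolve every CNAME target; flag the takeover condition and weaker cases.

    'dangling' = target does not resolve AND sits in a claimable namespace:
    this is exactly the state the attacker in the article waited for.
    """
    findings: List[Finding] = []
    for name, target in sorted(zone.items()):
        if resolve(target) is not None:
            continue  # target still answers; nothing to claim
        if is_claimable(target):
            findings.append(Finding(name, target,
                                    "dangling: NXDOMAIN target in claimable namespace"))
        else:
            findings.append(Finding(name, target,
                                    "NXDOMAIN target (stale record, review and remove)"))
    return findings


def live_resolve(target: str) -> Optional[str]:
    """Resolve with the system resolver; None on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname(target.rstrip("."))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, SAMPLE_ANSWERS.get):
        print(f"{f.name:28s} -> {f.target:40s} {f.reason}")
```

Run the audit on a schedule and treat any "dangling" finding as a break-glass item: deleting the CNAME closes the window before anyone else can register the provider-side name. The stale-but-unclaimable case is lower severity, but it is the same hygiene failure the article describes.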
In this case, Alex and Oded launched a phishing attack over WhatsApp, but a more enterprising attacker could instead have run a watering-hole attack. Imagine a serious attacker buying HTML-enabled ads from a banner network aimed specifically at EA gamers. The ad could open an invisible iframe on the hijacked subdomain, and such an iframe could automatically retrieve the authentication tokens of every logged-in player without the user doing anything at all.
There are countless possibilities.
According to Alex and Oded, the kind of oversight on display here at EA / Origin is depressingly common in big companies. DevOps teams don't talk to infosec teams, nor to the more traditional operations teams that manage core services such as company-wide DNS, and things fall through the cracks. The researchers – and their companies – hope that public demonstrations like this will wake up big companies, break down silos, and ultimately make end-user accounts less vulnerable to hijacking.
Listing image by Yosa Buson