Just 24 hours after the world learned about the dangerously convincing Google Docs phishing scam, a security company revealed a very similar exploit involving the Apple ID log-in screen. And, weirdly enough, it's hosted on EA's website.
Netcraft explained the scam on its blog on Wednesday. It begins with a legitimate EA.com URL that redirects to what appears to be a legitimate Apple ID log-in screen. But it's not. Once you enter those details, you're taken to a second screen that asks for a host of personal details, including your full name, credit card number (and verification code), date of birth—even your mother's maiden name! When you click okay on that screen, you're redirected to the actual Apple ID home page.
It's unclear exactly how the hackers behind the phishing scheme are sending people to the EA domain and fake Apple ID log-in page, but it's easy to imagine it being couched in some email about an Apple offer, maybe even something related to EA's many iPhone games. EA, of course, is investigating the situation and claims it has already fixed the vulnerability that allowed the phishing page to be set up in the first place.
Needless to say, you should be very careful about logging in. There's been an uptick in sophisticated phishing attacks lately, and it's obvious that the classic check-the-URL trick doesn't work as well as it used to. If in doubt, you should always go directly to the website and navigate to the page you want to visit, or simply type the address into the URL bar to avoid any sneaky redirects. Common sense can't hurt, either. [Netcraft]
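A defender-side check for the redirect pattern described above, written as an added example (not code from the Netcraft post or from EA): it walks a constructed redirect chain and flags when a link that starts on a trusted domain lands on a log-in page whose domain is not the brand's own. Every hostname after ea.com, and the `registrable_domain` heuristic, are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample: the hops a mail gateway or analyst would record when
# following the kind of link the article describes. Only the first domain is
# real; the fake log-in host is a placeholder, not the actual phishing site.
SAMPLE_CHAIN = [
    "https://www.ea.com/landing",                        # legitimate-looking start
    "https://www.ea.com/out?u=apple-id-verify.example",  # redirector on the trusted site
    "http://apple-id-verify.example/account/login",      # placeholder fake Apple ID page
]


def registrable_domain(host):
    """Last two DNS labels; assumption: good enough here without a public-suffix list."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "")


def analyse_chain(chain, brand_domain):
    """Report on a redirect chain that ends on a log-in page presenting itself
    as `brand_domain` (e.g. 'apple.com'). The verdict is 'suspicious' when the
    landing domain is not the brand's, regardless of how trusted the start was."""
    hops = [urlparse(u) for u in chain]
    domains = [registrable_domain(h.hostname) for h in hops]
    findings = []
    for i in range(1, len(hops)):
        if domains[i] != domains[i - 1]:
            findings.append(f"hop {i}: {domains[i - 1]} -> {domains[i]}")
        if hops[i - 1].scheme == "https" and hops[i].scheme == "http":
            findings.append(f"hop {i}: https downgraded to http")
    landing = domains[-1]
    brand_mismatch = landing != brand_domain.lower()
    return {
        "start_domain": domains[0],
        "landing_domain": landing,
        "left_start_domain": landing != domains[0],
        "brand_mismatch": brand_mismatch,
        "findings": findings,
        "verdict": "suspicious" if brand_mismatch else "ok",
    }


if __name__ == "__main__":
    report = analyse_chain(SAMPLE_CHAIN, "apple.com")
    for line in report["findings"]:
        print(line)
    print("verdict:", report["verdict"])
```

The point of the check is that the first hop being a trusted domain says nothing about where the form will post; only the domain of the page that actually asks for credentials matters.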
The Fake Apple ID Page
The Real Apple ID Page