Security firms Check Point and CyberInt show how to take over accounts from EA Origin through a range of techniques. Among other things, they managed to use a subdomain of ea.com, which makes it easier to lure targets into the trap.
In their proof-of-concept for taking over an Origin account, Check Point and CyberInt chained several commonly used methods, such as phishing, session hijacking and cross-site scripting. The video shows how they entice a target to click on a link via WhatsApp, with the promise of a week of free Origin Access Basic.
Usually this is a weak point in an attack, because the person being targeted can see that the link does not lead to an EA URL but to a look-alike domain. However, the security companies managed to lure victims to an actual EA subdomain: eaplayinvite.ea.com.
They managed to hijack the subdomain by analyzing a type of DNS record, the CNAME record. Developers use a CNAME record, or Canonical Name record, to point a subdomain at the domain where the content is actually hosted. In EA's case, that could be the name of a marketing campaign that appears in the URL, with the subdomain pointing to a location at, for example, hosting provider AWS.
Using the dig tool, Check Point and CyberInt could see through the CNAME record where eaplayinvite.ea.com was hosted. When that marketing campaign was over, they could register the underlying AWS resource themselves. At the hosting provider they then hosted a malicious site in that spot, to which eaplayinvite.ea.com still pointed. They also managed to intercept EA cookies from users and obtain authentication tokens.
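The defensive counterpart of what the two paragraphs above describe is a periodic audit of your own zone for CNAME records whose target no longer exists. The script below is an added example written for this article; it is not Check Point's, CyberInt's or EA's code. It follows each subdomain's CNAME chain and reports chains that end in a non-existent name (a "dangling" CNAME, the precondition for the takeover described above), plus CNAME loops. The zone snapshot, the hostnames under example.com and the AWS-style target name in it are constructed test data; the `dig_lookup` resolver assumes the `dig` binary is installed and is only there for running the same audit against live DNS.

```python
"""Dangling-CNAME audit (added example, not from the original article)."""
import subprocess
from typing import Callable, Dict, List

# Constructed DNS snapshot standing in for `dig` answers. Keys are fully
# qualified names; an empty dict means the name does not exist (NXDOMAIN).
# The campaign bucket name below is made up for the example.
ZONE_SNAPSHOT: Dict[str, Dict[str, object]] = {
    "eaplayinvite.example.com.": {"CNAME": "campaign-2019.s3-website-us-east-1.amazonaws.com."},
    "campaign-2019.s3-website-us-east-1.amazonaws.com.": {},  # bucket deleted after the campaign
    "www.example.com.": {"CNAME": "d1234.cloudfront.net."},
    "d1234.cloudfront.net.": {"A": ["203.0.113.10"]},
    "mail.example.com.": {"A": ["203.0.113.25"]},
    "loop-a.example.com.": {"CNAME": "loop-b.example.com."},
    "loop-b.example.com.": {"CNAME": "loop-a.example.com."},
}

# A lookup takes an FQDN and returns {"CNAME": target} or {"A": [addrs]} or {}.
Lookup = Callable[[str], Dict[str, object]]


def snapshot_lookup(name: str) -> Dict[str, object]:
    """Resolver backed by the constructed snapshot above."""
    return ZONE_SNAPSHOT.get(name, {})


def dig_lookup(name: str) -> Dict[str, object]:
    """Resolver backed by the real `dig` binary (assumption: dig is on PATH)."""
    def short(rtype: str) -> List[str]:
        out = subprocess.run(["dig", "+short", rtype, name],
                             capture_output=True, text=True, timeout=10)
        return [line.strip() for line in out.stdout.splitlines() if line.strip()]

    cname = short("CNAME")
    if cname:
        return {"CNAME": cname[0]}
    addrs = short("A") + short("AAAA")
    return {"A": addrs} if addrs else {}


def classify(host: str, lookup: Lookup, max_hops: int = 8) -> Dict[str, object]:
    """Follow the CNAME chain from `host` and report where it ends.

    status: "ok"       -> chain ends in an address
            "dangling" -> at least one CNAME, and the final target does not exist
            "nxdomain" -> the host itself has no records (nothing to take over)
            "loop"     -> CNAME loop or chain longer than max_hops
    """
    chain: List[str] = []
    seen = set()
    current = host if host.endswith(".") else host + "."
    while True:
        if current in seen or len(chain) > max_hops:
            return {"host": host, "chain": chain, "status": "loop"}
        seen.add(current)
        records = lookup(current)
        target = records.get("CNAME")
        if target is None:
            if records.get("A"):
                status = "ok"
            elif chain:
                status = "dangling"  # last CNAME target no longer resolves
            else:
                status = "nxdomain"
            return {"host": host, "chain": chain, "status": status}
        chain.append(str(target))
        current = str(target)


def audit(hosts: List[str], lookup: Lookup) -> List[Dict[str, object]]:
    """Return only the findings that need attention (everything except 'ok')."""
    return [r for r in (classify(h, lookup) for h in hosts) if r["status"] != "ok"]


if __name__ == "__main__":
    subdomains = ["eaplayinvite.example.com", "www.example.com", "mail.example.com",
                  "loop-a.example.com", "nothere.example.com"]
    for finding in audit(subdomains, snapshot_lookup):
        print(finding["status"], finding["host"], "->", " -> ".join(finding["chain"]))
```

A "dangling" result is a candidate, not a confirmed exposure: whether an unclaimed target can actually be registered by a third party depends on the hosting provider, so each finding should be checked against the provider's rules and the record removed or re-pointed when the campaign or resource is gone. Run `audit` against `dig_lookup` with the list of your own subdomains, and keep the list complete by feeding it from the zone file rather than from memory.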
Check Point and CyberInt tell Ars Technica that subdomains of large companies can often be hijacked in this way, because devops development teams do not always communicate well with security teams. CyberInt has an online tool that allows companies to check whether they are vulnerable.