Modernizing Authentication — What It Takes to Transform Secure Access
The server was previously used to host a calendar based on WebCalendar 1.2.0 from September 2008 that contains several vulnerabilities, one of which was likely leveraged to compromise the server.
The well-designed phishing site asks for the victim's Apple ID and password. Once that's submitted, a second page goes much further, asking for the victim's full name, credit card number, expiration date, verification code, birthdate, phone number, mother's maiden name and more.
If the victim enters the requested data on the second page, he or she is then redirected to the actual Apple Web site.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
"[T]he hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server," notes Netcraft's Paul Mutton. "The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network."
Photo courtesy of Shutterstock.