When I spoke to CyberInt's Alex Peleg and Check Point's Oded Vanunu in a conference call today, that was really all I wanted to know—how'd you guys get control of that EA subdomain in the first place? According to the two researchers, it's a pretty common screwup. A big company starts a new marketing campaign, sets up a devops team to do the coding work necessary, and gives the team a new subdomain—like eaplayinvite.ea.com—to run the campaign on. The devops team spins up new instances on AWS, Google Cloud, or a similar provider, then uses a CNAME record to connect the company subdomain to a provider-internal A record at the host. When the marketing campaign is over, the AWS or other cloud instance gets shut down... but nobody tells the team managing the company's main domain to get rid of the CNAME record. That's where things go sideways.
Enlarge / You can use the DNS command-line tool dig to find out all sorts of interesting things about an FQDN.
Jim Salter
An attacker interested in the company can see that it launched a new subdomain and then use the tool dig to see how it's hosted. If the attacker sees that the company has used a CNAME record to redirect to a cloud provider's internal DNS, the next step is to wait for the marketing campaign to complete and the URLs involved in the campaign to stop working. Now we dig the subdomain name again—if the original CNAME is intact, we're in business. Next, the attacker uses an account of their own at the same cloud provider and requests the same provider-internal DNS name originally used by the campaign.
At this point, the original CNAME is now pointing to the attacker's website, not one controlled by the actual company. Armed with a working subdomain of the company's real domain, cookies belonging to the company's users can be captured (and embedded!). This makes instant attacks versus victims using that company's services possible.