Sony PlayStation site victim of SQL-injection attack

Early Wednesday, antivirus vendor Sophos reported that some visitors to the Sony PlayStation site may have been prompted to download an antivirus scanner.

Pages promoting the PlayStation games SingStar Pop and God of War contained SQL-injected code. Visitors to those specific game pages would see a fake antivirus scan , then a message that their computer was infected with different viruses and Trojan horses. Warned, the user would then be asked to purchase the scanner to remove the bogus malware.

The injected code linking to the scanner has since been removed.

Sophos said the attack could have downloaded malicious payloads, but did not.

Security researcher Dancho Danchev said in his ZDNet blog that Sony wasn't alone. It was one of 794 domains hit in the latest automated SQL-injection campaign using a multilayer fast-flux superstructure built around coldwop.com. Over the last 90 days, Google reports that 794 domains have been infected with code pointing to that domain. These are legitimate sites with vulnerabilities that allow criminal hackers to inject code pointing to their servers.

With fast-flux, a registered domain name stays the same while its node changes frequently, presumably thwarting any attempts to shut down the server hosting malicious content.

Danchev concludes: "If you don't take care of your Web application vulnerabilities, someone else will."

[Chameleon81]

what a shame for sony !

[RompStar_420]

SQL injection happened to a lot of Companies, Microsoft as well, not just SONY, but live and learn adapt, and make sure things are backup well.

[jimkii]

Again we have people who don't understand the basics of web site security. You don't use SQL that can be injected. You use stored procedures (that do NOT generate dynamic SQL commands) or you use commands with bind variables. You don't try to write "filters" to get around this it is much simpler and more performant to use bind variables. (prepared statements in Java) ALL the major database vendors give this advice. (MS, Oracle, IBM etc.) Sony should be hiring competent people.

[birdpiercefan3334]

This has been happening all too often.

[umbrae]

As a web developer, SQL injection is 100% preventable and is the result of bad coding techniques. Its very easy to protect against, so this shows that Sony cared little about protecting their customers. In fact, I would question whether this breach was intentional; afterall, Sony knowing distributed Root Kits to users. Why not assume this was some other attempt to install software without a users knowledge?