In the aftermath of a large-scale attack on point-of-sale (POS) systems at retailer Target, new malware designed to illegally extract payment card data from the sales systems was released earlier this month.
Security researchers from cybercrime intelligence firm IntelCrawler identified a PoS RAM (random access memory) scraping program dubbed Decebal that they believe was released on Jan. 3. The release shows that cybercriminals are increasingly interested in launching this type of attack.
The malware is written in VBScript (Visual Basic Scripting Edition) in fewer than 400 lines of code. Despite looking fairly unsophisticated, it can grab track 2 data from PoS memory and contains routines to evade malware analysis tools such as antivirus sandboxes and virtual machines. Track 2 is the account number, expiry date and service code encoded on a card's magnetic stripe; it is not encrypted on the stripe, which is why it sits in the clear in the terminal's RAM between the swipe and the point where the payment application encrypts it for transmission, and why a RAM scraper can simply pattern-match for it.
The use of a scripting language to create malware is not unusual, but is highly uncommon for this particular type of threat. Andrey Komarov, CEO of IntelCrawler, said this is the first time he’s seen PoS malware written in VBScript.
Using this language provides some benefits, such as portability: the Windows Script Host interpreter has shipped with every Windows version since Windows 98, so the malware needs no separate runtime to be installed. Many PoS systems run a version of Windows Embedded.
VBScript is also commonly used by Windows system administrators to automate different tasks and can be called by other scripts and programs, which could make this particular malware inconspicuous, Komarov said.
Decebal sends the stolen card data to a command-and-control server, specifically to a single 44-line PHP script running on a Web server that sorts the information and stores it.
Various text strings found in the malware code suggest its authors are likely Romanian, the IntelCrawler researchers said in a blog post. The name chosen by its creators also points in this direction, Decebal being the Romanian name of Dacian king Decebalus, an important figure in Romanian history.
Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus firm Bitdefender, agreed with IntelCrawler’s assessment of the malware’s origins. “Most of the strings, functions and variable names are clearly Romanian words so chances are that the malware has been written by a Romanian citizen,” he said via email.
In the video, posted on YouTube on December 28, the group said that Sony had signed its own death warrant by supporting the controversial American act.
“Yet again, we have decided to destroy your network,” threatens the video.
“We will dismantle your phantom from the internet. Prepare to be extinguished. Justice will be swift, and it will be for the people, whether some like it or not.”
The post was updated with an image of a dog with a gun to its head, with the following message.
“Dear RIAA/MPAA, meet Sony. Sony is a dog. Sony is your dog.”
“Cease and desist in persuing [SIC] your ridiculous futile decade long crusades against grandmas, innovators, teenagers, and dead people. If not we will kill your dog.”
PlayStation Lifestyle reported that the #OpSony group within Anonymous has said that while Sony Computer Entertainment is a target the activists will not attack the PlayStation Network or consumers, instead focusing on Sony websites and employees.
Sony has actually withdrawn from supporting SOPA, although Sony/ATV Music Publishing, Sony Music Entertainment and Sony Music Nashville are still listed in official documents as supporters, and the ESA, of which Sony is a member, still backs the anti-piracy bill.
In April, attacks on the PlayStation Network took the service offline for over five weeks.
The offensive content was available for approximately 20 minutes before the channel was suspended for “repeated or severe violations of our Community Guidelines.” It can’t be often that Sesame Street gets that sort of ban dumped on it. Although we always suspected that Big Bird’s career would slide and he would end up doing porn. Aside from uploading pornographic videos, the hackers also changed the Sesame Street channel profile on YouTube:
WHO DOESN’T LOVE PORN KIDS? RIGHT! EVERYONE LOVES IT! IM MREDXWX AND MY PARTNER MRSUICIDER91 ARE HERE TO BRING YOU MANY NICE CONTENT! PLEASE DON’T LET SESAME STREET TO GET THIS ACCOUNT BACK KIDS PLEASE…LET ME AND MRSUICIDER91 HAVE IT AND WE GONNA MAKE ALL THE AMERICA HAPPY!
“Mr Edxwx” has uploaded a video denying any involvement in the hack.
Graham Cluley, senior technology consultant at Sophos, said the hack is bad news for YouTube. “The truth of the matter is that the channel is regularly visited by young children, and parents trust that the page will be safe for them to view,” he said. “Attacks like this prove that websites with particularly vulnerable audiences need to be monitored regularly, and protected with the highest possible security controls. In addition, parents need to be extra vigilant about keeping an eye on the websites their children are visiting – and remember that even the seemingly most innocent websites can be compromised,” Cluley added.
Whoever did this is a SICK BASTARD…
Sony has locked down 93,000 accounts on its Playstation Network (PSN), Sony Entertainment Network (SEN) and Sony Online Entertainment (SOE) service after they were compromised during a recent brute force attack.
The incident was announced by Sony’s chief information security officer Philip Reitinger, who explained that the company detected an attempt to test a massive number of credentials against its user database.
Because the attack had a very small success rate, Sony believes that the sets of usernames and passwords were stolen from other companies and were just being checked for validity on its own services.
“Given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks,” Reitinger explained.
It’s not clear how the attack was executed, since live authentication systems usually throttle or lock out repeated login attempts from the same IP address over short periods. That is why classic brute-force attacks are usually run offline against stolen copies of a password database rather than against the live service. What Sony describes is better termed credential stuffing: username/password pairs leaked from other sites are replayed once each against the target, and per-IP throttling does little against that when the attempts are spread across many addresses.
Botnets can be used to spread the attempts across many addresses and so stay under per-IP limits, but given that the attackers managed to validate 93,000 accounts despite a poor success rate, either the botnet was huge or Sony’s systems lacked proper protections.
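The two detection views described above (per source address, and across the whole login stream) can be made concrete. The following is an added example, not Sony's code; the log lines are constructed for the example in a made-up `<epoch> <ip> <username> <ok|fail>` format, with one run from a single host, one run spread one attempt per address across six hosts, and a legitimate user retrying a mistyped password.

```python
"""Detecting a credential-stuffing run in authentication logs.

Per-IP login throttling stops a single host from guessing one account's
password, but it does not stop an attacker who tests one stolen
username/password pair per account from many addresses.  This aggregates
constructed sample log lines in two ways: per source IP (catches an
un-distributed run) and per time window across all IPs (catches the
distributed one through the failure ratio and the one-attempt-per-account
shape).
"""
from collections import defaultdict

# Constructed sample lines, format: "<epoch> <ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1000 203.0.113.10 alice fail
1001 203.0.113.10 bob fail
1002 203.0.113.10 carol fail
1003 203.0.113.10 dave ok
1004 203.0.113.10 erin fail
1005 203.0.113.10 frank fail
1006 203.0.113.10 grace fail
1030 198.51.100.1 heidi fail
1031 198.51.100.2 ivan fail
1032 198.51.100.3 judy ok
1033 198.51.100.4 mallory fail
1034 198.51.100.5 niaj fail
1035 198.51.100.6 olivia fail
1100 192.0.2.44 peggy fail
1101 192.0.2.44 peggy fail
1102 192.0.2.44 peggy ok
"""


def parse(log: str) -> list[tuple[int, str, str, bool]]:
    """Split each line into (timestamp, ip, user, success)."""
    rows = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        rows.append((int(ts), ip, user, result == "ok"))
    return rows


def suspicious_ips(rows, min_users: int = 5, max_success_rate: float = 0.25) -> dict:
    """Flag IPs that try many distinct accounts with mostly failures.

    A legitimate user mistyping hits one or two accounts; a stuffing run
    from one host walks a list of victims."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, ip, user, ok in rows:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += ok
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"],
                           "success_rate": round(rate, 2)}
    return flagged


def distributed_spray(rows, window: int = 60, min_attempts: int = 5,
                      max_success_rate: float = 0.25) -> list[dict]:
    """Per-IP limits miss one-attempt-per-IP runs; look at the whole stream.

    Within each time window, alert when nearly every attempt targets a
    different account and most of them fail.  Normal traffic has repeated
    users (retries) and a high success rate, so it does not match."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in rows:
        buckets[ts // window].append((ip, user, ok))
    alerts = []
    for b, events in sorted(buckets.items()):
        attempts = len(events)
        if attempts < min_attempts:
            continue
        users = {u for _, u, _ in events}
        ips = {i for i, _, _ in events}
        rate = sum(ok for _, _, ok in events) / attempts
        if len(users) >= 0.9 * attempts and rate <= max_success_rate:
            alerts.append({"window_start": b * window, "attempts": attempts,
                           "distinct_users": len(users), "distinct_ips": len(ips),
                           "success_rate": round(rate, 2)})
    return alerts


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("per-IP:", suspicious_ips(rows))
    print("windows:", distributed_spray(rows))
```

On the sample data the per-IP view flags only 203.0.113.10; the six-address run slips through it entirely, because each address made exactly one attempt, and is only caught by the windowed view, where 6 attempts against 6 different accounts with a 17% success rate stands out. That gap is the point of the paragraph above: a defence that keys on the source address is defeated by distribution, so the success ratio and account spread need to be watched in aggregate as well.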
According to Reitinger, 60,000 of the affected accounts are from the PSN and SEN networks, while the other 33,000 are on SOE. All of them have been locked down and are being reviewed for unauthorized access.
In order to regain control over the accounts, their legitimate owners will need to change their passwords. The company will notify those affected via email and will instruct them on how to proceed.
“Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet,” Reitinger said.
The company advises users to choose username and password combinations that are not associated with other web sites and are hard to guess. Users should also review all their online accounts for suspicious activity on a regular basis.
Sony has hired a former US Department of Homeland Security and Department of Defence official to fill its primary security post after a series of large scale attacks on its gaming networks by hackers earlier this year.
The position of chief information security officer and senior vice president will be filled by Philip Reitinger, who previously worked as director of the US National Cybersecurity Center and executive director of the US Department of Defense Cyber Crime Center, which gives him plenty of experience with cybercrime.
Reitinger will report to Nicole Seligman, executive vice president and general counsel for Sony US, suggesting that the appointment will not just be about bumping up security, but will also involve tracking down some of the people behind this year’s attacks.
Reitinger has also previously worked for Microsoft as chief security strategist, so he also has experience working with top technology firms.
“Certainly the network issue was a catalyst for the appointment,” said a Sony spokesperson, according to Reuters. “We are looking to bolster our network security even further.”
The attacks against Sony’s Playstation Network and Qriocity services began in April, exposing over 100 million user accounts; Sony said credit card details may also have been taken but found no evidence that they were. The networks were taken offline for a number of weeks, with full services not resuming in some regions until July. Sony’s online gaming service that runs Everquest and Star Wars Galaxies was also attacked.
At the time Sony vowed to involve law enforcement, but so far there has been little success in finding and prosecuting the people responsible for the attacks. Perhaps hiring Reitinger will help. If not, he might at least be able to help improve security to prevent another costly hacking incident.
Sony has revealed that the financial losses caused by the cyber attacks in April are less than originally predicted.
In its official presentation of its Q1 earnings, executive vice president and chief financial officer Masaru Kato revealed that “the [total] cost may be smaller than the original cost estimate.”
In May Sony predicted that the attacks would cost $171.2 million by the end of the 2012 fiscal year.
“That was the May forecast,” said Kato. “The first quarter cost was within our expected range.”
He also revealed that user numbers are returning to the levels seen before the cyber attacks.
“Most recently, user logins to the PlayStation Network in North America have returned to a similar level as before the cyber attacks.”
“Many customers have already returned to our service. At one point people were concerned, [but the] impact will not be as great as we originally estimated.”
Courtesy-GI.biz by Rachel Weber
It appears that another defence contractor was the target of hackers. L-3 Communications took it upon itself to warn employees that hackers were targeting L-3 using information from the SecurID token system stolen in the breach at RSA Security.
This is the second hacker target linked to the RSA breach; the other was Lockheed Martin, where an incident occurred last week. Apparently an email was sent to Wired magazine informing them that L-3 Communications was hit with penetration attacks aimed at getting information.
Unfortunately, L-3 did not give any details letting the public know whether the hackers were successful in their attack, or how L-3 determined SecurID was involved. L-3 Communications is one of the top ten federal-government contractors. The firm supplies command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to certain government agencies.
RSA, for its part, said it was the target of an “extremely sophisticated” hack in which the attackers succeeded in stealing information related to RSA’s SecurID two-factor authentication products.
It looks like all parties using SecurID authentication need to stop trusting the tokens they have, or RSA needs to reissue them. The cryptography itself is not what failed here: a one-time-password token is only as secret as the seed it was programmed with, so any token whose seed record was exposed has to be treated as compromised and replaced. RSA does not need a totally new form of cryptography so much as new seeds, and customers need to know which of their tokens are affected.
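Why a stolen seed is fatal to a token scheme, regardless of the algorithm's strength, is easiest to see in code. SecurID's own token algorithm is proprietary and is not reproduced here; the following added example uses the standard RFC 4226/6238 HOTP/TOTP construction as a stand-in, with the seed and time values taken from the RFC 6238 test vectors. The `server_verify` and `attacker_forges` functions are illustrative names, not anything from RSA's products.

```python
"""Why a stolen token seed defeats a time-based one-time-password scheme.

Standard RFC 6238 TOTP is used here as a stand-in for any seed-based
hardware token.  The server's verifier and an attacker who holds the seed
compute identical codes, so once seed records leak the remedy is to
revoke and reissue seeds, not to change the cryptography.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SEED = b"12345678901234567890"   # RFC 6238 Appendix B test seed
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // step, digits)


def server_verify(seed: bytes, candidate: str, unix_time: int,
                  skew_steps: int = 1) -> bool:
    """Server-side check accepting +/- skew_steps periods of clock drift.

    The constant-time compare avoids leaking which digits matched."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(seed, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def attacker_forges(stolen_seed: bytes, unix_time: int) -> str:
    """An attacker holding the seed record needs nothing else to make a
    code that the server will accept; no weakness in HMAC is required."""
    return totp(stolen_seed, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    forged = attacker_forges(RFC6238_SEED, now)
    print("forged code:", forged,
          "accepted by server:", server_verify(RFC6238_SEED, forged, now))
```

The attacker still needs the user's PIN or password as the other factor, which is why the L-3 and Lockheed reports describe a targeted campaign rather than mass account takeover; but the second factor, the part the token was bought to provide, contributes nothing once the seed is in the attacker's hands.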
More than 2000 users of Sony Ericsson’s Canadian Website are affected by the latest hack to hit a battle-worn Sony. Sony Ericsson is a joint mobile phone venture between Sony and Ericsson. According to Sony, hackers made off with e-mail addresses, passwords and phone numbers, but no credit card details. Sony has now shut down the affected site. Around 1000 of the stolen records from the Sony Canadian Website are already online, posted by Idahc, a “Lebanese grey-hat hacker”.
“Sony Ericsson’s Website in Canada, which advertises its products, has been hacked, affecting 2000 people,” a Sony spokesperson told AFP. “Their personal information was posted on a Website called The Hacker News. The information includes registered names, email addresses and encrypted passwords. But it does not include credit card information.”
“Sony Ericsson has disabled this e-commerce Website,” Sony detailed to IDG News. “We can confirm that this is a standalone website and it is not connected to Sony Ericsson servers.” For security, Sony has shut down the Canadian Sony Ericsson eShop page, which currently reads: “D’oh! The page you’re looking for has gone walkabout. Sorry.”
The news of the Canadian site attack comes just one day after Sony admitted that hackers attacked the Sony BMG Greece website on Tuesday, where details of over 8,500 people were stolen. A Sony Music Entertainment page in Indonesia was also hacked at the weekend, but Sony believes no information was stolen there.
More than 100 million account details were stolen from Sony last month in a cyber attack on the PlayStation Network, which has returned to normal operation in the U.S. and Europe, but not in Asia, after more than a month of downtime.
Sony doesn’t know yet whether the recent incidents have any link to the attacks on the PlayStation network. Sony hopes to fully restore the PlayStation Network and Qriocity services by the end of May, but the massive data breach is expected to cost the company at least $170 million.
Security flaws seem to be an elusive beast that Sony just can’t slay: the corporation has shut down a website created to help millions of users affected by last month’s massive data breach after finding a “security hole” in it.
The site had been established to help the 77 million users of its PlayStation Network reset their passwords.
The issue, which Sony alerted customers to on its PlayStation website, marks yet another setback for the company, which has been under pressure since hackers broke into its systems in April.
Sony spokesman Dan Race said the company found the security hole on a webpage that could potentially allow the hackers who had breached personal data from users in April to access their accounts using the data they had stolen.
“If I had your email and your birth date I could have potentially got access to your account,” Race said.
In response, Sony on Wednesday temporarily took down the PlayStation Network password reset page, as well as that of its Qriocity music service. It has since fixed the issue and will bring the pages back up shortly, Race added.
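Race's remark describes the classic password-reset mistake: authenticating the reset with facts (e-mail address, date of birth) that the earlier breach had already handed to the attacker. The following added example, not Sony's code, puts a reset flow of that shape beside the usual hardened form, which proves control of the mailbox with a random, hashed, expiring, single-use token. The user record, `WeakReset`, `TokenReset` and the in-memory `outbox` standing in for mail delivery are all constructed for the example.

```python
"""Password reset: knowledge-based (weak) beside token-based (hardened).

The weak version accepts the same fields an attacker already holds from a
breach of profile data (e-mail and date of birth), so the breach hands over
the reset as well.  The hardened version sends a random token to the
mailbox, stores only its hash, expires it, and consumes it on first use.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user store; "dob" is what a breach of profile data would leak.
USERS = {
    "alice@example.com": {"dob": "1990-05-17", "password": "old-secret"},
}


class WeakReset:
    """Resets the password for anyone who knows e-mail + date of birth."""

    def __init__(self, users: dict):
        self.users = users

    def reset(self, email: str, dob: str, new_password: str) -> bool:
        u = self.users.get(email)
        if u is None or u["dob"] != dob:
            return False
        u["password"] = new_password    # attacker with breach data wins
        return True


class TokenReset:
    """Issues a token to the mailbox; only the token holder can reset."""

    TTL_SECONDS = 15 * 60

    def __init__(self, users: dict, clock=time.time):
        self.users = users
        self.clock = clock          # injectable for testing expiry
        self._pending = {}          # email -> (sha256(token), expiry)
        self.outbox = []            # stands in for the mail transport

    def request(self, email: str) -> None:
        # Respond identically whether or not the account exists, so the
        # endpoint does not reveal which e-mails have accounts.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[email] = (digest, self.clock() + self.TTL_SECONDS)
            self.outbox.append((email, token))

    def reset(self, email: str, token: str, new_password: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self._pending[email]    # stale token is dead either way
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False
        del self._pending[email]        # single use
        self.users[email]["password"] = new_password
        return True


if __name__ == "__main__":
    svc = TokenReset(USERS)
    svc.request("alice@example.com")
    email, token = svc.outbox[0]
    print("token reset accepted:", svc.reset(email, token, "new-secret"))
    print("replay accepted:", svc.reset(email, token, "again"))
```

Storing only the hash means a read of the reset table (the kind of access the April intruders evidently had) does not yield usable tokens, and the short TTL plus single use limits what a token leaked from a mailbox is worth. A real deployment would also rate-limit the `request` endpoint per account, which is omitted here.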
Sony last month disclosed that it had been a victim in one of the biggest cyber-attacks in history.
Basic services on the PlayStation Network and Qriocity services were restored for users in North America, Europe, the Middle East, Australia and New Zealand for the first time in more than three weeks, but users in Asia face a longer wait for service to resume.
Sony shut down the two online services after discovering on April 19 that its data center in San Diego had been attacked. A subsequent computer forensics investigation into the hack revealed the massive theft of personal information including user names, e-mail addresses, login IDs and passwords.
The PlayStation Network is a platform for online gaming and a channel through which Sony sells games and other content to console and handheld owners. Qriocity is an online service for Sony’s networked consumer electronics products that offers music and video content.
Service was resumed in North America late Saturday evening and in other markets on Sunday. PlayStation users are being asked to download a firmware update for the console before they can reconnect to the network. Then, upon login, users must change their password.
The only hiccup in the resumption of services came in the password reset process, which was slowed down because of the large number of e-mail messages generated by the system. Some e-mail and Internet service providers temporarily throttled messages from Sony due to the high volume resulting in short delays. Sony also halted the password reset process for 30 minutes at one stage to clear a backlog of messages.
Sony also reenabled the playback of already rented video, “Music Unlimited” online audio streaming, access to third-party services like Netflix and Hulu, PlayStation Home and friends features such as chat. Full service is expected to resume by the end of May in these markets.
Users in Asia, including Sony’s home market of Japan, are still waiting for service to be restored.
As we reported last week, hackers were planning a third attack on Sony’s network over the weekend. Insiders are now saying that Sony’s technical staff and engineers were reading the blogs and took the opportunity to secure the servers the hackers had planned to attack.
On IRC, one of the would-be hackers said Sony must have read about the attack, because the particular server they had planned to hit was either offline or had been patched.
It is being said the hackers had planned to attack an unspecified Sony Web site, with the goal of posting additional embarrassing information online.
These attacks have kept Sony’s online gaming service offline since the middle of April, and Sony plans to bring the service back up before May 31. The attacks are said to be in retaliation for Sony’s attempt to prosecute a fellow hacker. Regardless, this has pissed off many a gamer, and I do not know if this is what the hackers wanted.
Word on the street is that Sony’s PlayStation Network gaming environment may be attacked again. A user on the IRC channel used by the hackers apparently informed CNET that the perpetrators are staging another attack over the weekend. The group intends to publicize all or some of the information it is able to acquire from Sony’s network servers, which may include private customer information such as credit card numbers and addresses. The hackers are said to be able to pull this off because they still have access to some of the servers that handle the PlayStation Network.
Sony still does not have a clue who is behind what it is calling a “highly sophisticated, planned” attack, although of late it has been pointing the finger at the group known as Anonymous. Anonymous, for its part, continues to deny being the culprit. Whoever pulled off this stunt must be plenty upset with Sony if they plan to strike a third time.
Check out CNET for more information.
Apparently Sony confirmed over the weekend that the PlayStation Network will finally be up and running this week. Sony will bring the network up in a phased approach, and sources say the whole network should be up and running by the end of the month.
Sony is expected to offer what is being called a “Welcome Back” program that includes giving users free access to all of the PSN Plus service for a full month and in some cases 30 days of free access to Qriocity.
We hear that the following services will be the first to return when the PSN network is up: Online gaming for both PS3 and PSP systems, Qriocity, Account management services, PlayStation Home, Friends List, and Chat functionality.
While gamers will be happy that PSN will be up and running, this fiasco does make Sony look very bad. We also believe most users will think twice about saving their credit card data with PSN. One would have thought that a technical behemoth like Sony would have had all sides covered when it comes to preventing data theft and protecting personal information.
The two networks were taken down by the company after it discovered they had been hacked. Sony subsequently said personal information on some of its 77 million registered account holders had also been illegally accessed. It also said credit card numbers could have been stolen, but an ongoing investigation had uncovered no evidence of that so far.
On Thursday, in the latest of a series of postings to its PlayStation Blog, the company said some type of compensation is being considered.
“We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online,” the post stated.
The PlayStation Network is available at no charge to users, so the compensation, if it comes, is not likely to be monetary. A percentage of users do subscribe to the PlayStation Plus service, which offers access to beta versions of games and other perks for an annual fee.
The blog posting also said subscribers to Sony Online Entertainment’s MMO (massively multi-player online) games “DC Universe Online” and “Free Realms” would also see something from the company.
“To thank players for their patience, we will be hosting special events across our game portfolio,” the blog said. “We are also working on a ‘make good’ plan for players of the PS3 versions of DC Universe Online and Free Realms.”
The latest blog posting didn’t provide any updates as to the status of the PlayStation Network, the Qriocity service for consumer electronics devices, or an ongoing investigation into the hack.
It did say gamer trophies and game data files stored on Sony’s servers will be available once the service is back online.
It’s been almost a whole week and the PlayStation Network is still offline, and now Sony has acknowledged that the problem involved a security breach.
The online multiplayer gaming site, along with Qriocity, Sony’s cloud music subscription service, went down last Wednesday and may not be available for another week.
After the outage, Sony told users their sites had been hacked, prompting PlayStation engineers to take them offline to investigate.
Today, the company posted information online admitting that the hack had breached users’ account information, including name, address, birth date, purchase history and online ID.
Patrick Seybold, a senior director at Sony, also noted in the blog post that there’s no evidence users’ credit card information was stolen. However, he added that “out of an abundance of caution,” Sony is advising users that their credit card number and expiration date may have been obtained.
“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network,” the company wrote. “We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible.”
Users were first frustrated with their inability to get online and play their favorite games; now, they’re frustrated about the security breach and what it might mean for them financially. And they’ve been taking to Twitter to vent about it.
Dan Olds, an analyst with The Gabriel Consulting Group, said the site outage alone was causing trouble for Sony. The data breach acknowledgement just heaps on more.