Several web surfers may have had their credit card information compromised while visiting the US PlayStation site recently; IT security firm Sophos have confirmed that the site was hacked. The attack did not attempt to steal any pre-existing credit card information that may have been given to Sony; instead, the hackers used the “You’ve got malicious programs on your CPU” scam.
Sophos says the hackers used a SQL injection attack to inject their code into the pages that promoted SingStar Pop and God of War. A user who navigated to one of those pages would be shown a fake anti-virus scan, after which they’d naturally be told that their computer was host to a number of viruses and Trojan horses. When a victim agreed to purchase a fake piece of software, the thieves obtained the victim’s personal credit information.
A senior technology consultant for Sophos, Graham Cluley, gave his take on why the hackers chose the PlayStation site, and what users can do to protect themselves in the future: “There are millions of video game lovers around the world, many of whom will visit Sony’s PlayStation website regularly to find out more about the latest console games. Most would never expect that surfing to a website like this could potentially infect them with malware. If users do not have sufficient protection in place then they might find that before they know it they have been scared into handing their credit card details over to a bunch of cybercriminals. It is essential that all websites, especially when they are high profile like this or receiving a large level of traffic, have been properly hardened to prevent hackers from injecting malicious code on to what should be legitimate webpages.”
Sony is yet to comment on the matter, and the actual number of people who may have fallen for this scam is not being reported at this time. This is the second time this year that personal information has been compromised in connection with the PlayStation brand.