Sony admits breach larger than originally thought, 24.5 million SOE users also affected

Data being stolenSony disclosed today that the breach affecting its PlayStation Network (PSN) that saw 77 million records lost was larger than they originally thought. Not only were the details of PSN users stolen, but another 24.5 million records related to users of Sony Online Entertainment were stolen as well.

Sony Online Entertainment logoSony Online Entertainment (SOE) is the division of Sony responsible for many of their popular online role-playing games like DC Universe Online and Star Wars: Clone Wars Adventures. As in the PSN breach, the lost information included names, addresses (city, state, zip, country), email addresses, gender, birthdates, phone numbers, login names and hashed passwords.

In news perhaps worse than the disclosure from two weeks ago, Sony is saying that 12,700 credit and debit cards and expiration dates of non-US customers and 10,700 direct debit accounts (bank account numbers) for users in Germany, Austria, Netherlands and Spain may also have been stolen.

SOE email

Unlike the credit cards from PSN, which Sony assured the public were encrypted, no mention was made in Sony’s press release about the information from SOE being protected.

Sony was quick to note that the passwords had been hashed, but has not disclosed which hashing algorithm was used and whether they used a salt when calculating the hashes.

Sony mentioned that the lost credit/debit card information and direct debit banking information was stored in an “outdated database from 2007.”

WHAT??!?! How many locations on your network are housing other “lost” financial data? Do you even know where my information is to check whether it has been stolen?

Whether Sony’s bad practices are an act of hubris or simply gross incompetence is hard to discern. Let’s hope for the sake of Sony’s customers and the poor souls in their public relations department that this is the last disclosure they will need to make related to this incident.

It is important to remember that Sony is a victim as well, not just the 101.5 million customers whose personal information have been disclosed. Malicious attacks like this are a serious crime, it is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe.

For more information on how to keep your data safe, visit our Data Loss and Regulations site to download free tools, papers and other advice on keeping your data safe.

Seeing Stars?

It’s been a week since a senior official in Iran announced that they had discovered a new targeted attack aimed at them. The details of this attack are still vague. While Iran has labeled the attack "Stars", it’s not clear if it is Stuxnet-like in its complexity, target, or ultimate goals. Iran says they have not yet discovered it purpose. And it appears they have not shared malware samples with any outside security researchers.

If more details emerge, specifically a sample of the threat that can be examined by security researchers, or a hash of the suspected file so we can identify it in our sample set, we’ll examine it. Until then we can only speculate. So here goes: my thoughts on what possibly could be going on.

1. Iran has discovered the "Brother-of-Stuxnet"
Given the resources that were put behind Stuxnet, it shouldn't be surprising that more than one attack was planned. In product development, it is not unusual to have two teams competing to solve a problem. And from what I know about espionage (which admittedly, is all learned from spy movies) it’s not unusual with those folks either. You can then pick the best effort with which to move forward. It also give you a plan B, in case your first effort doesn't work out like you hoped it would. It is very possible Iran has discovered plan B.

2. Imitation is the sincerest form of flattery
We have predicted that Stuxnet would drive other nation states to create similar malware. Another player may have jumped into the game, attempting to show off their cyber espionage skills and reach some objective known only to them.

3. Paranoia rules
It is quite possible that Iran has detected a massive attack that just happened to strike at them. This malware could be a fake AV program, who’s only purpose is to steal $49.95 in Iran currency. But given the paranoia of cyber attacks that must be running rampant in the government there, or perhaps to put it kindly, because of the extreme caution they likely now take, they have overreacted to a garden variety piece of malware. 

4. The dog ate my homework
Maybe somebody is running behind on an important project, their boss is breathing down their necks and they need a good excuse for being late. I've used the same technique on my boss before. “I would have had that white paper done, but I forgot to save it and then my machine crashed”, “I emailed it to you, you didn't get it?” or “An Israeli hacker crippled my server and I can't possibly make that deadline you gave me.”

As I said, I am just speculating. It's likely to be one of these reasons, but then again maybe it’s something else. What I am sure of is that unless security researcher are given a sample of the threat, speculation is all we have.

“Osama Dead” Is No Longer a Hoax

That’s right, and this time it’s not a hoax! Bin Laden was killed by a CIA-led operation on Sunday night at a mansion in Abbottabad, north of Islamabad. In 2004, Symantec reported a hoax email attack with the subject “Osama bin Laden Captured” which contain a link to a Web site that hosted malware. Similar attacks that used such false information about Osama Bin Laden were also distributed in 2005 and 2006.

News targeting famous/notorious personalities are often used in scams. At this moment, we at Symantec Probe Network are observing a huge inflow of legitimate messages carrying links to the news. However, in all likelihood, there will be an increase in spam volume targeting this news.

In one of the spam samples, the message is poisoned using the news of Osama’s death. The news snippet is glued in an HTML <title> tag which is invisible to the end user.

The link provided in the message has nothing to do with the news and directs the user to a promotion site as shown in the image below.

Another poisoned spam sample is a typical 419 scam message where the phrase “OSAMA IS DEAD” is used at the end of the subject line “Subject: GOODNEWS FROM ROBERT SWAN MUELLER III (OSAMA IS DEAD )”. Internet users may be curious enough to read each and every news item related to the operation carried out against Osama and its updates. So we expect to see messages like these where popular search terms are used to increase the curiosity of the user.

In a Portuguese spam sample, the message claims to show unseen footage at the time of Osama’s death. It seems that the spammer failed to add the malicious link in the message. Historically we’ve seen messages such as the one shown below perform malicious activity in the form of downloading binaries and infecting the computer. Below is the snapshot of the email and its translation.


News of Osama’s death and subsequent updates are closely followed on the Internet. We predict a rise in scam and malicious attacks over the next few days. We advise users to be cautious about opening unsolicited emails with this news as a subject. We are monitoring this trend and will keep our readers updated.

Thanks to Paresh Joshi, co-author of the blog.

Mac users hit with fake anti-virus when using Google image search

A massive SEO poisoning attack has hit Google, targeting Windows and Mac users alike. From rather innocuous terms related to global warming, to hot topics like Osama bin Laden’s death, users are being hit with fake anti-virus programs, this time delivering payloads to users of Apple’s Mac OS X.

JavaScript Fake AV scannerStrangely when surfing to the compromised URLs you are first prompted with a JavaScript-based fake scanner that appears to show an infected Windows XP computer, even when surfing from a Mac.

When you click or close the fake scanner page you are prompted to download a .zip file onto your Mac with a filename like “”.

Some of the downloads are a package installer that installs the fake software; others simply a contain ready-to-run Mac application.

Fake AV for Mac installer/download

In a similar social engineering trick as we have seen in Windows fake scanners it pretends to be a legitimate Mac anti-virus program called MacDefender.

The scanner doesn’t actually touch the hard disk while “scanning”, although on a Mac it can be hard to know without a hard disk light.

It pretends to find some very important things that may have been compromised, such as the Terminal application and the standard Unix utility test, also known to Unix shell programmers as [.

Mac fake scan results

Credit card at risk warningIt uses a lot of social engineering including redirecting your browser to rather offensive porn sites, although it does not appear they are doing this to make money, simply to imply that you are infected.

It also uses scare tactics like your credit card data being at risk. The reality is that your credit card is only at risk if you actually try to purchase the fake software.

Buy fake Mac AV

Sophos customers using the Sophos Web Security Appliance and Sophos Live protection are protected against these threats.

Mac users with Sophos Anti-Virus for Mac are protected by the identities OSX/FakeAVZp-B and OSX/FakeAV-DMP. Windows users are protected against the Windows version known as Mal/FakeAV-FS.

Are you a Mac user? Why not download our free anti-virus for Mac OS X?