Slashdot Mirror
Phishing Site Discovered On Sony Thailand Servers
mcgrew tips news that security firm F-secure has found a live phishing site running on Sony's Thailand servers. "Basically this means that Sony has been hacked, again. Although in this case the server is probably not very important." This comes alongside news that a point service run by So-net, a Sony subsidiary, was accessed by an unknown intruder, who stole about $1,200 worth of virtual tokens. "The intrusions are believed to have taken place on May 16 and 17. So-net discovered the breach on May 18, after receiving consumer complaints. So-net halted the point redemption service following the discovery of the breach. The latest breaches are relatively minor in scale compared to the massive breach at PSN and Sony Entertainment Online. Even so, it only adds to the company's embarrassment."
Ivan Vanko: [laughs] If you could make God bleed, people would cease to believe in him, there will be blood in the water, the sharks will come. All I have to do is sit back and watch as the world consumes you. Not that Sony was ever a God but the idea holds for any giant corporation with enough money buy the best security in the world. They were made to bleed and this won't be the last of these.
"Chinese Amazons, power armor, laser swords.... things just meant to be." - Shampoo, A Very Scary Bet
Seems Sony in Thailand uses a shared hosting setup. More details @ ThreatSTOP's Blog
You've got a point.
I work in Australia for a company that does a lot of business throughout Asia, I've been on the internets for ages, and have a background in programming and finance, so I've got a weird diverse IT/Business background. So, I sometimes get assigned to figure out weird problems which the other guys can't figure out, despite the fact that I don't do that job.
Anyhow, every now and then I get given a job of "Somethings wrong with x system, when working with our y asian supplier/partner/customer/etc". These suppliers/partners/customers/etc, aren't small little back offices either, they're usually handling at least a several hundred thousand dollar piece of business, and at most they're handling a several million dollar piece.
The first one I got, I put a lot of effort in, and spent heaps of time looking at our side, getting as much information as possible, resolving that nothing was wrong on our side, and realizing what was happening on their side, then sending it to everyone concerned, which included their sides IT department. To the extent that I'd even figure out what software their running, find the manual, and find the section which dealt with this problem.
This inevitably resulted in them coming back to me with "No, it your side". It was literally that small and simple a response. I took them seriously, went off, tried to see if I could resolve it, and ... nope. Still definitely their side.
So, I got in contact with them, and tried to explain what was happening. At which point I noticed "Holy shit, these guys really don't know anything, I'm going to have to walk them through this".
A couple of days later, they still couldn't get it done, so instead they just gave me remote root/Administrator access to their entire network, with absolutely no oversight, so I can go through and make changes to their system, so it was setup correctly.
I shit you not. Sometimes this would mean changing their ssh setup, their sales/orders processing setup, their email server, their domain, everything and anything.
We use many suppliers, and when something changes with our products/services/internally, we often have to change suppliers. So, I've now done this about 5 times, for 5 different companies, throughout Asia. After the first time, I now don't hesitate to ask for root access, and I always get it. Without so much as a small amount of verification, sometimes they hadn't even been told internally of the problem. Although know is "There's this Australian guy, who's confident, and adamant that we've got a problem, and needs access to our systems".
It never ceases to amaze me.
I've thought about this a fair bit over the years, and I think it's apart of the honour/pride culture, where they don't want to have to admit to their managers that they did something wrong, so instead of admitting it, then working to fix it themselves (even with my guidance), they'd rather give a relative stranger complete access. From what I read, this is the sort of cultural problem that was seen at Fukishima, an inability to admit when they were wrong, such that only dodgy patches are undertaken, or possible problems are covered up, to save face.
I know one time when I did this, it got back to us through our customer, that "their IT department had worked with us to resolve issues on our end", which cracked us up. For the sake of getting the job done, we don't care if we take the blame, we just want it up and running smoothly.
This is my footer. There are many like it, but this one is mine.
Man, that's a bit amateurish on the side of the phishers.
They had access to a *SONY* server. The same Sony who just admitted issues on their systems. Surely they should've just set up a fake phishing site imitating Sony? I mean, set up a realistic looking Sony form asking for way more information than you need, host it on Sony server so Sony's domain points to it, put it in a plausible looking path, and send out an email faking a Sony return address.
Honestly, this would present such a great phishing and drive-by-download install opportunity, I'm surprised they didn't use it. It originates from a Sony email address, the link points to a Sony server (and even if they type it in themselves, it's still Sony's domain), but a third party is really phishing that information. I'd guess you'd get a good chunk of people filling that information in. Forward them to the real Sony login page...
If they had access to the Sony SSL server... oh my.
Something like this would pass most of the basic sniff tests for phish emails and make it almost impossible to determine if it's really Sony or a phisher using Sony's server.
I think Sony is making a blindingly clear case that there is room in the market for a 4th (3rd? do we even count the Wii anymore as a serious contender for the adult market?) serious gaming console with a more mature online presence than Sony does.
Yes, that company would have been named Sega; they were the first to bring a console with an integrated modem and first to offer ethernet. Sony murdered them by knowingly publishing fraudulent specs for their console. I know I'm not the only one who didn't buy a DC because the PS2 was supposed to be better. The only way in which it was is that it was a DVD player... one of the worst ever made in terms of image quality.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I don't like Sony as a company, but this is one time I'm not sure if the claims against them are actually true. The article gave next to no details, and the site is already down so I can't look at it to see.
It's an Italian site and one of the words in the URL apparently translates to 'holder' - which makes me wonder if it was a development site that wasn't intended to be public. I'll admit it seems weird it's on a Thailand domain, but I would like a better explanation of what hdworld.sony is before I blame them for getting hacked. Are they providing shared hosting for some service and not checking the content regularly?
There just isn't enough information on this one.