Sony BMG Greece Hacked | Naked Security

It appears someone used an automated SQL injection tool to find this flaw. It's not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found.

While it's cruel to kick someone while they're down, when this is over, Sony may end up being one of the most secure web assets on the net.

Man...no rest for these guys...

Barracuda Ravaged by SQLi

At RSA 2011 in San Francisco the company publicized that they were sparing no expense to rent a strip club for an invitation-only "VIP" party. Although they did their best to promote the event as exclusive and posh, little could be done to hide the fact that the club is known locally for its $5 buffet including peep show.

The company may be asking itself now whether the cost spent appealing to desires of a certain demographic was balanced versus the cost of securing sensitive customer data against the much larger and greater diversity of attackers... Could this be a good candidate for a MasterCard "priceless" commercial?

Ouch.

Another Mass SQLi Attack

In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically "http://lizamoon.com/ur.php" or more recently, "http://alisa-carter.com/ur.php." Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing.

Ah, SQLi...today you were my friend, but so many others' enemy.
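The LizaMoon write-up above describes the payload as an external script tag appended to existing text fields, which suggests a simple defensive check: walk every text column and flag values carrying an external `<script src>`. Added example, not code from any of the quoted articles; the SQLite schema, table name and sample rows are constructed, and the two hosts come from the excerpt.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Matches a <script> tag with an external src attribute (case-insensitive),
# the shape of the fragment this campaign appends to text columns.
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

# Hosts quoted in the write-up; any other external script host found in a
# text column is still reported, tagged as unknown.
KNOWN_HOSTS = {"lizamoon.com", "alisa-carter.com"}

def script_hosts(value):
    """Return [(host, label)] for each external script src inside a text value."""
    hits = []
    for url in SCRIPT_SRC.findall(value):
        host = (urlparse(url).hostname or "").lower()
        hits.append((host, "known-campaign" if host in KNOWN_HOSTS else "unknown-host"))
    return hits

def scan_sqlite(conn):
    """Walk every text-typed column of every user table, report injected script tags."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')
                if (c[2] or "").upper() in ("TEXT", "VARCHAR", "")]
        for col in cols:
            for rowid, val in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(val, str):
                    for host, label in script_hosts(val):
                        findings.append((table, col, rowid, host, label))
    return findings

def demo():
    """Constructed sample database: two clean rows and two tampered ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?,?,?)", [
        ("Widget", "A plain widget.", 9.99),
        ("Gadget", 'A gadget.<script src="http://lizamoon.com/ur.php"></script>', 19.99),
        ("Gizmo", "<b>Bold</b> gizmo with inline markup only.", 4.50),
        ("Doohickey", "Doohickey<SCRIPT SRC=http://alisa-carter.com/ur.php></SCRIPT>", 2.00),
    ])
    return scan_sqlite(conn)

if __name__ == "__main__":
    for f in demo():
        print("%s.%s rowid=%s -> %s (%s)" % f)
```

Finding the tag in stored data is the cleanup signal; the fix for the root cause is still parameterised queries on the vulnerable pages.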