LulzSec, the latest group of hackers who go around compromising Websites and servers for fun, or "lolz," struck again, hitting Sony Pictures, Nintendo and two Websites belonging to FBI partners.

Almost two months after the massive attack on Sony, which compromised more than 100 million user accounts, the attacks keep coming. Sony was hit again, as was fellow gaming company Nintendo.

A group of hackers going by the name LulzSec attacked Sony Pictures Entertainment June 2, Websites affiliated with the Federal Bureau of Investigation June 3, and Nintendo June 5.

"Lulz Security is playing a dangerous game" with its high-profile attacks, said Graham Cluley, a senior technology consultant for Sophos.

On June 3, Lulz Security gained access to the email database and the Website of Infragard, a private-public partnership between the FBI and private-sector security firms. The group defaced Infragard's Website with messages such as "Let it flow you stupid FBI battleships," and a video clip, in what seems to be a protest against the federal government's plans to equate cyber-attacks with an act of war. The group also leaked the email database containing information for 180 users.

LulzSec claimed to have been able to use "most" of the stolen passwords to compromise accounts on other systems because the victims had reused passwords, "which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else," the group said.

One such user was Karim Hijazi, the CEO of white-hat hacking organization Unveillance. Unveillance specializes in data breaches and botnets. LulzSec discovered that Hijazi used the Infragard password on his personal Gmail account as well as his corporate account at Unveillance, giving the group access to all his personal and work email.

Unveillance claimed in a statement June 6 that LulzSec tried to extort the company into revealing sensitive data. "I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence," the company said. The information could have put businesses and government agencies at risk of massive distributed-denial-of-service attacks.

LulzSec claimed it was running a sting and the goal was to expose Unveillance's incompetence. "We were simply going to pressure you into a position where you could be willing to give us money for our silence, and then expose you publicly," the group said in its own press release. The group clarified later on Twitter, "We were merely testing if he would fold or not."

The group also alleged that Hijazi offered to pay them to eliminate his competitors, an allegation Hijazi denied.

Unveillance managed to protect all the sensitive data from LulzSec, Hijazi said, noting, "All they have stolen and publicly dumped are my personal and work emails."

LulzSec claims to attack for fun, or for "lolz," and not financial gain. The group was behind the recent attack on PBS.org, where it posted a fake news story about Tupac Shakur and defaced other pages, as well as an earlier attack on Fox.com.

The group also obtained from Sony Pictures Entertainment the records of 1 million Sony users, which it planned to dump. "Maybe a torrent," the group tweeted. Sony confirmed the attack on June 3, noting that the email addresses and passwords came from a site that had been dormant for several years.

Nintendo disclosed June 5 that one of the servers belonging to its U.S. business unit was hacked, but that no company or customer information was compromised. The incident also didn't cause any damage to its operations or inconvenience for its customers.

The Nintendo hack couldn't have come at a worse time for the company, as it gears up for the launch of a new online service for its 3DS handheld gaming systems June 7. Nintendo 3DS users will be able to buy and download games, including some classic titles, from the Nintendo e-Shop.

LulzSec posted what it claimed was a "server-configuration file" obtained from the compromised server. "Just for fun while we at LulzSec warm up," the group posted on Twitter, adding that the group "made it clear that we didn't mean any harm" against Nintendo.

The group hinted on Twitter at more attacks to come. "There will be bigger targets, there will be more ownage," LulzSec tweeted June 4.