Almost two months after the massive attack on Sony, which compromised more than 100 million user accounts, the attacks keep coming. Sony was hit again, as was fellow gaming company Nintendo.
A group of hackers going by the name LulzSec attacked Sony Pictures Entertainment June 2, Websites affiliated with the Federal Bureau of Investigation June 3, and Nintendo June 5.
“Lulz Security is playing a dangerous game” with its high-profile attacks, said Graham Cluley, a senior technology consultant for Sophos.
LulzSecurity gained access to the email database and the Website of Infragard, a private-public partnership between the FBI and private-sector security firms on June 3. The group defaced Infragard’s Website with messages such as “Let it flow you stupid FBI battleships,” and a video clip, in what seems to be a protest against the federal government’s plans to equate cyber-attacks with an act of war. The group also leaked the email database containing information for 180 users.
LulzSec claimed to have been able to use “most” of the stolen passwords to compromise accounts on other systems because the victims had reused passwords, “which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else,” the group said.
One such user was Karim Hijazi, the CEO of white-hat hacking organization Unveillance. Unveillance specializes in data breaches and botnets. LulzSec discovered that Hijazi used the Infragard password on his personal Gmail account as well as his corporate account at Unveillance, giving the group access to all his personal and work email.
Unveillance claimed in a statement June 6 that LulzSec tried to extort the company into revealing sensitive data. “I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence,” the company said. The information could have put businesses and government agencies at risk of massive distributed-denial-of-service attacks.
LulzSec claimed it was running a sting and the goal was to expose Unveillance’s incompetence. “We were simply going to pressure you into a position where you could be willing to give us money for our silence, and then expose you publicly,” the group said in its own press release. The group clarified later on Twitter, “We were merely testing if he would fold or not.”
The group also alleged that Hijazi offered to pay them to eliminate his competitors, an allegation Hijazi denied.
Unveillance managed to protect all the sensitive data from LulzSec, Hijazi said, noting, “All they have stolen and publicly dumped are my personal and work emails.”
LulzSec claims to attack for fun, or for “lolz,” and not financial gain. The group was behind the recent attack on PBS.org, where it posted a fake news story about Tupac Shakur and defaced other pages, as well as an earlier attack on Fox.com. The group also gained the records of 1 million Sony users from Sony Pictures Entertainment that it planned to dump. “Maybe a torrent,” the group tweeted. Sony confirmed the attack on June 3, noting that email addresses and passwords came from a site that had been dormant for several years, according to Sony.
Nintendo disclosed June 5 that one of its servers belonging to its U.S. business unit was hacked, but that no company or customer information was compromised. The incident also didn’t cause any damages to its operations or inconveniences for its customers. The Nintendo hack couldn’t have come at a worse time for the company, as it gears up for the launch of a new online service for its 3DS handheld gaming systems June 7. Nintendo 3DS users will be able to buy and download games, including some classic titles, from the Nintendo e-Shop.
LulzSec posted what it claimed was a “server-configuration file” obtained from the compromised server. “Just for fun while we at LulzSec warm up,” the group posted on Twitter, adding the group “made it clear that we didn’t mean any harm” against Nintendo.
The group hinted on Twitter at more attacks to come. “There will be bigger targets, there will be more ownage,” LulzSec tweeted June 4.