Hackers used a SQL injection flaw to inject malicious code into the Greek Sony BMG site.
Articles by Kara Reeder
The incident happened for two reasons: The contractor forgot to encrypt the email and the software in place to catch such errors did not work properly.
The virus attempted to send personal information like names, addresses and Social Security numbers to criminals, but it is not clear if or how much data was successfully stolen.
The exploit, according to Vupen, "bypasses all security features."
The attack uses Apache's built-in filter capabilities to include links to malicious websites.
Although the virus doesn't install anything to run in the background, it does try to trick users into buying the application via credit card.
The banking and credit card information belonging to more than 23,000 customers of the Sony Online Entertainment network may have been compromised.
Thirteen of the flaws are tagged as critical and one is labeled as low impact.