Cybercriminals have hacked pages of the US Sony PlayStation Web site, leaving gamers open to malware infection and tricking them into handing over their card account details.
IT security outfit Sophso says hackers used a SQL injection attack to plant unauthorised code on pages promoting the PlayStation games "SingStar Pop" and "God of War".
The code runs a fake anti-virus scan, telling surfers that their computer is infected with viruses and Trojan horses.
The fraudsters then encourage victims to to enter their credit card details to buy a bogus security product.
The Sony site - which has now been fixed - is just one of many targeted by the attack, with over a million pages affected, says Sophos.
Others hit by the SQL injection attack include Brazilian and Chinese government sites, the South African Flooring company, a pond supply firm in Canada and a liquor store in Massachusetts.
Sophos also warns that whilst the attack currently just tries to dupe surfers into buying worthless software, hackers could easily alter the payload so that it becomes more malicious and install code designed to turn Windows PCs into a botnet or to harvest confidential information.
Graham Cluley, senior technology consultant, Sophos, says: "If users do not have sufficient protection in place then they might find that before they know it they have been scared into handing their credit card details over to a bunch of cybercriminals."