The problem with this article's title is that it was not a phishing attack.
Note that the article says virus-like, the following is an excerpt
from an article attributed to the LA Times. Reportedly someone planted
a harvesting programme which is virus like in the sense that it
operates stealthily but may not be like a virus in how it propagates.
By Joseph Menn
Los Angeles Times
The largest reported breach of personal data, hackers infiltrated the
computers at a credit card processing center and stole as many as 40
million card numbers, it was disclosed Friday.
MasterCard International said card numbers and expiration dates were
harvested by a rogue program planted inside the computer network at
CardSystems, one of the low-profile companies that process merchant
requests for credit-card authorization. When a retailer swipes a
customer's card, the information goes to companies such as CardSystems
for approval before getting passed along to banks.
At least 68,000 accounts have had fake charges posted to them, said
MasterCard Vice President Linda Locke. Most credit card companies
reverse fraudulent charges that are reported to them. Social Security
numbers or other items of personal information were not taken.
The attack exposed the numbers of 13.9 million MasterCards and an
unknown number of other brands of cards, including American
Express. Atlanta-based CardSystems processes $15 billion in charges
annually for MasterCard, Visa, American Express, Discover and other
cards. Officials at Visa did not return a call seeking comment.
"I think all four (of the major card issuers) will be tainted," said
Chris Hoofnagle, west coast director of the Electronic Privacy
Information Center. "This is the biggest security breach by far."
Hackers and identity thieves trade and sell pilfered credit card
numbers in online chat rooms, making it relatively easy for a single
big theft to affect thousands of cards quickly. MasterCard, which
uncovered the incursion, would not divulge the dollar amount of the
fraud uncovered so far or say when the improper charges began.
"Several banks reported atypical patterns of fraud (this week)," Locke
said. With the help of security company CyberTrust , she said, "We
traced disparate patterns of fraud back to CardSystems." After
examining the computers there, she said, "We believe that a hacker
intruded and installed some malicious code that captured card
information." The FBI is investigating. MasterCard said CardSystems
hadn't been using industry safeguards at its Tucson, Ariz., processing
center, suggesting to analysts that the numbers had not been
encrypted. CardSystems did not return phone calls seeking comment.
================================
The statement from the processor follows, though there is precious
little detail.
Statement from CardSystems Solutions, Inc.
(June 17, 2005)
CardSystems Solutions, Inc., identified a potential security incident
on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the
Federal Bureau of Investigation. Subsequently, the VISA and MasterCard
Card Associations were notified to alert them of a possible security
incident. CardSystems immediately began a remediation process to
ensure all systems were secure. Additionally, CardSystems immediately
engaged an independent 3rd party to validate systems security.
Since that time, concurrent to the investigation proceedings,
CardSystems is completing the installation of enhanced/additional
security procedures recommended by the security assessor involved in
the investigation.
We understand and fully appreciate the seriousness of the
situation. Our customers and their customers are our lifeblood. We are
sparing no effort to get to the bottom of this matter. Our goal is to
cooperate fully with the FBI to complete the investigation and ensure
that we do nothing that might compromise the investigation.