The problem with this article's title is that it was not a phishing attack.
Note that the article says virus-like, the following is an excerpt from an article attributed to the LA Times. Reportedly someone planted a harvesting programme which is virus like in the sense that it operates stealthily but may not be like a virus in how it propagates.
By Joseph Menn Los Angeles Times
The largest reported breach of personal data, hackers infiltrated the computers at a credit card processing center and stole as many as 40 million card numbers, it was disclosed Friday.
MasterCard International said card numbers and expiration dates were harvested by a rogue program planted inside the computer network at CardSystems, one of the low-profile companies that process merchant requests for credit-card authorization. When a retailer swipes a customer's card, the information goes to companies such as CardSystems for approval before getting passed along to banks.
At least 68,000 accounts have had fake charges posted to them, said MasterCard Vice President Linda Locke. Most credit card companies reverse fraudulent charges that are reported to them. Social Security numbers or other items of personal information were not taken.
The attack exposed the numbers of 13.9 million MasterCards and an unknown number of other brands of cards, including American Express. Atlanta-based CardSystems processes $15 billion in charges annually for MasterCard, Visa, American Express, Discover and other cards. Officials at Visa did not return a call seeking comment.
"I think all four (of the major card issuers) will be tainted," said Chris Hoofnagle, west coast director of the Electronic Privacy Information Center. "This is the biggest security breach by far." Hackers and identity thieves trade and sell pilfered credit card numbers in online chat rooms, making it relatively easy for a single big theft to affect thousands of cards quickly. MasterCard, which uncovered the incursion, would not divulge the dollar amount of the fraud uncovered so far or say when the improper charges began.
"Several banks reported atypical patterns of fraud (this week)," Locke said. With the help of security company CyberTrust , she said, "We traced disparate patterns of fraud back to CardSystems." After examining the computers there, she said, "We believe that a hacker intruded and installed some malicious code that captured card information." The FBI is investigating. MasterCard said CardSystems hadn't been using industry safeguards at its Tucson, Ariz., processing center, suggesting to analysts that the numbers had not been encrypted. CardSystems did not return phone calls seeking comment.
================================
The statement from the processor follows, though there is precious little detail.
Statement from CardSystems Solutions, Inc.
(June 17, 2005)
CardSystems Solutions, Inc., identified a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.
Since that time, concurrent to the investigation proceedings, CardSystems is completing the installation of enhanced/additional security procedures recommended by the security assessor involved in the investigation.
We understand and fully appreciate the seriousness of the situation. Our customers and their customers are our lifeblood. We are sparing no effort to get to the bottom of this matter. Our goal is to cooperate fully with the FBI to complete the investigation and ensure that we do nothing that might compromise the investigation.