If you’ve been paying attention to computer security, you already know that spam, viruses, and organized crime have been in bed together for at least a year. The recently-discovered theft of 40 million credit card numbers [edit: originally linked to Yahoo News] illustrates this point clearly:
CardSystems was hit by a virus-like computer script that captured customer data for the purpose of fraud, [MasterCard spokeswoman] Gamsin said. She said she did not know how the script got into the system. The FBI was investigating. (emphasis added)
Given the current porous state of many networks and operating systems, and the general public’s attitude that catching a computer virus is as inevitable as catching a cold, I’d guess it got into the system the same way most spyware does. An email attachment squeaked by the filters. Someone installed a tool that claimed it would make their web access faster. Someone got a well-designed phish, followed the link, and got infected by a backdoor because their browser was behind on security patches. Someone brought a laptop home, plugged it into their insecure home network, and brought back a virus.
Sadly, I expect we’ll be seeing a lot more of this.
Update June 20: Netcraft is reporting that it was indeed lax computer security that did them in:
MasterCard International said it “worked with CardSystems to remediate the security vulnerabilities in the processor’s systems. These vulnerabilities allowed an unauthorized individual to infiltrate their network and access the cardholder data.” Officials at affected institutions were not specifying the vulnerability and exploit used to breach CardSystems’ security. (emphasis added)
Netcraft seems to think it was likely their website, which runs on Windows 2000 and IIS 5, and they go on to promote their own security consulting services. So it’s not entirely an unbiased look at the incident.