Phishers Hack Into Accounts At Y-12 FCU


Internet phishers last week convinced members at Y-12 FCU to give out their account numbers and PINs, which were used to steal thousands of dollars from member accounts.

The phishers apparently found a security hole in the Microsoft Windows Metafile, which allowed them to break into websites all over the world, including Y-12's. The hole was discovered on Dec. 27 and patched on Jan. 8, according to Chris Smith, vice president of marketing and e-commerce at the $365 million credit union.

"The hackers pretty much had a free run into the Microsoft system and they used the hole to get into our website," said Smith. They used the credit union's site to present their own phony web page, which asked members for personal information. The phony web page was traced to Greece, he said.

As a result, the phishers were able to collect personal information, including credit card numbers and PINs, from several credit union members.

The information was used to manufacture phony credit cards, which were then used to withdraw cash from ATMs in foreign countries, including Pakistan.

Transaction records at the credit union show that the information was stolen between 7 p.m. Monday, Jan. 9, and 8:30 p.m. the same night, when the credit union discovered the activity and took the website down.

The overseas thieves were apparently able to manufacture the cards' magnetic strips and create phony credit cards, then go to ATMs and withdraw cash, all within that short period, according to Smith. "There was about a 90-minute window for them to do damage," he said.

As of last week, at least 17 members reported their accounts had been compromised and the thieves had used the information to steal at least $70,000.

Credit union officials were alerted to the theft of the information by members, said Smith. "We rely on the member to tell us. That's the only way we know," he said.

The credit union is working with the FBI on the case.
