<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>

<channel>
	<title>CA Home and Home Office Blog</title>
	<atom:link href="http://homeofficeblog.ca.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://homeofficeblog.ca.com/blog</link>
	<description>CA Home and Home Office Blog</description>
	<pubDate>Wed, 16 May 2012 14:17:04 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Multiple Human Rights, Foreign Policy Sites Hacked</title>
		<link>http://homeofficeblog.ca.com/blog/?p=651</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=651#comments</comments>
		<pubDate>Wed, 16 May 2012 14:17:03 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=651</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p>A rash of recent and ongoing targeted attacks involving compromises at high-profile Web sites should serve as a sobering reminder of the need to be vigilant about applying browser updates. Hackers have hit a number of prominent foreign policy and human rights group Web sites, configuring them to serve spyware by exploiting newly patched flaws in widely used software from <strong>Adobe</strong> and <strong>Oracle</strong>.</p>
<p>The latest reports of this apparent cyberspy activity come from security experts at <strong>Shadowserver.org</strong>, a nonprofit that tracks malware attacks typically associated with so-called “advanced persistent threat” (APT) actors. APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty sure it came from China.”</p>
<p><img class="aligncenter size-full wp-image-652" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/05/cdisploit-285x215.png" alt="cdisploit-285x215" width="285" height="215" /></p>
<p>One look at the list of the sites found to be currently serving an exploit to attack a newly-patched <strong>Adobe Flash Player</strong> vulnerability (CVE-2012-0779) shows how that shorthand is earned. Shadowserver uncovered Flash exploits waiting for visitors of the Web sites for <strong>Amnesty International Hong Kong</strong> and the <strong>Center for Defense Information</strong>, a Washington, D.C. think-tank. The home page for the <strong>International Institute for Counter-Terrorism </strong>was found to be serving up malware via a recent <strong>Oracle Java</strong> vulnerability (CVE-2012-0507), while the <strong>Cambodian Ministry of Foreign Affairs</strong> site was pointing to both Flash and Java exploits.</p>
<p>“In recent months we have continued to observe 0-day vulnerabilities emerging following discovery of their use in the wild to conduct cyber espionage attacks,” wrote Shadowserver volunteers <strong>Steven Adair</strong> and <strong>Ned Moran</strong>, in <a title="Cyber Espionage and Strategic Web Compromises - Trusted Websites Serving Dangerous Results" href="http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/" target="_blank">a blog post</a> about the attacks, which they dubbed “strategic Web compromises.”</p>
<p>“Frequently by the time a patch is released for the vulnerabilities, the exploit has already been in the wild for multiple weeks or months — giving the attackers a very large leg up,” they wrote. “The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in.”</p>
<p>The discoveries come just days after security vendor Websense <a title="Amnesty International UK Compromised" href="http://community.websense.com/blogs/securitylabs/archive/2012/05/11/amnesty-international-uk-compromised.aspx" target="_blank">found</a> that the site for <strong>Amnesty International United Kingdom</strong> (AIUK) was hosting the same Java exploit. According to Shadowserver, other sites that were compromised by remarkably similar attacks but since cleaned include those belonging to the <strong>American Research Center in Egypt</strong>, the <strong>Institute for National Security Studies</strong>, and the <strong>Center for European Policy Studies</strong>.</p>
<p>Shadowserver experts believe that many of the attacks above are likely the work of the same hacking group. For example, Adair and Moran said they found “a clear connection” between the hackers who compromised the AIUK site in this incident and a separate attack on the same site in December 2011, a break-in <a title="Amnesty International Site Serving Java Exploit" href="https://krebsonsecurity.com/2011/12/amnesty-international-site-serving-java-exploit/" target="_blank">first reported</a> by KrebsOnSecurity.com. Some of the common elements in the attacks include identical Internet addresses and files (down to the same internal metadata) used in different attacks.</p>
<p>Adair and Moran also called attention to targeted attacks that leverage the Flash flaw (CVE-2012-0779) via Microsoft Word documents, which have the built-in ability to invoke Flash objects. <strong>Mila Parkour</strong>, the author of the <a title="Contagiodump.blogspot.com" href="http://contagiodump.blogspot.com/" target="_blank">Contagiodump blog</a>, on May 6 published <a title="May 3, CVE-2012-0779" href="http://contagiodump.blogspot.com/2012/05/may-3-cve-2012-0779-world-uyghur.html" target="_blank">an exhaustive look</a> at just such an attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=651</wfw:commentRss>
		</item>
		<item>
		<title>Adobe, Microsoft Push Critical Security Fixes</title>
		<link>http://homeofficeblog.ca.com/blog/?p=646</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=646#comments</comments>
		<pubDate>Thu, 10 May 2012 13:19:22 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=646</guid>
		<description><![CDATA[Adobe and Microsoft today each issued updates to address critical security flaws in their software. Adobe’s patch plugs at least five holes in its Shockwave Player, while Microsoft has released a bundle of seven updates to correct 23 vulnerabilities in Windows and other products.

Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Adobe</strong> and <strong>Microsoft</strong> today each issued updates to address critical security flaws in their software. Adobe’s patch plugs at least five holes in its <strong>Shockwave Player</strong>, while Microsoft has released a bundle of seven updates to correct 23 vulnerabilities in <strong>Windows</strong> and other products.</p>
<p><img class="aligncenter size-full wp-image-647" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/05/winicon.jpg" alt="winicon" width="139" height="123" /></p>
<p>Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited via Web browsing, file-sharing, or email. Eight of the 23 flaws earned Microsoft’s “critical” rating, meaning no user interaction is required for vulnerable systems to be hacked. At least three of the flaws were publicly disclosed before today.</p>
<p>According to Microsoft, two of the updates are the most dire: the first addresses a critical flaw in Microsoft Word (<a title="MS12-029" href="http://technet.microsoft.com/en-us/security/bulletin/ms12-029" target="_blank">MS12-029</a>); the second is an unusually ambitious update that addresses flaws present in <strong>Microsoft Office</strong>, <strong>Windows</strong>, <strong>.NET Framework</strong> and <strong>Silverlight</strong>. In <a title="Duqu, ten CVE's and removing keyboard layout file attack surface" href="http://blogs.technet.com/b/srd/archive/2012/05/08/ms12-034-duqu-ten-cve-s-and-removing-keyboard-layout-file-attack-surface.aspx" target="_blank">a blog post published today</a>, Microsoft explained why it chose to patch all of these seemingly disparate products in one go. But the short version is that Microsoft is addressing the ghost of <a title="Wikipedia: Duqu" href="http://en.wikipedia.org/wiki/Duqu" target="_blank">Duqu</a>, a sophisticated malware family discovered last year that was designed to attack industrial control systems and is thought to be related to the infamous <a title="Wikipedia: Stuxnet" href="http://en.wikipedia.org/wiki/Stuxnet" target="_blank">Stuxnet worm</a>. A patch Microsoft issued last year addressed the underlying <a title="CVE-2011-3402" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3402" target="_blank">Windows vulnerability</a> exploited by Duqu, but the company found that the same vulnerable code resided in a slew of other Microsoft applications.</p>
<p><img class="aligncenter size-full wp-image-648" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/05/shockwave.jpg" alt="shockwave" width="197" height="120" /></p>
<p>Separately, Adobe has issued an update for its Shockwave Player. Adobe recommends that users of Adobe Shockwave Player <em>11.6.4.634</em> and earlier for Windows and Macintosh update to Adobe Shockwave Player <em>11.6.5.635</em>. Fixes are available for Windows and Mac systems, from <a title="Get Shockwave" href="http://get.adobe.com/shockwave/" target="_blank">this link</a>. Windows users can tell if they have Shockwave installed by checking for an entry for the program in the Add/Remove Programs listing from the Windows Control Panel. If you don’t already have this program, I’d recommend keeping it that way. I seem to have gotten along fine without it for several years now, and going without it just means one less buggy application to patch.</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=646</wfw:commentRss>
		</item>
		<item>
		<title>Service Automates Booby trapping of Hacked Sites</title>
		<link>http://homeofficeblog.ca.com/blog/?p=641</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=641#comments</comments>
		<pubDate>Thu, 03 May 2012 15:48:47 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=641</guid>
		<description><![CDATA[Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware. Media coverage of these mass hacks usually centers on the security flaw that allowed the intrusions, but one aspect of these crimes that’s seldom examined is the [...]]]></description>
			<content:encoded><![CDATA[<p>Hardly a week goes by without news of some widespread compromise in which thousands of Web sites that share a common vulnerability are hacked and seeded with malware. Media coverage of these mass hacks usually centers on the security flaw that allowed the intrusions, but one aspect of these crimes that’s seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites.</p>
<p><img class="aligncenter size-full wp-image-642" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/05/iframeservicehome-285x238.png" alt="iframeservicehome-285x238" width="285" height="238" /></p>
<p>Regular readers of this blog may be unsurprised to learn that this is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that serve up malware and browser exploits.</p>
<p>At the very least, a decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing those lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set.</p>
<p><img class="aligncenter size-full wp-image-643" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/05/iframservicescreenie21-285x195.png" alt="iframservicescreenie21-285x195" width="285" height="195" /></p>
<p>A huge percentage of malware in the wild today has the built-in ability to steal FTP credentials from infected PCs. This is possible because people who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials.</p>
<p>Some services, like the one offered at iframeservice.net (pictured above and at left), offer a menu of extras to help customers maintain their Web-based minefields. Iframeservice.net attempts to gain a more permanent foothold on all sites for which it is given FTP credentials, testing the sites for additional security vulnerabilities (root exploits) that may grant administrative privileges on the site’s Web server.</p>
<p>This service also promises to help customers stay one step ahead of antivirus companies, by monitoring URL blacklists and generating customer alerts when boobytrapped pages get flagged as malicious. In addition, it offers the automated ability to obfuscate the true destination of malicious links as a way to confuse both antivirus scanners and the legitimate administrators of the hacked sites.</p>
<p>A recent compromise I helped a friend deal with reminds me of a stubborn fact about hacked sites that seems relevant here. Just as PC infections can result in the theft of FTP credentials, malware infestations also often lead to the compromise of any HTML pages stored locally on the victim’s computer. Huge families of malware have traditionally included the ability to inject malicious scripts into any and all Web pages stored on the host machine. In this way, PC infections <a title="PC Infections Often Spread to Web Sites" href="http://voices.washingtonpost.com/securityfix/2009/07/pc_infections_often_spread_to.html" target="_blank">can spread to any Web sites that the victim manages</a> when the victim unknowingly uploads boobytrapped pages to his Web site.</p>
<p>Obviously, the best way to avoid these troubles is to ensure that your system doesn’t get compromised in the first place. But if your computer does suffer a malware infection and you manage a Web site from that machine, it’s a good idea to double check any HTML pages you may have stored locally and/or updated on your site since the compromise, and to change the password used to administer your Web site (using a strong password, of course).</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=641</wfw:commentRss>
		</item>
		<item>
		<title>OpenX Promises Fix for Rogue Ads Bug</title>
		<link>http://homeofficeblog.ca.com/blog/?p=636</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=636#comments</comments>
		<pubDate>Thu, 03 May 2012 15:40:09 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=636</guid>
		<description><![CDATA[Hackers are actively exploiting a dangerous security vulnerability in OpenX — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution.

Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners [...]]]></description>
			<content:encoded><![CDATA[<p>Hackers are actively exploiting a dangerous security vulnerability in <strong>OpenX</strong> — an online ad-serving solution for Web sites — to run booby-trapped ads that serve malware and browser exploits across countless Web sites that depend on the solution.</p>
<p><img class="aligncenter size-full wp-image-637" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/05/openx.png" alt="openx" width="252" height="115" /></p>
<p>Security experts have been warning for months about mysterious attacks on OpenX installations in which the site owners discovered new rogue administrator accounts. That access allows miscreants to load tainted ads on sites that rely on the software. The bad ads usually try to foist malware on visitors, or frighten them into paying for <a title="What to do when scareware strikes" href="http://voices.washingtonpost.com/securityfix/2009/09/what_to_do_when_rogue_anti-vir.html" target="_blank">bogus security software</a>.</p>
<p>OpenX is only now just starting to acknowledge the attacks, as more users are coming forward with unanswered questions about the mysteriously added administrator accounts.</p>
<p>This problem first came to my attention after I read <a title="Infosecstuff.com: OpenX CSRF Vulnerability being actively exploited" href="http://www.infosecstuff.com/openx-csrf-vulnerability-being-actively-exploited/" target="_blank">a blog post</a> by infosec researcher <strong>Mark Baldwin</strong>, who wrote late last month about finding an unauthorized administrative account called “openx-manager” on one of his clients’ <em>OpenX 2.8.8</em> installations, the latest version. After much investigation, Baldwin found that the rogue admin account was created virtually at the same instant that he’d last logged in to the customer’s OpenX installation.</p>
<p>Based on these and other findings documented in his blog, Baldwin concluded that OpenX 2.8.8 contains an unpatched flaw known as a <a title="Owasp.org: CSRF described" href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29" target="_blank">cross-site request forgery</a> (CSRF) vulnerability. These types of flaws can be especially sneaky because they are used to trick the victim into loading a page that contains a malicious request. CSRF attacks are most often used to force an end user to execute unwanted actions on a Web application in which he/she is currently authenticated, such as purchasing an item, or adding/deleting account information.</p>
<p>Baldwin told me he believes the attackers were able to add the rogue admin account to his client’s OpenX installation because OpenX contains a CSRF vulnerability that allows such actions.</p>
<p>“When you login to the OpenX application, an ad loads via an iframe on the right side of the dashboard,” Baldwin said in an interview with KrebsOnSecurity. “OpenX uses this to promote different products of theirs (currently OpenX Market). This iframe makes calls to <a href="http://d1.openx.org/" target="_blank">d1.openx.org</a> and most importantly, loads some Javascript. This is important because the only way the CSRF attack would be able to create a new user is via javascript, since that action uses the POST method. The IP address of <a href="http://d1.openx.org/" target="_blank">d1.openx.org</a> is 173.241.250.2 and the address of <a href="http://adserver.openx.org/" target="_blank">adserver.openx.org</a> is 173.241.250.3. For all I know these may be the same servers. My belief is that these systems were compromised and the Javascript was modified to inject the rogue admin account via the iframe in the dashboard. So when an administrator logs in, the account would be created without any interaction from him.”</p>
<p>I confronted OpenX officials about this on Monday. In a very brief phone call today, company executives declined to discuss the attacks in detail, but acknowledged the existence of a CSRF vulnerability in the software that powers both their free and enterprise advertising platforms. OpenX Chief Technology Officer <strong>Michael Todd</strong> said the company would soon be publishing instructions on <a title="blog.openx.org" href="http://blog.openx.org/" target="_blank">its blog</a> outlining steps that users can take to prevent attackers from taking advantage of this flaw, and that it hoped to roll out an official fix for its OpenX Source product, which is the free version of the platform offered to anyone who wishes to host their own digital advertising services.</p>
<p>“What we’re going to do early next week — on Monday or Tuesday — is release a new version of OpenX for people to download as soon as possible,” Todd said. “We’re taking an extra few days to make sure that this gets done correctly and that we’re doing all the testing we need to do before we push that out. But first, we’ll publish a mitigation post that will tell people how they can change their systems,” to mitigate the threat, he said.</p>
<p>OpenX’s head of communications, <strong>Al Duncan,</strong> inexplicably cut the interview short after I’d asked just two questions, so I was unable to gain clarity on other aspects of this attack, such as whether OpenX’s internal systems may have been abused in the compromises, and how long the company has been aware of the problem. I also wanted to know more about how this vulnerability differed from <a title="OpenX Ad Server 2.8.7 Cross Site Request Forgery" href="http://www.exploit-db.com/exploits/17571/" target="_blank">a similar CSRF flaw in OpenX v. 2.8.7</a> that was disclosed in June 2011 by researcher <strong>Narendra Shinde</strong>.</p>
<p>It’s unclear whether the CSRF flaw detailed by Shinde is effectively the same bug that exists in this latest version. But the attackers targeting these flaws appear to have used the same name for the rogue admin account that Baldwin discovered on his client’s OpenX installation: “openx-manager.”</p>
<p>Until OpenX publishes its blog post, users and customers of this product should consider reviewing the <a title="Infosecstuff.com: OpenX CSRF Vulnerability being actively exploited" href="http://www.infosecstuff.com/openx-csrf-vulnerability-being-actively-exploited/" target="_blank">mitigation advice</a> offered at Baldwin’s blog.</p>
<p>For more background on this subject, see OpenX forum posts from <a title="Still Mal-Code Injection after Upgrade, Upgrade to 2.8.8 did not solve problem" href="http://forum.openx.org/index.php?showtopic=503506997&amp;hl=hacked" target="_blank">Nov. 2011</a>, <a title="Rogue Banners, banners that we had not booked were appearing on our website" href="http://forum.openx.org/index.php?showtopic=503507276&amp;hl=%5Copenx-manager" target="_blank">January 2012</a>, <a title="Malware issue, malware in my &quot;web and url and Openx market&quot; type banner" href="http://forum.openx.org/index.php?showtopic=503507675&amp;hl=hacked" target="_blank">March 2012</a>, and <a title="OpenX Has Malware Exploit with Ajs.php, is the downloadable version not safe anymore?" href="http://forum.openx.org/index.php?showtopic=503507775&amp;hl=hacked" target="_blank">April 2012</a>. Internet security firms <a title="OpenX Hacked by Dyndns malvertising" href="http://blog.armorize.com/2011/07/openx-hacked-by-dyndns-malvertising.html" target="_blank">Armorize</a> and <a title="OpenX Ads Leading to Malware, Care of &quot;Blackadvertspro&quot; " href="http://nakedsecurity.sophos.com/2012/03/28/openx-ads-leading-to-malware-co-blackadvertspro/" target="_blank">Sophos</a> also have been sounding the alarm about these attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=636</wfw:commentRss>
		</item>
		<item>
		<title>Adobe, Microsoft Issue Critical Updates</title>
		<link>http://homeofficeblog.ca.com/blog/?p=630</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=630#comments</comments>
		<pubDate>Tue, 17 Apr 2012 14:06:49 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=630</guid>
		<description><![CDATA[Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.

Seven of the 11 bugs Microsoft fixed with today’s release [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Adobe</strong> and <strong>Microsoft</strong> today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in <strong>Windows</strong> and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of <strong>Adobe Acrobat</strong> and <strong>Reader</strong>.</p>
<p><img class="aligncenter size-full wp-image-631" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/adobereader.jpg" alt="adobereader" width="161" height="154" /></p>
<p>Seven of the 11 bugs Microsoft fixed with today’s release earned its most serious “critical” rating, which Microsoft assigns to flaws that it believes attackers or malware could leverage to break into systems without any help from users. In its <a title="MS12-Apr" href="http://technet.microsoft.com/en-us/security/bulletin/ms12-apr" target="_blank">security bulletin summary for April 2012,</a> Microsoft says it expects miscreants to quickly develop reliable exploits capable of leveraging at least four of the vulnerabilities.</p>
<p>Among those is an interesting weakness (<a title="MS12-024" href="http://technet.microsoft.com/en-us/security/bulletin/ms12-024" target="_blank">MS12-024</a>) in the way that Windows handles signed portable executable (PE) files. According to <strong>Symantec</strong>, this flaw is interesting because it lets attackers modify signed PE files undetected.</p>
<p>“In addition, the attacker doesn’t need to worry about controlling memory; once the user runs the content, the device has been infected,” wrote <strong>John Harrison</strong>, group product manager for Symantec Security Response. “The most common attack will probably be a scenario in which a site offers a free download of a specific program that appears to be legitimately signed.”</p>
<p><img class="aligncenter size-full wp-image-632" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/winicon.jpg" alt="winicon" width="139" height="123" /></p>
<p><strong>Wolfgang Kandek</strong>, chief technology officer for vulnerability management firm <strong>Qualys</strong>, is particularly worried about <a title="MS12-027" href="http://go.microsoft.com/fwlink/?LinkId=246275" target="_blank">MS12-027</a>, because the weakness spans an unusually wide range of Microsoft products. Microsoft agrees, calling this patch the <a title="MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office Documents" href="http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx" target="_blank">highest priority</a> security update this month.</p>
<p>“What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and it affects an unusually wide range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and Visual Basic 6 Runtime,” Kandek said. “Attackers have been embedding the exploit for the underlying vulnerability (<a title="CVE-2012-0158" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158" target="_blank">CVE-2012-0158</a>) into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.”</p>
<p>Other notable fixes from Microsoft this month include a<strong> .NET</strong> update, and a patch for at least five <strong>Internet Explorer</strong> flaws. Patches are available for all supported versions of Windows, and available through Windows Update.</p>
<p>Adobe’s updates fix <a title="APSB12-08" href="http://www.adobe.com/support/security/bulletins/apsb12-08.html" target="_blank">critical problems</a> in Acrobat and Reader on all supported platforms, including <strong>Windows</strong>, <strong>Mac OS X</strong>, and <strong>Linux</strong>. Users on Windows and Mac can use each product’s built-in update mechanism. The newest, patched version of both Acrobat and Reader is <em>v. 10.1.3</em> for Windows and Mac systems. The default configuration is set to run automatic update checks on a regular schedule, but update checks can be manually activated by choosing Help &gt; Check for Updates. Reader users who prefer direct links to the latest version can find them by clicking the appropriate OS: <a title="FTP Download for Adobe Reader 10.1.3" href="ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.3/" target="_blank">Windows</a>, <a title="FTP Download for Mac version of Adobe Reader 10.1.3" href="ftp://ftp.adobe.com/pub/adobe/reader/mac/10.x/10.1.3/" target="_blank">Mac</a> or <a title="FTP Download for Linux Reader 9.5.1" href="ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/" target="_blank">Linux</a> (v. 9.5.1).</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=630</wfw:commentRss>
		</item>
		<item>
		<title>How to Find and Remove Mac Flashback Infections</title>
		<link>http://homeofficeblog.ca.com/blog/?p=625</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=625#comments</comments>
		<pubDate>Tue, 17 Apr 2012 14:03:29 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Computer safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=625</guid>
		<description><![CDATA[A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove [...]]]></description>
			<content:encoded><![CDATA[<p>A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 <strong>Mac OS X</strong> systems. Most people wanted to know how they could detect whether their systems were infected with Flashback — and if so — how to remove the malware. This post covers both of those questions.</p>
<p><img class="aligncenter size-full wp-image-626" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/flashbackremoval.png" alt="flashbackremoval" width="170" height="238" /></p>
<p>Since the discovery last week of the Flashback Mac botnet, several security firms have released tools to help detect and clean up Flashback infections. <strong>Dr.Web</strong>, the Russian antivirus vendor that first sounded the alarm about the outbreak, has published a <a title="Anti-Flashback Flashback Detection tool" href="https://www.drweb.com/flashback/?lng=en" target="_blank">free online service</a> that lets users tell whether their systems have been seen phoning home to Flashback’s control servers (those servers have since been hijacked by researchers). The service requires users to enter their Mac’s hardware unique user ID (HW-UUID), because this is how the miscreants who were running the botnet kept track of their infections.</p>
<p><strong>F-Secure Corp.</strong>, the Finnish security firm that worked with Dr.Web to more accurately gauge the true number of Flashback-infected Macs, has a <a title="Flashback Removal Tool" href="http://www.f-secure.com/weblog/archives/00002346.html" target="_blank">Flashback Removal Tool</a> available for download from its Web site.</p>
<p>Where is Apple’s response in all of this, you ask? Apple says it is developing software that will detect and remove Flashback. Inexplicably, it has not yet released this tool, nor has it added detection for it to the XProtect antivirus tool built into OS X. The company’s advisory on this threat is predictably sparse, and focuses instead on urging users to apply a recent update for Java. Flashback attacks a well-known Java flaw, but it’s worth noting that Apple released the Java patch only after Flashback had begun infecting hundreds of thousands of Macs.</p>
<p>Apple just released <a title="HT5242" href="http://support.apple.com/kb/HT5242" target="_blank">a new version of Java</a> that includes a Flashback remover. Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion. It includes no new security fixes, but it adopts a novel approach to the debate over whether to temporarily disable or remove Java: “It configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application.” If the Java web plug-in detects that no applets have been run for at least 35 days, it will again disable Java applets.</p>
<p>In its advisory, Apple said it “is working with ISPs worldwide to disable the command and control network” that criminals were using to direct the activities of the Flashback botnet. But Apple’s actions speak much louder than words. Forbes’ <strong>Andy Greenberg</strong> published <a title="Apple Snubs Firm that Discovered Mac Botnet, Tries to Cut Off Its Server Monitoring Infections" href="http://www.forbes.com/sites/andygreenberg/2012/04/09/apple-snubs-firm-who-discovered-mac-botnet-tries-to-cut-off-its-server-monitoring-infections/" target="_blank">a fascinating piece</a> on Wednesday showing that when it comes to working with the security community, Apple is still a bit like a spoiled toddler who hasn’t yet learned to play nice with other children in the sandbox.</p>
<p>On the issue of security in general, Apple appears to still have its head firmly planted in the sand: F-Secure notes that Apple still has not shipped an update that fixes this Java flaw on OS X 10.5 (or earlier), even though 16 percent of all Macs still run this OS.</p>
<p><img class="aligncenter size-full wp-image-627" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/antiflashback-285x320.png" alt="antiflashback-285x320" width="285" height="320" /></p>
<p>While Apple stopped bundling Java by default in <strong>OS X 10.7</strong> (Lion), it offers instructions for downloading and installing the <strong>Oracle</strong>-developed software framework when users access webpages that use it. If you have Java but no longer need it, get rid of it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin. In <strong>Safari</strong>, this can be done by clicking Preferences, and then the Security tab (uncheck “Enable Java”). In <strong>Google Chrome</strong>, open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing. In <strong>Mozilla Firefox</strong> for Mac, click Tools, Add-ons, and disable the Java plugin(s).</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=625</wfw:commentRss>
		</item>
		<item>
		<title>Urgent Fix for Zero-Day Mac Java Flaw</title>
		<link>http://homeofficeblog.ca.com/blog/?p=621</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=621#comments</comments>
		<pubDate>Tue, 10 Apr 2012 10:28:34 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=621</guid>
		<description><![CDATA[Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.

The update, Java for OS [...]]]></description>
			<content:encoded><![CDATA[<p>Apple on Monday released a critical update to its version of <strong>Java</strong> for <strong>Mac OS X</strong> that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on <strong>Windows</strong> and Mac systems.</p>
<p><img class="aligncenter size-full wp-image-622" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/drwebflashback-285x164.png" alt="drwebflashback-285x164" width="285" height="164" /></p>
<p>The <a title="KB-HT5228" href="http://support.apple.com/kb/HT5228" target="_blank">update</a>, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (<a title="CVE-2012-0507" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0507" target="_blank">CVE-2012-0507</a>) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.</p>
<p>The revelations come from Russian security firm <strong>Dr.Web</strong>, which reports that the <a title="New Flashback Variant Changes to Infect Macs" href="http://www.intego.com/mac-security-blog/new-flashback-variant-changes-tack-to-infect-macs/" target="_blank">Flashback Trojan</a> has<em> successfully infected more than 550,000 Macs</em>, most of which it said were U.S.-based systems (hat tip to <a title="Over Half a Million Macs Infected?" href="http://averysawaba.blogspot.com/2012/04/over-half-million-macs-infected.html" target="_blank">Adrian Sanabria</a>). Dr.Web’s post is available in its Google-translated version <a href="http://translate.google.com/translate?hl=en&amp;sl=ru&amp;tl=en&amp;u=http%3A%2F%2Fnews.drweb.com%2Fshow%2F%3Fi%3D2341%26lng%3Dru%26c%3D14" target="_blank">here</a>.</p>
<p>Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords. Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains will happily infect vulnerable Mac systems without requiring a password, <a title="Mac Trojan Exploits Unpatched Java Vulnerability - No Password Needed" href="http://arstechnica.com/apple/news/2012/04/mac-trojan-exploits-unpatched-java-vulnerability-no-password-needed.ars" target="_blank">writes Ars Technica</a>, among others. F-Secure has additional useful information on this Trojan attack <a title="Mac Flashback Exploiting Unpatched Java Vulnerability" href="http://www.f-secure.com/weblog/archives/00002341.html" target="_blank">here</a>.</p>
<p>As Ars notes, although Apple stopped bundling Java by default in <strong>OS X 10.7</strong> (Lion), it offers instructions for downloading and installing the <strong>Oracle</strong>-developed software framework when users access webpages that use it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin. In <strong>Safari</strong>, this can be done by clicking Preferences, and then the Security tab (uncheck “Enable Java”). In <strong>Google Chrome</strong>, open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing. In <strong>Mozilla Firefox</strong> for Mac, click Tools, Add-ons, and disable the Java plugin(s).</p>
<p>Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s <a title="WashingtonPost.com Security Fix: Apple Patches Java Flaws at Last" href="http://voices.washingtonpost.com/securityfix/2009/06/apple_patches_java_flaws_at_la.html" target="_blank">patch delays on Java</a> and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=621</wfw:commentRss>
		</item>
		<item>
		<title>FBI: Smart Meter Hacks Likely to Spread</title>
		<link>http://homeofficeblog.ca.com/blog/?p=617</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=617#comments</comments>
		<pubDate>Tue, 10 Apr 2012 10:05:05 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=617</guid>
		<description><![CDATA[A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the [...]]]></description>
			<content:encoded><![CDATA[<p>A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the <strong>FBI</strong> said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology.</p>
<p><img class="aligncenter size-full wp-image-618" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/fbi-smartmeterhack-285x305.png" alt="fbi-smartmeterhack-285x305" width="285" height="305" /></p>
<p>Smart meters are intended to improve efficiency and reliability, and to allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also holds the promise of improving a utility’s ability to remotely read meters to determine electric usage.</p>
<p>But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet.</p>
<p>Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power theft that it believed were related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.</p>
<p>Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert states.</p>
<p>The FBI believes that miscreants hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the Internet.</p>
<p>“The optical converter used in this scheme can be obtained on the Internet for about $400,” the alert reads. “The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.”</p>
<p>The bureau also said another method of attacking the meters involves placing a strong magnet on the device, which causes it to stop measuring usage while still providing electricity to the customer.</p>
<p>This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company.</p>
<p>Each method causes the smart meter to report less than the actual amount of electricity used. The altered meter typically reduces a customer’s bill by 50 percent to 75 percent. Because the meter continues to report electricity usage, it appears to be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 percent of meters had been altered.</p>
<p>“The FBI assesses with medium confidence that as Smart Grid use continues to spread throughout the country, this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer,” the agency said in its bulletin.</p>
<p>The feds estimate that the Puerto Rican utility’s losses from the smart meter fraud could reach $400 million annually. The FBI didn’t say which meter technology or utility was affected, but the only power company in Puerto Rico with anywhere near that volume of business is the publicly-owned <a title="Prepa.com" href="http://www.prepa.com/aeees_eng.asp" target="_blank">Puerto Rican Electric Power Authority</a> (PREPA). The company did not respond to requests for comment on this story.</p>
<p>The hacks described by the FBI do not work remotely, and require miscreants to have physical access to the devices. They succeed because many smart meter devices deployed today do little to obfuscate the credentials needed to change their settings, according to <strong>Tom Liston</strong> and <strong>Don Weber</strong>, analysts with <a title="InGuardians.com" href="http://www.inguardians.com/" target="_blank">InGuardians Inc.</a>, a security consultancy based in Washington, D.C.</p>
<p>Liston and Weber have developed a prototype of a tool and software program that lets anyone access the memory of a vulnerable smart meter device and intercept the credentials used to administer it. Weber said the toolkit relies in part on a device called an optical probe, which can be made for about $150 in parts, or purchased off the Internet for roughly $300.</p>
<p>“This is a well-known and common issue, one that we’ve been warning people about for three years now, where some of these smart meter devices implement unencrypted memory,” Weber said. “If you know where and how to look for it, you can gather the security code from the device, because it passes them unencrypted from one component of the device to another.”</p>
<p>The two researchers were slated to demo their smart meter hacking tools at the <a title="Shmoocon speakers" href="http://www.shmoocon.org/speakers" target="_blank">Shmoocon security conference</a> earlier this year, but agreed to pull the presentation at the last minute at the request of several vendors and utilities that they declined to name.</p>
<p>“It turns out that the vendor has a consortium of utility customers with whom they have regular conference calls,” Weber said. “Several of the utilities in this group had a concern about the information becoming public. Luckily we have worked with several of the utilities in the group. We have been able to stem the fears of all but one utility. We hope to have them on board very soon.”</p>
<p>Liston said utilities have become accustomed to deploying meters that can last 30 years before needing to be replaced, but that the advanced interactive components being built into modern smart meters require a much more thoughtful and careful approach to security.</p>
<p>“Traditionally, metering technology has been very cost effective, because much of it is very resilient. But these older devices didn’t have a lot of technology in them, and they certainly didn’t have wireless connections and things like memory storage,” Liston said. “The utilities are still expecting the lifecycle of newer pieces of equipment to be 20 to 30 years, and they’re just coming to the realization that some of the new stuff deployed is not going to last nearly that long.”</p>
<p><strong>Robert Former</strong>, a security engineer at smart meter manufacturer <a title="Itron.com" href="http://www.itron.com/" target="_blank">Itron</a>, said he hopes that researchers continue to push the industry toward adopting technologies that can withstand these and potentially other, as-yet-undiscovered attacks.</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=617</wfw:commentRss>
		</item>
		<item>
		<title>MasterCard, VISA Warn of Processor Breach</title>
		<link>http://homeofficeblog.ca.com/blog/?p=613</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=613#comments</comments>
		<pubDate>Tue, 03 Apr 2012 14:41:24 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=613</guid>
		<description><![CDATA[VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

In separate non-public alerts sent late last week, VISA and MasterCard began warning banks [...]]]></description>
			<content:encoded><![CDATA[<p><strong>VISA</strong> and <strong>MasterCard</strong> are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.</p>
<p><img class="aligncenter size-full wp-image-614" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/mcvisa-285x355.png" alt="mcvisa-285x355" width="285" height="355" /></p>
<p>In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.</p>
<p>Neither VISA nor MasterCard has said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said that most of the cards they analyzed had one transaction in common: they had been used in parking garages in and around the New York City area.</p>
<p>It’s not clear how many cards were breached in the processor attack, but a sampling from one corner of the industry provides some perspective. On Wednesday, <strong>PSCU</strong> — a provider of online financial services to credit unions — said it alerted 482 credit unions that appear to have had cards impacted by the breach, and that a total of 56,455 member VISA and MasterCard accounts were compromised. PSCU said fraudulent activity had been detected on a relatively small number of those cards — 876 accounts — and that the activity was geographically dispersed.</p>
<p>Atlanta-based processor <strong>Global Payments</strong> just confirmed that they discovered a breach in early March 2012. See their full statement and several other updates at the end of this story.</p>
<p>VISA just issued the following statement in response to this story:</p>
<p>“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet.</p>
<p>Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.</p>
<p>It’s important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa’s zero liability fraud protection policy, which exceeds federal safeguards. As always, Visa encourages cardholders to regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity. Additional consumer security tips are available at www.VisaSecuritySense.com.</p>
<p>Every business that handles payment card information is expected to protect the security and privacy of their customers’ financial information by adhering to the highest data protection standards. Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.”</p>
<p><em>The Wall Street Journal</em> is <a title="Breach Hits Card Processor Global Payments" href="http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html?mod=e2tw" target="_blank">reporting</a> that the breached processor was <strong>Global Payments Inc.</strong>, which processes credit and debit cards for banks and merchants. Prior to the publication of this blog post, I had heard this name from one source, but did not include it in my story because I could not get confirmation from a second source. Global Payments has not returned calls seeking comment. CNN is <a title="CNN: Credit card Data Breach" href="http://money.cnn.com/2012/03/30/technology/credit-card-data-breach/index.htm?hpt=hp_t3" target="_blank">reporting</a> that the company’s stock (<a href="http://money.cnn.com/quote/quote.html?symb=GPN&amp;source=story_quote_link" target="_blank">GPN</a>) fell 9 percent today before trading was halted on its shares.</p>
<p>I am also hearing that law enforcement investigators believe this breach may be somehow connected to Dominican street gangs in and around New York City. This comes from two reliable sources.</p>
<p>Additionally, sources are reporting that the bulk of the fraudulent activity appears to be centering around commercial credit and debit cards (those issued to businesses). More updates as this story develops.</p>
<p>Gartner fraud analyst Avivah Litan adds <a title="Avivah Litan: New Credit Card Data Breach Revealed" href="http://blogs.gartner.com/avivah-litan/2012/03/30/new-credit-card-data-breach-revealed/" target="_blank">a bit more perspective</a> to this story, saying the people she is talking to with knowledge of the situation say they are “seeing signs of the breach mushroom.”</p>
<p>Atlanta-based processor Global Payments just confirmed the breach via press release. It promised to release more details in a conference call with investors on Monday morning. Its full statement is below:</p>
<p>“Global Payments Inc. (NYSE: GPN), a leader in payment processing services, announced it identified and self-reported unauthorized access into a portion of its processing system. In early March 2012, the company determined card data may have been accessed. It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter.</p>
<p>“It is reassuring that our security processes detected an intrusion. It is crucial to understand that this incident does not involve our merchants or their relationships with their customers,” said Chairman and CEO Paul R. Garcia.</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=613</wfw:commentRss>
		</item>
		<item>
		<title>Visa Drops Support for Breached Processor, Acknowledges Weekend Outage</title>
		<link>http://homeofficeblog.ca.com/blog/?p=608</link>
		<comments>http://homeofficeblog.ca.com/blog/?p=608#comments</comments>
		<pubDate>Tue, 03 Apr 2012 14:37:59 +0000</pubDate>
		<dc:creator>svk1866</dc:creator>
		
		<category><![CDATA[Keep my Identity safe]]></category>

		<guid isPermaLink="false">http://homeofficeblog.ca.com/blog/?p=608</guid>
		<description><![CDATA[Global Payments, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts. The news comes hours ahead of a planned conference call with investors, and after Visa said it had pulled its seal of approval for [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Global Payments</strong>, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts. The news comes hours ahead of a planned conference call with investors, and after <strong>Visa</strong> said it had pulled its seal of approval for the company.</p>
<p><img class="aligncenter size-full wp-image-609" src="http://homeofficeblog.ca.com/blog/wp-content/uploads/2012/04/gpnstock-285x200.png" alt="gpnstock-285x200" width="285" height="200" /></p>
<p>In a press release issued 9:30 p.m. ET Sunday, Atlanta-based Global Payments Inc. said it believes “the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported…Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”</p>
<p>It remains unclear whether there are additional accounts beyond these 1.5 million that were exposed by the breach; the company’s statement seems to be focusing on the number of cards it can confirm that thieves offloaded from its systems.</p>
<p>It’s also unclear how Global Payments’ timeline of the incident meshes with that of <strong>MasterCard</strong> and Visa. In an alert sent to card-issuing banks that was first reported early Friday by KrebsOnSecurity.com, the card associations said the window of vulnerability for the breached processor (at that time unnamed) was between Jan. 21, 2012 and Feb. 25, 2012. The alert also said that full Track 1 and Track 2 data was exposed, meaning thieves could use the stolen information to counterfeit new cards.</p>
<p>Yet, in a statement Friday, Global Payments said its own security systems identified and self-reported the breach, which it said was detected in early March 2012: “It is reassuring that our security processes detected an intrusion,” the company said.</p>
<p>In its follow-up statement Sunday, the company mentioned only that “Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.” (For more info on the data contained on Track 1 and Track 2, see <a title="Howstuffworks.com: Credit Cards" href="http://money.howstuffworks.com/personal-finance/debt-management/credit-card2.htm" target="_blank">this explainer</a>).</p>
<p>In any event, The Wall Street Journal is <a href="http://online.wsj.com/article/SB10001424052702304750404577318083097652936.html?mod=WSJ_hp_LEFTTopStories" target="_blank">reporting</a> that Visa took the step over the weekend of distancing itself from Global Payments, by removing the company from its list of those it considers to be compliant service providers. That list is huge, and is available <a href="http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf" target="_blank">here</a> (PDF).</p>
<p>At the same time, a technical glitch affecting the Visa network barred some people around the United States from using their credit and debit cards for about 45 minutes on Sunday. Visa <a title="Temporary Outage of Visa Card Network Sunday" href="http://abcnews.go.com/US/wireStory/temporary-outage-visa-card-network-sunday-16051054#.T3kZAOVNKSo" target="_blank">told The Associated Press</a> that the outage was caused by an update it made to its system, but that the problem was unrelated to the Global Payments breach.</p>
<p>The apparent discrepancy over the timeline of the Global Payments breach and the means by which it was discovered and reported leaves several unanswered questions: Was the initial alert by Visa and MasterCard that prompted this story related to a separate breach? If so, was Global Payments involved?</p>
]]></content:encoded>
			<wfw:commentRss>http://homeofficeblog.ca.com/blog/?feed=rss2&amp;p=608</wfw:commentRss>
		</item>
	</channel>
</rss>