OAK RIDGE, Tenn. – Hackers attacked the $364 million Y-12 FCU's Web site and managed to obtain the credit card and personal identification numbers of between 17 and 24 members. The attack began on Jan. 9, 2006 at about 7:00 p.m. Unlike usual phishing attacks which use e-mail to try to direct members to a fake look-alike credit union Web site where they are asked for personal information, this attack involved a hack of the CU's own Web site. Therefore, when members went to the site and logged in, they were taken to the fake CU Web site, according to Chris Smith, CEO of Y-12. "This was a sophisticated wrinkle on the familiar phishing scam which was brought about by a weakness in Microsoft's software which hackers figured out a way to exploit," Smith said. Smith said that the software giant first became aware of the weakness on Dec. 27, 2005 but that there was no patch available until Jan. 6. Y-12 received the patch on Jan. 6 in the evening and then had to test it before applying it to all its systems, Smith said. "We were just a few hours too late getting it into place." Smith praised alert CU members who suspected something was wrong when the CU appeared to ask them for their PINs, something it had promised it would never do. Their notification to the CU that something was wrong allowed Y-12 to pull its site down and stop the fraud in only 90 minutes, Smith said. [email protected]