The malware-infected CDs that were mailed to some credit unions may have been part of a penetration test designed to gauge whether an employee would run the software. The SANS Internet Storm Center says it was notified by a representative from Microsolved that the mailing was part of an authorized pen test.
The alleged scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. Of course, the CDs are loaded with malware rather than training programs.
The letter contains some of the classic misspellings and miserable grammar often found in phishing emails. An excerpt of the letter:
The NCUA has warned numerous times about “phishing” scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies or government agencies asking consumers to “re-submit” or “verify” confidential information such as bank accounts, Social Security Numbers, passwords, and personal identification numbers…
Please read the included document, as it contains important training and informational material regarding the risks of fraud…
The NCUA has published an advisory about the fake CDs, warning credit union employees not to run the discs.
A federally insured credit union has reported receiving a bogus Letter to Credit Unions, accompanied by two compact discs (CDs). The subject of the fraudulent letter itself is a purported NCUA FRAUD Alert. The letter advises credit unions to review training material (contained on the CDs). DOING SO COULD RESULT IN A POSSIBLE SECURITY BREACH TO YOUR COMPUTER SYSTEM, OR HAVE OTHER ADVERSE CONSEQUENCES.
This kind of attack has been suggested and kicked around in the security community for years, but this is perhaps the first time in recent memory that it has actually surfaced. An interesting point here is that the thieves are targeting credit unions, which tend to be smaller, community-based institutions, rather than larger, more sophisticated banks. Many credit unions have just a handful of branches and may not have the dedicated security staff that national banks have.
In effect, this is simply an offline extension of the highly targeted spear-phishing attacks that have been plaguing smaller financial institutions for a couple of years. But it’s one that’s potentially effective and damaging.