Officials at MicroSolved, the security services company that was involved in the penetration test that set off concerns about malware-infected CDs being sent to credit unions, have posted a detailed explanation of the technique and how it turned into a national news story.
In short, the technique worked exactly as it was designed to, with the small exception of the person inside the credit union who was responsible for the penetration test being on vacation the day that the CDs arrived in the mail. So another employee found the CDs, called the national Credit Union Administration to report it, leading to the NCUA’s fraud alert.
Upon our contact with the CU, the entire situation became apparent and we quickly identified how the process had proceeded. The employee of the CU had followed the process, just as they should, and alerted the proper authorities to the potential for fraud. We immediately contacted the NCUA Fraud hotline and explained that the process was a part of a standard penetration test. Eventually, we talked with executive management of NCUA and offered them any information they desired, including the source code to the tools on the CDs. The NCUA was wonderful to work with, understood the situation and seemed appreciative of our efforts to help ensure that their members were meeting the requirements of NCUA 748, which calls for the protection of member data against illicit access, including social engineering attacks like these.
The post explains the company’s testing methodology, which often includes these kinds of social engineering attacks, something that has proven to be very effective against a variety of targets over the years.