Criminals sending malicious CDs to credit unions
by Steve Ragan - Aug 27 2009, 16:00
Criminals are taking a page from AOL in the 90’s by sending CDs laced with Malware to credit unions, according to an advisory from the National Credit Union Administration (NCUA). The scam is a part of several highly targeted Phishing scams, called Spear-Phishing, that have targeted various finance-based businesses over the years.
Spear-Phishing is exactly like Phishing. The goal is to steal information, which can be sold or used in a way to victimize a business or individual further. However, the main difference is that normal Phishing attacks can blindly target thousands of people or businesses at a time, whereas Spear-Phishing attacks target a single source or group.
For example, in April of 2008, there was a Spear-Phishing attack aimed at CEOs. The CEO campaign sent emails that were reported to be federal subpoenas. The CEOs were asked to click a link and download case history related materials and other information. The problem is that there was no case, and the links and downloaded materials were all malicious. The following May, VeriSign reported that over 2,000 Spear-Phishing victims were targeted and later compromised by emails pretending to come from the IRS, U.S. Tax Court, and the BBB.
The recent Spear-Phishing job targeting credit unions starts with a letter that claims to originate from the NCUA itself.
“The NCUA has warned numerous times about “phishing” scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies, or government agencies asking consumers to “verify” or “re-submit” confidential information such as bank account and credit card numbers, Social Security Numbers, passwords, and personal identification numbers,” the fraudulent NCUA letter starts.
“A variant of that approach using telephone systems, vishing, is increasingly being used to obtain this information from unwary consumers. Please read the included document, as it contains information training and information material regarding the risks of fraud, “phishing”, “vishing”, and ways to protect your member’s and your Credit Union’s assets.”
The letter comes with CDs, which are said to contain the training materials. However, all that is on these disks is malicious software.
“A federally insured credit union has reported receiving a bogus Letter to Credit Unions, accompanied by two compact discs (CDs). The subject of the fraudulent letter itself is a purported NCUA FRAUD Alert. The letter advises credit unions to review training material (contained on the CDs). Doing so could result in a possible security breach to your computer system, or have other adverse consequences,” reads the NCUA warning to its members.
While Spear-Phishing is nothing new, this might be the first time criminals have started mailing Malware to victims.
