Financial institutions vulnerable to phishing-by-CD, says security report

The National Credit Union Administration this week issued an alert warning credit unions of an innovative form of scareware that utilizes traditional postal mail and a piece of malware that the user actively installs.

Some NCUA member credit unions have reportedly received letters that claimed to be from the NCUA which contained CDs of important "training materials" that would help inform users about phishing scams. Running the discs, naturally, loaded up credit union computers with a bunch of malware.

Kaspersky Labs said the letters themselves read like phishing scam e-mails rife with grammatical and spelling errors.

For example: "The NCUA has warned numerous times about 'phishing' scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies, or government agencies asking consumers to 're-submit' or 'verify' confidential information such as bank accounts, Social Security Numbers, passwords, and personal identification numbers...Please read the included document, as it contains important training and informational material regarding the risks of fraud..."

Brent Huston from security assessment company Microsolved came forward, saying this physical scareware was part of an authorized penetration test that was not intended to be made public through the NCUA.

"The person responsible for the penetration test was out the day the letter arrived," Huston said today. "The receiver of the letter followed their incident response process and reported the suspicious activity to the NCUA Fraud Hotline, just as they are supposed to do...The employee of the credit union had followed the process, just as they should, and alerted the proper authorities to the potential for fraud. We immediately contacted the NCUA Fraud hotline and explained that the process was a part of a standard penetration test. Eventually, we talked with executive management of NCUA and offered them any information they desired, including the source code to the tools on the CDs."

"However, in typical Internet fashion, the story had already taken on a life of its own. The next thing we know, the press is picking up the story, there's an article on Slashdot and people are in alert mode," Huston continued. "We then set about trying to calm folks down and such on Twitter, through e-mail and such. The bottom line here is this: This was a controlled exercise in which the process worked. The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement."