Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

Windows Autorun

The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in. Thus, killing your security immediately.

Re:Windows Autorun

[0123456]

Easily disabled or dismissed.

Uh, no; there are so many different places where autorun is configured in Windows that the average clueless user has no hope of managing to completely disable it. The whole thing is a disaster.

Re:Windows Autorun

[TheCabal]

Any financial institution that deploys a "bare metal" installation of ANY OS without any hardening, be it Windows, Linux or whatever, shouldn't be handling the public's money to begin with and needs to be slapped severely about the face and ears. I wouldn't deploy a stock install of Linux either without spending time hardening it. Anyone who thinks Linux is "Secure by default" has drunk a little too much of the Kool-Aid. Believe me when I say that Windows can be hardened to a point where it is rather difficult to break, and the amount of effort is no more than it takes to harden a Linux distro to a nice standard.

Autorun in a corporate environment? Disabled across the entire network with just a few clicks and refresh of Group Policy.

Another scam

[Orion+Blastar]

like those Emails from Microsoft with attachments that say they are operating system patches you must install to prevent a virus.

Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

The attached files usually have malware in them.

Microsoft does updates via Windows Update or Microsoft Update or via their web site in downloading patches, they never attach the patches to email.

I also get mail saying I won the UK Microsoft lottery and other BS as well. I am keeping a "Scams" folder for that sort of stuff.

I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."

Expect this more in the future

[improfane]

Expect malware to appear or be in the wild already on/in:

• pirated DVDs, the ones with dual film and PC content, like the Pokemon DVDs
• more flash drives
• mp3 players, iPods (using hard drive mode)
• Music CDs, the ones with dual PC and audio player content
• Facebook applications
• second hand routers (Linux routers)
• second hand laptops and computers
• more flash drives
• Windows install CDs
• FireFox plugins
• web development templates
• Packages (deb, rpm whatever), makefiles etc
• PDF files

The more I use my laptop, the more I wish to install a hypervisor on the BIOS (preferably based on Linux CoreBOOT or something) and use it to track my laptop and profit from it if it gets stolen.

Hey if someone steals my laptop, sit and cry?

Re:Expect this more in the future

[rtb61]

At the current price why would anyone bother with second hand routers, switches etc. They would do it with new gear, redo the factory default in a chip programmer and, then offer them at a discount, in the thousands. Especially with countries deeming it appropriate to become involved in large scale computer hacking as intelligence operations and, for the inevitable rogue agents and contractors, a future 'route' to profits.

Re:Hackers can be pen testers

how 'bout you get that stick out yo ass?

Re:Hackers can be pen testers

[rafemonkey]

Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)

Re:Hackers can be pen testers

[Faylone]

I don't care what percentage of society is cluless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings...yes. As long as the meaning the speaker intended is imparted to the listener, they served their purpose.

Re:I actually saw one of these....

[dltaylor]

home-brew apps or off-the-shelf package?

if OTS, whose is it?

Re:Hackers can be pen testers

Your nice little rant there sidestepped the FACT that you INCORRECTLY used the term "begs the question". You used it in a way that DIFFERS from the TRUE DEFINITION, yet has become ACCEPTED into COMMON SPEECH. The irony here is so unbelievable that I must conclude that your whole attitude on this topic is an epic troll, and you don't believe any of the stupid shit you are rabidly babbling about.

Re:I actually saw one of these....

[SL+Baur]

I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

I find it amusing that someone could be found to code up an auto execute function for inserted media. I find it even more amusing that there was a stupid enough manager to sign off on it.

Was Dilbert written at Microsoft?

Don't bother man

[Sycraft-fu]

The GP is just one of many "Banks are evil!" types online. You aren't going to convince them otherwise. They have little understanding of finance and less of banking. Also the reason he's whining is because the USSS was involved. He also doesn't understand that they are responsible for this kind of crime, he thinks the president ordered them on the case because banks are special.

I've debated with the "Use only cash, banks are evil, we need the gold standard!" types and there is just no reasoning with them. You are completely correct about the differences with a credit union, but you aren't going to convince him of it. They are a "bank" and banks are evil and so on.

Re:I actually saw one of these....

[maxume]

If you think interest is unethical, you shouldn't be willing to use government backed currency, as governments often create or destroy money without doing anything to tie that activity to anything real.

(Interest works because the debtor is exchanging future consumption for present day consumption, presumably to their own advantage)