Slashdot Mirror


Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

6 of 205 comments

  1. Re:I actually saw one of these.... by Shakrai · Score: 5, Interesting

    The backend software package used by this particular credit union actually runs on Linux and Oracle. All but one of the workstations run Linux too. The holdout is a Windows 2000 machine that they keep around for some legacy software that they haven't been able to replace. The tellers don't even realize it's Linux because they are locked into the interface for the management system and can't navigate out of it. The loan officers can navigate out of it but the only other applications they have access to are Open Office and a handful of white-listed websites (webmail, credit scoring and a few compliance sites).

    That's actually how I got the gig -- I was the only local person who responded to the CEO's bid who had a meaningful amount of Linux experience. He inherited the platform from his predecessor and wasn't inclined to spend the money to migrate to something else. AFAIK the vendor for his software doesn't even offer a Windows server option, although they do have a Windows option for the clients. They had previously used this option until I showed them how much they were spending on software licenses.

    I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
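The offline look at a disc like the one described above, as an added example and not code from the page or from any of the commenters: a small triage script that, given a directory holding the copied contents of a suspicious disc, parses any autorun.inf, flags files that Windows would run directly (by extension or by a PE "MZ" header, which also catches an executable renamed to look like a document) and records their SHA-256 hashes for later lookup. The disc contents it builds are constructed for the demonstration; the file names and the autorun entries are assumptions, not anything taken from the real discs.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions Windows executes directly or hands to a script host. Any of
# these on a disc that claims to hold "training materials" deserves a look.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".pif", ".msi"}


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def is_pe(path):
    """True if the file starts with the 'MZ' header every Windows PE file has."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def triage_disc(root):
    """Walk a copied disc tree and report autorun settings and suspicious files."""
    root = Path(root)
    report = {"autorun": None, "suspicious": []}
    # autorun.inf is only honoured at the root of the volume, so look there.
    for candidate in root.iterdir():
        if candidate.is_file() and candidate.name.lower() == "autorun.inf":
            report["autorun"] = parse_autorun(candidate.read_text(errors="replace"))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        if is_pe(path):
            reasons.append("PE header")
        if reasons:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            report["suspicious"].append({
                "path": path.relative_to(root).as_posix(),
                "sha256": digest,
                "reasons": reasons,
            })
    report["suspicious"].sort(key=lambda item: item["path"])
    return report


def build_sample_disc():
    """Constructed stand-in for a copied disc (hypothetical names, not a real sample)."""
    root = Path(tempfile.mkdtemp(prefix="disc_"))
    (root / "AUTORUN.INF").write_text(
        "[autorun]\n"
        "open=setup\\training.exe\n"
        "icon=setup\\training.exe\n"
        "label=Fraud Alert Training\n"
    )
    (root / "setup").mkdir()
    # Fake PE: only the MZ header, enough for the check and harmless to hold.
    (root / "setup" / "training.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("Review the training materials.\n")
    # An executable renamed to look like a document: caught by the PE check.
    (root / "docs" / "slides.pdf").write_bytes(b"MZ" + b"\x90" * 30)
    return root


if __name__ == "__main__":
    result = triage_disc(build_sample_disc())
    print("autorun:", result["autorun"])
    for item in result["suspicious"]:
        print(item["path"], item["sha256"][:16], ", ".join(item["reasons"]))
```

Run it against a copy of the disc made on a machine that does not honour autorun (a Linux box mounted with `noexec`, or a disc image opened read-only), never on the workstation the disc was meant for; the hashes it prints are what you would hand to whoever you report the incident to.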
  2. Re:I actually saw one of these.... by Shakrai · Score: 5, Interesting

    That really depends on the credit union and how they conduct their business. I just bought a bunch of 10 month CDs from my credit union at 2.75%. They run a promotion every year offering a "special" CD rate and it's always been extremely competitive. I couldn't even match this particular offer at the online-only banks like ING Direct.

    Their standard rates are competitive with the other local brick and mortar institutions. They might get beaten by a few of the big boys and the online-only institutions but the flip side to that is that none of those institutions can even come close to the loan rates offered by my credit union.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  3. Wait, I've heard this one before. by rayd75 · Score: 5, Interesting

    In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state, but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature (less competitive with each other, that is). My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals (IT or otherwise) on staff at all. In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense, but only the largest ones have the kind of IT and security resources most of us associate with a bank.

  4. Re:I actually saw one of these.... by SixGunMojo · Score: 1, Interesting

    A few caveats on this post
    1. I belong to a credit union
    2. I do not believe in name calling in posts
    3. I am about to violate caveat #2 like a bitch

    YOU STUPID IGNORANT LUDDITE MOTHERFUCKER
    Your whole premise is wrong: credit unions are not non-profits, they are not-for-profits. Non-profits don't operate for money; not-for-profits operate to make enough money to pay for their services and distribute that money among their (as far as credit unions are concerned) members and employees. This is how that pretty teller gets paid and why the interest on my loans is higher than the interest I earn on my savings account. As far as your claim of executive compensation, show us some facts. If the guy running my credit union is well compensated I have no problem with that. I am pretty sure he is not making millions and getting share options, as I read the newspaper down here and they have an annual richest business ranking and I'm pretty sure he's never been on it. As far as your claims about nepotism in non-profits, once again show me the facts, but if I am forming one, it's probably going to start out small and the people I'm going to be looking to are family and friends.

  5. Re:I actually saw one of these.... by Shakrai · Score: 4, Interesting

    Problem is: It's still a loan. With a rate. It's still ethically unacceptable, because there is always at least one of those who gets one who will not be able to pay it back.

    Dude, put the bong down and back away slowly ;) Or at least share it with the rest of us.

    I invest only in real physical things that rise in value. Gold was an excellent thing to invest in in the last few years. Because as in every "recession", it's only a recession if you are in their game, playing it, and things like gold and silver rise like crazy, giving you huge (relative) profits.

    I took Mr. Buffett's advice to heart (buy when everyone else is selling, sell when everyone else is buying) and started buying stocks as the markets tanked. So far I'm up ~41% overall. Only one of my picks (TIE if you are wondering, and I'm only down 6% on it) is in the red. Made my first buys in November of 08. My annual yield works out to ~64%. Have your gold investments matched or beaten this performance?

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  6. Re:Pen testers by evilandi · Score: 2, Interesting

    Barclays Bank in the UK got bad news coverage a few years ago for refusing to lend a pen to a customer. To counteract this bad coverage, they got rid of all the pens-on-a-chain and now have disposable ballpoint pen dispensers throughout their branches. You can just walk in off the street and help yourself to a pen, no questions asked. I must have a dozen by now. They have amusing mottos down the side such as "Steal me" or "Bank swag".

    And they write pretty well.

    http://www1.banner-online.biz/whybanner/barclaysbank_175.html
    http://images.onesite.com/my.telegraph.co.uk/user/bent_society/20080206111643.jpg

    --
    Andrew Oakley - www.aoakley.com