Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

Posted by timothy on from the please-avoid-mine dept.

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

43 of 205 comments (clear)

  1. I actually saw one of these.... by Shakrai · · Score: 5, Informative

    One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

    Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:I actually saw one of these.... by CannonballHead · · Score: 5, Funny

      Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

      We're on Slashdot. At least insult them properly: they probably use Windows.

    2. Re:I actually saw one of these.... by shentino · · Score: 5, Funny

      Actually, mimicking government incompetence is a necessary step to enhancing its value as a forgery.

    3. Re:I actually saw one of these.... by Shakrai · · Score: 5, Interesting

      The backend software package used by this particular credit union actually runs on Linux and Oracle. All but one of the workstations run Linux too. The holdout is a Windows 2000 machine that they keep around for some legacy software that they haven't been able to replace. The tellers don't even realize it's Linux because they are locked into the interface for the management system and can't navigate out of it. The loan officers can navigate out of it but the only other applications they have access to are Open Office and a handful of white-listed websites (webmail, credit scoring and a few compliance sites).

      That's actually how I got the gig -- I was the only local person who responded to the CEOs bid who had a meaningful amount of Linux experience. He inherited the platform from his predecessor and wasn't inclined to spend the money to migrate to something else. AFAIK the vendor for his software doesn't even offer a Windows server option, although they do have a Windows option for the clients. They had previously used this option until I showed them how much they were spending on software licenses.

      I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:I actually saw one of these.... by Shakrai · · Score: 5, Informative

      Umm, do you know what the definition of a credit union is? It's a member-owned cooperative financial institution. It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive other than the goal of paying a competitive dividend (interest) on their members deposits.

      Go find one in your local area. Most of them are much more pleasurable to do business with than any bank. Community banks occasionally match them for customer service but no national bank ever will. I've yet to have one of my calls to my credit union answered in India or to have the interest rate on my credit card jacked up just because they can.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:I actually saw one of these.... by fuzzyfuzzyfungus · · Score: 5, Informative

      I agree with the general sentiment; but I think the story a few days back about the FBI picking up that quant accused of stealing code(or heck, our exciting bailouts and pretty much anything the federal reserve does) was a better example.

      From the Secret Service website:

      "1984 Congress enacted legislation making the fraudulent use of credit and debit cards a federal violation. The law also authorized the Secret Service to investigate violations relating to credit and debit card fraud, federal-interest computer fraud, and fraudulent identification documents."

      "2001 The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connections with computers. In addition it authorized the Director of the Secret Service to establish nationwide electronic crimes taskforces to assist the law enforcement, private sector and academia in detecting and suppressing computer-based crime; increased the statutory penalties for the manufacturing, possession, dealing and passing of counterfeit U.S. or foreign obligations; and allowed enforcement action to be taken to protect our financial payment systems while combating transnational financial crimes directed by terrorists or other criminals. "

      Having the secret service investigate a cracking attempt at a bank is about as natural as having the local cops investigate a burglary. These guys are, in essence, the counterfeit currency and bank haxx0ring police, the protecting the president gig is just a flashy sideline. The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.

    6. Re:I actually saw one of these.... by dltaylor · · Score: 2, Insightful

      home-brew apps or off-the-shelf package?

      if OTS, whose is it?

    7. Re:I actually saw one of these.... by Shakrai · · Score: 5, Interesting

      That really depends on the credit union and how they conduct their business. I just bought a bunch of 10 month CDs from my credit union at 2.75% They run a promotion every year offering a "special" CD rate and it's always been extremely competitive. I couldn't even match this particular offer at the online only banks like ING Direct.

      Their standard rates are competitive with the other local brick and mortar institutions. They might get beaten by a few of the big boys and the online-only institutions but the flip side to that is that none of those institutions can even come close to the loan rates offered by my credit union.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    8. Re:I actually saw one of these.... by Mozk · · Score: 5, Funny

      I just bought a bunch of 10 month CDs from my credit union

      Doesn't AOL give out 10-month CDs for free?

      --
      No existe.
    9. Re:I actually saw one of these.... by lysergic.acid · · Score: 2, Informative

      Yea, I think more people would bank at credit unions if they knew about them. I'd never heard of a credit union myself until I went to college (in Urbana-Champaign, IL of all places). Actually, I thought that "credit union" was just the name of a popular banking chain in the Midwest, like Wells Fargo or Bank of America or something. It wasn't until my roommate explained to me what a credit unit was that I actually learned what they were.

      Frankly, I'm kinda surprised that the Midwest has so many power co-ops and credit union while the part of Southern California I live in has neither. Maybe the poorer communities here have never heard of them or don't have the resources to set them up, while the rich communities just don't care for that sort of cooperative community organization (I suppose stocks, private equities, and off-shore bank accounts pay better).

      Next we just need to extend the idea of credit unions & power co-ops to telecommunications, so we'll finally have decent broadband and mobile phone service that doesn't screw over consumers.

    10. Re:I actually saw one of these.... by Shakrai · · Score: 4, Interesting

      Problem is: It's still a loan. With a rate. It's still ethically unacceptable, because there is always at least one of those who get one, who will not be able to pay it back.

      Dude, put the bong down and back away slowly ;) Or at least share it with the rest of us.

      I invest only in real physical things that raise in value. Gold was an excellent thing to invest in, in the last years. Because as in every "recession", it's only a recession, if you are in their game, playing it, and things like gold and silver rise like crazy, giving you huge (relative) profits

      I took Mr. Buffets advice to heart (buy when everyone else is selling, sell when everyone else is buying) and started buying stocks as the markets tanked. So far I'm up ~41% overall. Only one of my picks (TIE if you are wondering and I'm only down 6% on it) is in the red. Made my first buys in November of 08. My annual yield works out to ~64% Have your gold investments matched or beaten this performance?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    11. Re:I actually saw one of these.... by SL+Baur · · Score: 2, Insightful

      I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

      I find it amusing that someone could be found to code up an auto execute function for inserted media. I find it even more amusing that there was a stupid enough manager to sign off on it.

      Was Dilbert written at Microsoft?

    12. Re:I actually saw one of these.... by Sycraft-fu · · Score: 2, Informative

      In fact the only reason that they do protect the president is back when the issue came up, they were it for federal law enforcement. When congress wanted protection for the president (when McKinley was assassinated) they were pretty much the only choice. There was no FBI, the US Marshals didn't have the man power, and the US Postal Inspectors were just for the post office.

      Perhaps they should have created a specific police force for presidential protection, but they didn't.

      However, just because the USSS had a new job, didn't mean they stopped doing their old jobs. They were still tasked with protecting the nation's money, they just had another job to do now as well.

    13. Re:I actually saw one of these.... by TheCabal · · Score: 4, Informative

      Secret Service was originally part of the Department of Treasury. Now part of DHS, they still have jurisdiction over counterfeiting and fraud investigations and share jurisdiction with the FBI on some areas such as computer crime. It's well within their baliwick.

    14. Re:I actually saw one of these.... by maxume · · Score: 2, Insightful

      If you think interest is unethical, you shouldn't be willing to use government backed currency, as governments often create or destroy money without doing anything to tie that activity to anything real.

      (Interest works because the debtor is exchanging future consumption for present day consumption, presumably to their own advantage)

      --
      Nerd rage is the funniest rage.
    15. Re:I actually saw one of these.... by Lord+Ender · · Score: 2, Informative

      Actually, I know the guys at the company who ran this test. They are definitely a Linux shop. MSI is a do-anything security company that will dig through your trash to test your shredder discipline, send phishing messages to your company to test your employee information security training, and try and sneak into your datacenter to test your security guards, as well as the normal vulnerability scanning type stuff.

      The outrage over this is pretty funny, because the company behind it was under contract from the organizations which were mailed. What a great big bag of lulz.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  2. Training by sexconker · · Score: 4, Funny

    Did the penetration testing "training" CDs at least provide a helpful "Lesson Number 1: Never do what you just did." video?

    1. Re:Training by svtdragon · · Score: 2, Funny

      Really, I think this is just a massive cover-up for what happened when they found a copy of "Penetration Training 14" on the CEO's desk, and a bottle of hand lotion in the drawer.

  3. Windows Autorun by Anonymous Coward · · Score: 3, Insightful

    The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in. Thus, killing your security immediately.

    1. Re:Windows Autorun by sexconker · · Score: 4, Informative

      Easily disabled or dismissed.

      The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

    2. Re:Windows Autorun by 0123456 · · Score: 4, Insightful

      Easily disabled or dismissed.

      Uh, no; there are so many different places where autorun is configured in Windows that the average clueless user has no hope of managing to completely disable it. The whole thing is a disaster.

    3. Re:Windows Autorun by iYk6 · · Score: 3, Informative

      Easily disabled

      Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

      or dismissed.

      For some versions of Windows, yes. For the most popular version in credit unions (based on my limited anecdotal experience) "dismissing" is not an option. Windows 2K just runs whatever the CD tells it to.

      The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

      Users will do silly things, but that is no reason to just give up on security and make an OS insecure by default.

    4. Re:Windows Autorun by Vancorps · · Score: 5, Informative

      ummm... there is one place to disable autorun on removable media although there are multiple methods available for accomplishing this task. Are you referring to auto-execution of other vectors? Like emails? Here's a reference for you to help you out. Windows XP or above you just modify it in the local security policy and you're done. Of course with Vista and Win7 they ask you if you want to run autorun so you don't really have to do anything.

    5. Re:Windows Autorun by TheCabal · · Score: 2, Insightful

      Any financial institution that deploys a "bare metal" installation of ANY OS without any hardening, be it Windows, Linux or whatever, shouldn't be handling the public's money to begin with and needs to be slapped severely about the face and ears. I wouldn't deploy a stock install of Linux either without spending time hardening it. Anyone who thinks Linux is "Secure by default" has drunk a little too much of the Kool-Aid. Believe me when I say that Windows can be hardened to a point where it is rather difficult to break, and the amount of effort is no more than it takes to harden a Linux distro to a nice standard.

      Autorun in a corporate environment? Disabled across the entire network with just a few clicks and refresh of Group Policy.

    6. Re:Windows Autorun by LeperPuppet · · Score: 3, Funny

      While we're making it simple, why don't we just open up all the keyboards on site and solder the shift key connectors permanently closed? No autorun all the time and anyone who doesn't know about holding down the shift key won't have to learn. It's a perfect solution.

  4. Another scam by Orion+Blastar · · Score: 3, Insightful

    like those Emails from Microsoft with attachments that say they are operating system patches you must install to prevent a virus.

    Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

    The attached files usually have malware in them.

    Microsoft does updates via Windows Update or Microsoft Update or via their web site in downloading patches, they never attach the patches to email.

    I also get mail saying I won the UK Microsoft lottery and other BS as well. I am keeping a "Scams" folder for that sort of stuff.

    I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
    1. Re:Another scam by Kozz · · Score: 5, Funny

      Yep, trivial.

      Years back (about 1995 or so) I configured my MTA to provide "president@whitehouse.gov" as the "From" address when I sent an obvious prank to a co-worker. He replied (!) cussing me out and joking, "I'm going to kill you". You can imagine he quickly realized what he'd done and sent another email explaining himself. Who knows if he managed to get himself on an FBI watchlist or not. ;)

      --
      I only post comments when someone on the internet is wrong.
    2. Re:Another scam by nihongomanabu · · Score: 2, Funny

      A friend of mine in university got in a bit of trouble when he spoofed the reply address in a joke email. The IT dept wasn't happy they had to explain to a student that they didn't really get an email from god@heaven.com.

  5. Expect this more in the future by improfane · · Score: 2, Insightful

    Expect malware to appear or be in the wild already on/in:

    • pirated DVDs, the ones with dual film and PC content, like the Pokemon DVDs
    • more flash drives
    • mp3 players, iPods (using hard drive mode)
    • Music CDs, the ones with dual PC and audio player content
    • Facebook applications
    • second hand routers (Linux routers)
    • second hand laptops and computers
    • more flash drives
    • Windows install CDs
    • FireFox plugins
    • web development templates
    • Packages (deb, rpm whatever), makefiles etc
    • PDF files

    The more I use my laptop, the more I wish to install a hypervisor on the BIOS (preferably based on Linux CoreBOOT or something) and use it to track my laptop and profit from it if it gets stolen.

    Hey if someone steals my laptop, sit and cry?

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    1. Re:Expect this more in the future by rtb61 · · Score: 2, Insightful

      At the current price why would anyone bother with second hand routers, switches etc. They would do it with new gear, redo the factory default in a chip programmer and, then offer them at a discount, in the thousands. Especially with countries deeming it appropriate to become involved in large scale computer hacking as intelligence operations and, for the inevitable rogue agents and contractors, a future 'route' to profits.

      --
      Chaos - everything, everywhere, everywhen
  6. Re:Mailing is to customers by Orion+Blastar · · Score: 2, Informative

    Actually Credit Union customers get "Phising" emails that pretend to be from the Credit Union and goes to a fake web site that looks like the Credit Union but steals their password, user ID, account number, etc.

    This happened to a friend of mine, and he phoned it in and the Credit Union asked him to come into their nearest branch and present ID and get his account changed to verify who he is, only the Credit Union near him closed down and he didn't know it and the next one was 100 miles away. He had to drive that far to resolve the problem and eventually switched to a different Credit Unions. It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  7. Re:Hackers can be pen testers by rafemonkey · · Score: 5, Insightful

    Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)

  8. Re:Hackers can be pen testers by Faylone · · Score: 4, Insightful

    I don't care what percentage of society is cluless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?

    Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings...yes. As long as the meaning the speaker intended is imparted to the listener, they served their purpose.

  9. Re:Mailing is to customers by Shakrai · · Score: 3, Informative

    It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.

    Where are you getting your information from? There's been a handful of credit unions that have failed but taken as a whole they've failed at a significantly lower rate than the banks. This is actually a boom time for credit unions and local community banks because the big boys are cutting back and people are looking for an alternative. The big players are closing accounts, jacking up interest rates and imposing all sorts of new fees. The credit unions are humming along with the same business model they've had for the last few decades: Slow sustained growth backed by proper lending standards and an emphasis on member service

    Go through the NCUA/FDIC data some time and compare the percentage of "well capitalized" credit unions to the percentage of similarly capitalized banks. I think you'll find that credit unions are doing just fine.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  10. Bad name for pen-testing by twistah · · Score: 4, Informative

    Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, the the payload is innocous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such myself and others.

  11. Re:Hackers can be pen testers by maxume · · Score: 2, Informative

    No, the descriptivists are right. Probably even in France.

    If nearly every language had not changed drastically over time, there might at least be an interesting conversation there, but alas.

    --
    Nerd rage is the funniest rage.
  12. Wait, I've heard this one before. by rayd75 · · Score: 5, Interesting

    In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature. (less competitive with each other, that is.) My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals on staff at all. (IT or otherwise) In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.

    1. Re:Wait, I've heard this one before. by John+Hasler · · Score: 3, Funny

      > Credit unions make great financial sense but only the largest ones have the
      > kind of IT and security resources most of us associate with a bank.

      Considering what the banks accomplish with those resources, I'll take the credit unions.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  13. Pen testers by Anonymous Coward · · Score: 2, Funny

    I'm in favor of it; I think that banks really need pen testers.

    Their pens usually are broken off of those little chain things, and when you do find one that's still attached, it doesn't write.

    1. Re:Pen testers by evilandi · · Score: 2, Interesting

      Barclays Bank in the UK got bad news coverage a few years ago for refusing to lend a pen to a customer. To counteract this bad coverage, they got rid of all the pens-on-a-chain and now have disposable ballpen dispensers throughout their branches. You can just walk in off the street and help yourself to a pen, no questions asked. I must have a dozen by now. They have amusing mottos down the side such as "Steal me" or "Bank swag".

      And they write pretty well.

      http://www1.banner-online.biz/whybanner/barclaysbank_175.html
      http://images.onesite.com/my.telegraph.co.uk/user/bent_society/20080206111643.jpg

      --
      Andrew Oakley - www.aoakley.com
  14. Re:Mailing is to customers by Anonymous Coward · · Score: 2, Funny

    This bout of reasonable discourse brought to you by: Slashdot

    Shoes for Turds, Stuff that Splatters.

  15. Don't bother man by Sycraft-fu · · Score: 2, Insightful

    The GP is just one of many "Banks are evil!" types online. You aren't going to convince them otherwise. They have little understanding of finance and less of banking. Also the reason he's whining is because the USSS was involved. He also doesn't understand that they are responsible for this kind of crime, he thinks the president ordered them on the case because banks are special.

    I've debated with the "Use only cash, banks are evil, we need the gold standard!" types and there is just no reasoning with them. You are completely correct about the differences with a credit union, but you aren't going to convince him of it. They are a "bank" and banks are evil and so on.

  16. Re:Where are the jokes? by MadKeithV · · Score: 2, Funny

    No-one on slashdot has the necessary experience to make penetration jokes.