Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

Posted by timothy on from the please-avoid-mine dept.

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

12 of 205 comments (clear)

  1. I actually saw one of these.... by Shakrai · · Score: 5, Informative

    One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

    Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
    1. Re:I actually saw one of these.... by CannonballHead · · Score: 5, Funny

      Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

      We're on Slashdot. At least insult them properly: they probably use Windows.

    2. Re:I actually saw one of these.... by shentino · · Score: 5, Funny

      Actually, mimicking government incompetence is a necessary step to enhancing its value as a forgery.

    3. Re:I actually saw one of these.... by Shakrai · · Score: 5, Interesting

      The backend software package used by this particular credit union actually runs on Linux and Oracle. All but one of the workstations run Linux too. The holdout is a Windows 2000 machine that they keep around for some legacy software that they haven't been able to replace. The tellers don't even realize it's Linux because they are locked into the interface for the management system and can't navigate out of it. The loan officers can navigate out of it but the only other applications they have access to are Open Office and a handful of white-listed websites (webmail, credit scoring and a few compliance sites).

      That's actually how I got the gig -- I was the only local person who responded to the CEOs bid who had a meaningful amount of Linux experience. He inherited the platform from his predecessor and wasn't inclined to spend the money to migrate to something else. AFAIK the vendor for his software doesn't even offer a Windows server option, although they do have a Windows option for the clients. They had previously used this option until I showed them how much they were spending on software licenses.

      I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    4. Re:I actually saw one of these.... by Shakrai · · Score: 5, Informative

      Umm, do you know what the definition of a credit union is? It's a member-owned cooperative financial institution. It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive other than the goal of paying a competitive dividend (interest) on their members deposits.

      Go find one in your local area. Most of them are much more pleasurable to do business with than any bank. Community banks occasionally match them for customer service but no national bank ever will. I've yet to have one of my calls to my credit union answered in India or to have the interest rate on my credit card jacked up just because they can.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:I actually saw one of these.... by fuzzyfuzzyfungus · · Score: 5, Informative

      I agree with the general sentiment; but I think the story a few days back about the FBI picking up that quant accused of stealing code(or heck, our exciting bailouts and pretty much anything the federal reserve does) was a better example.

      From the Secret Service website:

      "1984 Congress enacted legislation making the fraudulent use of credit and debit cards a federal violation. The law also authorized the Secret Service to investigate violations relating to credit and debit card fraud, federal-interest computer fraud, and fraudulent identification documents."

      "2001 The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connections with computers. In addition it authorized the Director of the Secret Service to establish nationwide electronic crimes taskforces to assist the law enforcement, private sector and academia in detecting and suppressing computer-based crime; increased the statutory penalties for the manufacturing, possession, dealing and passing of counterfeit U.S. or foreign obligations; and allowed enforcement action to be taken to protect our financial payment systems while combating transnational financial crimes directed by terrorists or other criminals. "

      Having the secret service investigate a cracking attempt at a bank is about as natural as having the local cops investigate a burglary. These guys are, in essence, the counterfeit currency and bank haxx0ring police, the protecting the president gig is just a flashy sideline. The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.

    6. Re:I actually saw one of these.... by Shakrai · · Score: 5, Interesting

      That really depends on the credit union and how they conduct their business. I just bought a bunch of 10 month CDs from my credit union at 2.75% They run a promotion every year offering a "special" CD rate and it's always been extremely competitive. I couldn't even match this particular offer at the online only banks like ING Direct.

      Their standard rates are competitive with the other local brick and mortar institutions. They might get beaten by a few of the big boys and the online-only institutions but the flip side to that is that none of those institutions can even come close to the loan rates offered by my credit union.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    7. Re:I actually saw one of these.... by Mozk · · Score: 5, Funny

      I just bought a bunch of 10 month CDs from my credit union

      Doesn't AOL give out 10-month CDs for free?

      --
      No existe.
  2. Re:Hackers can be pen testers by rafemonkey · · Score: 5, Insightful

    Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)

  3. Re:Windows Autorun by Vancorps · · Score: 5, Informative

    ummm... there is one place to disable autorun on removable media although there are multiple methods available for accomplishing this task. Are you referring to auto-execution of other vectors? Like emails? Here's a reference for you to help you out. Windows XP or above you just modify it in the local security policy and you're done. Of course with Vista and Win7 they ask you if you want to run autorun so you don't really have to do anything.

  4. Wait, I've heard this one before. by rayd75 · · Score: 5, Interesting

    In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature. (less competitive with each other, that is.) My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals on staff at all. (IT or otherwise) In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.

  5. Re:Another scam by Kozz · · Score: 5, Funny

    Yep, trivial.

    Years back (about 1995 or so) I configured my MTA to provide "president@whitehouse.gov" as the "From" address when I sent an obvious prank to a co-worker. He replied (!) cussing me out and joking, "I'm going to kill you". You can imagine he quickly realized what he'd done and sent another email explaining himself. Who knows if he managed to get himself on an FBI watchlist or not. ;)

    --
    I only post comments when someone on the internet is wrong.