The National Credit Union Administration has issued a Fraud Alert to its member credit unions, warning against a new malware attack targeting them. The attack is carried out by mailing the target credit union a bogus “Fraud Alert”, and enclosing two CDs that supposedly contain training materials to help defend against the fictional threat. The CDs contain malware to subvert the target’s systems:
The subject of the fraudulent letter itself is a purported NCUA FRAUD Alert. The letter advises credit unions to review training material (contained on the CDs). DOING SO COULD RESULT IN A POSSIBLE SECURITY BREACH TO YOUR COMPUTER SYSTEM, OR HAVE OTHER ADVERSE CONSEQUENCES.
This, along with the attacks against small- and medium-sized businesses that I discussed in my last post, is probably indicative of the steadily growing involvement of organized crime in computer-based fraud. Unlike the scatter-gun tactics of early computer viruses, these attacks are targeted, and aimed at stealing money. Credit unions are probabbly being targeted because they, on average, are probably less sophisticated about security matters.
If your business or organization receives unsolicited material on CDs or other media, the same advice applies as in the early days of floppy-disk-borne viruses. Do NOT open the media, unless it has first been checked for malware. The best way to do this, particularly if you need to receive media from external sources, is to use a dedicated machine, not connected to the network, for the scanning. You might even consider running Linux or one of the BSDs as the OS, and running Windows, if necessary, in a virtual machine.
Update, Thursday, 27 August, 16:17
The SANS Internet Storm Center is now reporting that this incident was not an actual attack, but an authorized security test. As they note, though, good security practices are still called for.