Simple, low-tech attack on Credit Unions


The National Credit Union Administration is warning all Credit Unions about malicious hackers and a low tech attack by mailing branches CDs with malware on them.

Using a somewhat dated but still effective Social Engineering attack, a package designed to look as though it was mailed by the NCUA is sent to the branch. The package contains CDs with the attacker’s malware on it, and an accompanying letter (PDF) which informs the branches, ironically, about phishing scams. The letter directs the personnel to review the “training material” on the enclosed CD. Once branch employees proceed as directed, the malware is executed and gives the attackers access to the branch computer systems. Credit Unions seem to be targeted because they tend to be smaller local associations rather then larger banks with higher budgets for computer security.

When people think computer security, they usually envision high tech systems comprising of long passwords, expensive hardware, and updating software with the latest security patches. However, as famed social engineer and hacker Kevin Mitnick once said, “There is no patch for stupidity”.

[via threat post]


  1. Jack says:

    I think a simple low tech attack would be a gun. Or a knife. all depending. Maybe if the cd’s were distributed by an arduino controlled system or something it would be much more impressive. Definitely needs more arduinos though.

  2. novastar says:

    I concur, The least they could do is put the instructions on an arduino with a lcd screen.
    And instead of a cd, an arduino with a usb cord that will install the malware.

    Not to mention the arduino controlled labeling machine.

    Im sure they could find a few more ways to add arduinos to the batch.

  3. djrussell says:

    lol @ no patch for stupid. :)

  4. drew says:

    no patch for arduinos

  5. incognito53 says:

    or as ron white would say, you can’t fix stupid.

  6. dingus says:

    I was the first one who thought they should have used arduinos!

  7. 4chan says:

    so does the malware work on arduino

  8. cyanide says:

    i invented the arduino

  9. Frank says:


  10. Spliff666 says:

    This was later noted to be a sanctioned Pen Test, though its nice to see how the company reacted to it.

  11. Ib Krabbenhøft says:

    The article does not mention to what extend the attack depended on autoplay or on executing the “training program”.

    I always recommend turning OFF autoplay when I have a machine at hand.

  12. Tachikoma says:

    ^ an arduino will fix that

  13. Ruso says:

    Who is better an arduino o a Terminator?

  14. DarwinSurvivor says:

    Let me guess, when they pop in the CD it says “Do put unverified cds into company computers.”

    My question is why the hell do the computers hooked up to the bank’s accounting system even HAVE cd roms for?!? Sounds like a fail at the IT level to me…

  15. enufalready says:

    infected PCs must tweet once successfully infected. design fail.

  16. Wwhat says:

    Any bank that has autorun enabled on any computer in the building should be closed down, all the people fired on the spot and blacklisted to not work in any such organization for 10 years.
    At the minimum.
    Might seem tough but come on it’s 2009 and you simply cannot let such a thing happen and brush it off.

  17. Estate Taxes says:

    I agree that there’s no patch for stupidity. We just need to be more careful so we are not the one who will face the consequences.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 96,382 other followers