The National Credit Union Administration is warning all credit unions about a low-tech attack in which malicious hackers mail branches CDs with malware on them.
Using a somewhat dated but still effective social engineering attack, a package designed to look as though it was mailed by the NCUA is sent to the branch. The package contains CDs with the attacker’s malware on them, and an accompanying letter (PDF) which informs the branches, ironically, about phishing scams. The letter directs the personnel to review the “training material” on the enclosed CD. Once branch employees proceed as directed, the malware is executed and gives the attackers access to the branch computer systems. Credit unions seem to be targeted because they tend to be smaller local associations rather than larger banks with higher budgets for computer security.
When people think of computer security, they usually envision high-tech systems consisting of long passwords, expensive hardware, and software updated with the latest security patches. However, as famed social engineer and hacker Kevin Mitnick once said, “There is no patch for stupidity”.
[via Threatpost]
I think a simple low tech attack would be a gun. Or a knife. All depending. Maybe if the CDs were distributed by an arduino controlled system or something it would be much more impressive. Definitely needs more arduinos though.
I concur. The least they could do is put the instructions on an arduino with an LCD screen.
And instead of a cd, an arduino with a usb cord that will install the malware.
Not to mention the arduino controlled labeling machine.
I’m sure they could find a few more ways to add arduinos to the batch.
lol @ no patch for stupid. :)
no patch for arduinos
or as ron white would say, you can’t fix stupid.
I was the first one who thought they should have used arduinos!
so does the malware work on arduino
i invented the arduino
DILDUINOS ARE THE SRC OF LIFE
This was later noted to be a sanctioned Pen Test, though it’s nice to see how the company reacted to it.
The article does not mention to what extent the attack depended on autoplay or on executing the “training program”.
I always recommend turning OFF autoplay when I have a machine at hand.
^ an arduino will fix that
Who is better, an arduino or a Terminator?
Let me guess, when they pop in the CD it says “Do put unverified cds into company computers.”
My question is why the hell do the computers hooked up to the bank’s accounting system even HAVE cd roms for?!? Sounds like a fail at the IT level to me…
infected PCs must tweet once successfully infected. design fail.
Any bank that has autorun enabled on any computer in the building should be closed down, all the people fired on the spot and blacklisted to not work in any such organization for 10 years.
At the minimum.
Might seem tough but come on it’s 2009 and you simply cannot let such a thing happen and brush it off.
I agree that there’s no patch for stupidity. We just need to be more careful so we are not the one who will face the consequences.