Simple, Low-tech Attack On Credit Unions


The National Credit Union Administration is warning all Credit Unions about malicious hackers and a low tech attack by mailing branches CDs with malware on them.

Using a somewhat dated but still effective Social Engineering attack, a package designed to look as though it was mailed by the NCUA is sent to the branch. The package contains CDs with the attacker’s malware on it, and an accompanying letter (PDF) which informs the branches, ironically, about phishing scams. The letter directs the personnel to review the “training material” on the enclosed CD. Once branch employees proceed as directed, the malware is executed and gives the attackers access to the branch computer systems. Credit Unions seem to be targeted because they tend to be smaller local associations rather then larger banks with higher budgets for computer security.

When people think computer security, they usually envision high tech systems comprising of long passwords, expensive hardware, and updating software with the latest security patches. However, as famed social engineer and hacker Kevin Mitnick once said, “There is no patch for stupidity”.

[via threat post]

17 thoughts on “Simple, Low-tech Attack On Credit Unions

  1. I think a simple low tech attack would be a gun. Or a knife. all depending. Maybe if the cd’s were distributed by an arduino controlled system or something it would be much more impressive. Definitely needs more arduinos though.

  2. I concur, The least they could do is put the instructions on an arduino with a lcd screen.
    And instead of a cd, an arduino with a usb cord that will install the malware.

    Not to mention the arduino controlled labeling machine.

    Im sure they could find a few more ways to add arduinos to the batch.

  3. The article does not mention to what extend the attack depended on autoplay or on executing the “training program”.

    I always recommend turning OFF autoplay when I have a machine at hand.

  4. Let me guess, when they pop in the CD it says “Do put unverified cds into company computers.”

    My question is why the hell do the computers hooked up to the bank’s accounting system even HAVE cd roms for?!? Sounds like a fail at the IT level to me…

  5. Any bank that has autorun enabled on any computer in the building should be closed down, all the people fired on the spot and blacklisted to not work in any such organization for 10 years.
    At the minimum.
    Might seem tough but come on it’s 2009 and you simply cannot let such a thing happen and brush it off.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.