Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.

Training

[sexconker]

Did the penetration testing "training" CDs at least provide a helpful "Lesson Number 1: Never do what you just did." video?

Re:I actually saw one of these....

[CannonballHead]

Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

We're on Slashdot. At least insult them properly: they probably use Windows.

Re:I actually saw one of these....

[shentino]

Actually, mimicking government incompetence is a necessary step to enhancing its value as a forgery.

Re:I actually saw one of these....

[Mozk]

I just bought a bunch of 10 month CDs from my credit union

Doesn't AOL give out 10-month CDs for free?

Re:Another scam

[Kozz]

Yep, trivial.

Years back (about 1995 or so) I configured my MTA to provide "president@whitehouse.gov" as the "From" address when I sent an obvious prank to a co-worker. He replied (!) cussing me out and joking, "I'm going to kill you". You can imagine he quickly realized what he'd done and sent another email explaining himself. Who knows if he managed to get himself on an FBI watchlist or not. ;)

Re:Wait, I've heard this one before.

[John Hasler]

> Credit unions make great financial sense but only the largest ones have the
> kind of IT and security resources most of us associate with a bank.

Considering what the banks accomplish with those resources, I'll take the credit unions.

Pen testers

[Anonymous Coward]

I'm in favor of it; I think that banks really need pen testers.

Their pens usually are broken off of those little chain things, and when you do find one that's still attached, it doesn't write.

Re:Another scam

[nihongomanabu]

A friend of mine in university got in a bit of trouble when he spoofed the reply address in a joke email. The IT dept wasn't happy they had to explain to a student that they didn't really get an email from god@heaven.com.

Re:Mailing is to customers

[Anonymous Coward]

This bout of reasonable discourse brought to you by: Slashdot

Shoes for Turds, Stuff that Splatters.

Re:Windows Autorun

[LeperPuppet]

While we're making it simple, why don't we just open up all the keyboards on site and solder the shift key connectors permanently closed? No autorun all the time and anyone who doesn't know about holding down the shift key won't have to learn. It's a perfect solution.

Re:Where are the jokes?

[MadKeithV]

No-one on slashdot has the necessary experience to make penetration jokes.

Re:Training

[svtdragon]

Really, I think this is just a massive cover-up for what happened when they found a copy of "Penetration Training 14" on the CEO's desk, and a bottle of hand lotion in the drawer.