Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD 205
redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.
I actually saw one of these.... (Score:5, Informative)
One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.
Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?
Re:Mailing is to customers (Score:1, Informative)
Re:Windows Autorun (Score:2, Informative)
Re:Windows Autorun (Score:4, Informative)
Easily disabled or dismissed.
The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".
Re:Mailing is to customers (Score:3, Informative)
Actually Credit Union customers get "Phising" emails that pretend to be from the Credit Union and goes to a fake web site that looks like the Credit Union but steals their password, user ID, account number, etc.
This happened to a friend of mine, and he phoned it in and the Credit Union asked him to come into their nearest branch and present ID and get his account changed to verify who he is, only the Credit Union near him closed down and he didn't know it and the next one was 100 miles away. He had to drive that far to resolve the problem and eventually switched to a different Credit Unions. It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.
Re:I actually saw one of these.... (Score:5, Informative)
Umm, do you know what the definition of a credit union is? It's a member-owned cooperative financial institution. It's not a "debt institution". They loan money at extremely competitive rates and have no direct profit incentive other than the goal of paying a competitive dividend (interest) on their members deposits.
Go find one in your local area. Most of them are much more pleasurable to do business with than any bank. Community banks occasionally match them for customer service but no national bank ever will. I've yet to have one of my calls to my credit union answered in India or to have the interest rate on my credit card jacked up just because they can.
Re:I actually saw one of these.... (Score:5, Informative)
From the Secret Service website [secretservice.gov]:
"1984 Congress enacted legislation making the fraudulent use of credit and debit cards a federal violation. The law also authorized the Secret Service to investigate violations relating to credit and debit card fraud, federal-interest computer fraud, and fraudulent identification documents."
"2001 The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connections with computers. In addition it authorized the Director of the Secret Service to establish nationwide electronic crimes taskforces to assist the law enforcement, private sector and academia in detecting and suppressing computer-based crime; increased the statutory penalties for the manufacturing, possession, dealing and passing of counterfeit U.S. or foreign obligations; and allowed enforcement action to be taken to protect our financial payment systems while combating transnational financial crimes directed by terrorists or other criminals. "
Having the secret service investigate a cracking attempt at a bank is about as natural as having the local cops investigate a burglary. These guys are, in essence, the counterfeit currency and bank haxx0ring police, the protecting the president gig is just a flashy sideline. The fact that we have a dedicated counterfeit currency and bank haxx0ring police force does indeed say something about our priorities; but the fact that a police force does exactly what it was set up to do isn't much of a demonstration in itself.
Re:Mailing is to customers (Score:4, Informative)
It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.
Where are you getting your information from? There's been a handful of credit unions that have failed but taken as a whole they've failed at a significantly lower rate than the banks. This is actually a boom time for credit unions and local community banks because the big boys are cutting back and people are looking for an alternative. The big players are closing accounts, jacking up interest rates and imposing all sorts of new fees. The credit unions are humming along with the same business model they've had for the last few decades: Slow sustained growth backed by proper lending standards and an emphasis on member service
Go through the NCUA/FDIC data some time and compare the percentage of "well capitalized" credit unions to the percentage of similarly capitalized banks. I think you'll find that credit unions are doing just fine.
Bad name for pen-testing (Score:5, Informative)
Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, the the payload is innocous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such myself and others.
Re:Windows Autorun (Score:4, Informative)
Easily disabled
Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.
or dismissed.
For some versions of Windows, yes. For the most popular version in credit unions (based on my limited anecdotal experience) "dismissing" is not an option. Windows 2K just runs whatever the CD tells it to.
The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".
Users will do silly things, but that is no reason to just give up on security and make an OS insecure by default.
Re:Hackers can be pen testers (Score:2, Informative)
No, the descriptivists are right. Probably even in France.
If nearly every language had not changed drastically over time, there might at least be an interesting conversation there, but alas.
Re:Windows Autorun (Score:5, Informative)
Re:I actually saw one of these.... (Score:3, Informative)
Yea, I think more people would bank at credit unions if they knew about them. I'd never heard of a credit union myself until I went to college (in Urbana-Champaign, IL of all places). Actually, I thought that "credit union" was just the name of a popular banking chain in the Midwest, like Wells Fargo or Bank of America or something. It wasn't until my roommate explained to me what a credit unit was that I actually learned what they were.
Frankly, I'm kinda surprised that the Midwest has so many power co-ops and credit union while the part of Southern California I live in has neither. Maybe the poorer communities here have never heard of them or don't have the resources to set them up, while the rich communities just don't care for that sort of cooperative community organization (I suppose stocks, private equities, and off-shore bank accounts pay better).
Next we just need to extend the idea of credit unions & power co-ops to telecommunications, so we'll finally have decent broadband and mobile phone service that doesn't screw over consumers.
Re:Hackers can be pen testers (Score:1, Informative)
lol. I bet he tells people that he is gay when he is happy too,
Re:I actually saw one of these.... (Score:3, Informative)
In fact the only reason that they do protect the president is back when the issue came up, they were it for federal law enforcement. When congress wanted protection for the president (when McKinley was assassinated) they were pretty much the only choice. There was no FBI, the US Marshals didn't have the man power, and the US Postal Inspectors were just for the post office.
Perhaps they should have created a specific police force for presidential protection, but they didn't.
However, just because the USSS had a new job, didn't mean they stopped doing their old jobs. They were still tasked with protecting the nation's money, they just had another job to do now as well.
Re:I actually saw one of these.... (Score:5, Informative)
Secret Service was originally part of the Department of Treasury. Now part of DHS, they still have jurisdiction over counterfeiting and fraud investigations and share jurisdiction with the FBI on some areas such as computer crime. It's well within their baliwick.
Re:I actually saw one of these.... (Score:3, Informative)
Actually, I know the guys at the company who ran this test. They are definitely a Linux shop. MSI is a do-anything security company that will dig through your trash to test your shredder discipline, send phishing messages to your company to test your employee information security training, and try and sneak into your datacenter to test your security guards, as well as the normal vulnerability scanning type stuff.
The outrage over this is pretty funny, because the company behind it was under contract from the organizations which were mailed. What a great big bag of lulz.