
Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD

Posted by timothy
from the please-avoid-mine dept.
redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.
  • by Shakrai (717556) on Thursday August 27, 2009 @07:46PM (#29225059) Journal

    One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proofread the letter.

    Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

    • by CannonballHead (842625) on Thursday August 27, 2009 @07:48PM (#29225075)

      Mail fraud, financial fraud, computer fraud and forgery. What have I missed?

      We're on Slashdot. At least insult them properly: they probably use Windows.

      • by Shakrai (717556) on Thursday August 27, 2009 @08:16PM (#29225337) Journal

        The backend software package used by this particular credit union actually runs on Linux and Oracle. All but one of the workstations run Linux too. The holdout is a Windows 2000 machine that they keep around for some legacy software that they haven't been able to replace. The tellers don't even realize it's Linux because they are locked into the interface for the management system and can't navigate out of it. The loan officers can navigate out of it but the only other applications they have access to are Open Office and a handful of white-listed websites (webmail, credit scoring and a few compliance sites).

        That's actually how I got the gig -- I was the only local person who responded to the CEO's bid who had a meaningful amount of Linux experience. He inherited the platform from his predecessor and wasn't inclined to spend the money to migrate to something else. AFAIK the vendor for his software doesn't even offer a Windows server option, although they do have a Windows option for the clients. They had previously used this option until I showed them how much they were spending on software licenses.

        I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

        • Re: (Score:3, Insightful)

          by dltaylor (7510)

          home-brew apps or off-the-shelf package?

          if OTS, whose is it?

        • by libkarl2 (1010619)

          I wish I had been able to copy the CD and play around with the trojans in a sandbox but we were instructed not to touch it after we called the proper authorities. It would have been interesting to see what they were all about and where they are phoning home.

          That was the first thing that popped in to my head when I saw the article. Hacking brand new malware to see how it works and what it does is fascinating to me. Of course, when the Secret Service says "no touch", they really really mean it.

      • Re: (Score:3, Informative)

        by Lord Ender (156273)

        Actually, I know the guys at the company who ran this test. They are definitely a Linux shop. MSI is a do-anything security company that will dig through your trash to test your shredder discipline, send phishing messages to your company to test your employee information security training, and try and sneak into your datacenter to test your security guards, as well as the normal vulnerability scanning type stuff.

        The outrage over this is pretty funny, because the company behind it was under contract from the

    • by shentino (1139071) on Thursday August 27, 2009 @07:57PM (#29225179)

      Actually, mimicking government incompetence is a necessary step to enhancing its value as a forgery.

    • What? A story with a CEO turning out not to do the dumbest thing in history?? Unpossible!

      Are they by any chance... hiring?

      .
      .

      If I were the attacker, I'd do it again. This time properly with no errors at all. And with a special warning included, that fake mailings are in circulation, and with a big official seal of trustworthiness, etc. Something that C?Os love. The whole package of "*drool* want". With no fingerprints, genetic material, etc, but real pressed CDs, with professional labels. I'd let the real NC

    • Re: (Score:3, Insightful)

      by SL Baur (19540)

      I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proof read the letter.

      I find it amusing that someone could be found to code up an auto execute function for inserted media. I find it even more amusing that there was a stupid enough manager to sign off on it.

      Was Dilbert written at Microsoft?

    • by glitch23 (557124)

      The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously.

      Granted, it should be taken seriously since it is a crime after all. However, I didn't know the SS had the time to deal with crimes like this that are not against the POTUS. Did you contact them or did they get contacted indirectly? Just wondering how and why they entered the picture as opposed to the FBI (for interstate crimes). I believe I recall hearing that the SS gets involved with counterfeit operations but never heard them getting involved with malware issues.

      • by TheCabal (215908) on Friday August 28, 2009 @01:43AM (#29227389) Journal

        Secret Service was originally part of the Department of Treasury. Now part of DHS, they still have jurisdiction over counterfeiting and fraud investigations and share jurisdiction with the FBI on some areas such as computer crime. It's well within their bailiwick.

      • Actually they started as a money protection force and only got the presidential gig later.
        Any time you start dealing with a large amount of iffy money then the Secret Service will show up
        (and I think it's in the regs for law enforcement that if they see more than X dollars at stake they summon the SS)

    • by lxs (131946)

      People who know how to write properly are usually smart enough not to get mixed up in petty crime.

      If they are of a criminal bent, they get a job at the company and go for the big fraud.

    • by Gilmoure (18428)

      Yup. And Credit Unions are one of the stronger/more reliable financial institutions right now. Hate to see something happen to them.

  • Training (Score:4, Funny)

    by sexconker (1179573) on Thursday August 27, 2009 @07:47PM (#29225065)

    Did the penetration testing "training" CDs at least provide a helpful "Lesson Number 1: Never do what you just did." video?

    • Re: (Score:2, Funny)

      by svtdragon (917476)

      Really, I think this is just a massive cover-up for what happened when they found a copy of "Penetration Training 14" on the CEO's desk, and a bottle of hand lotion in the drawer.

  • Windows Autorun (Score:3, Insightful)

    by Anonymous Coward on Thursday August 27, 2009 @07:57PM (#29225185)

    The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in. Thus, killing your security immediately.

    • Re: (Score:2, Informative)

      Recent versions of Windows prompt and ask if you want to run it.

    • Re:Windows Autorun (Score:4, Informative)

      by sexconker (1179573) on Thursday August 27, 2009 @08:03PM (#29225217)

      Easily disabled or dismissed.

      The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

      • Re:Windows Autorun (Score:5, Insightful)

        by 0123456 (636235) on Thursday August 27, 2009 @08:41PM (#29225577)

        Easily disabled or dismissed.

        Uh, no; there are so many different places where autorun is configured in Windows that the average clueless user has no hope of managing to completely disable it. The whole thing is a disaster.

        • Re:Windows Autorun (Score:5, Informative)

          by Vancorps (746090) on Thursday August 27, 2009 @08:58PM (#29225685)

          ummm... there is one place to disable autorun on removable media although there are multiple methods available for accomplishing this task. Are you referring to auto-execution of other vectors? Like emails? Here's a reference [microsoft.com] for you to help you out. Windows XP or above you just modify it in the local security policy and you're done. Of course with Vista and Win7 they ask you if you want to run autorun so you don't really have to do anything.

        • by TheCabal (215908)

          You mean you're challenged by the nice little GUI that says "Turn off Autoplay"? If a GUI is a challenge, how are you ever going to master the command line?

        • How right you are. For their needs maybe they couldn't tell the difference if you used another OS and applications on Linux. Just rename them. Like call firefox IE and so on. If you were real clever you could probably move the Icons too. I know I did this FireFox on Windows a few years back to stop spyware and it worked for a couple of years. Now they just go out on the net and run programs without permission. I can't just shut it all down either, the higher ups get mad at you for this as they are the worst

      • Re:Windows Autorun (Score:4, Informative)

        by iYk6 (1425255) on Thursday August 27, 2009 @08:54PM (#29225661)

        Easily disabled

        Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

        or dismissed.

        For some versions of Windows, yes. For the most popular version in credit unions (based on my limited anecdotal experience) "dismissing" is not an option. Windows 2K just runs whatever the CD tells it to.

        The real issue here is that without autorun, idiots would open My Computer, open up D:\, and double-click "Training.exe".

        Users will do silly things, but that is no reason to just give up on security and make an OS insecure by default.

        • by CSMatt (1175471)

          Easy for an experienced computer user, yes. We can just look up on the internet which registry key needs to be changed, and to what, and then we do it. For most users this is too much, and the registry is pretty scary to them.

          Of course, you could also just hold down the shift key.
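As an added illustration (not code from the story or from any commenter), the Python below does two things the autorun thread above talks around: it parses a constructed autorun.inf of the kind a fake "training" disc would carry and lists what the Windows shell would launch, without running anything, and it decodes the NoDriveTypeAutoRun registry bitmask that the "which registry key, and to what" discussion refers to (0xFF disables autorun for every drive type; the 0x20 bit is CD-ROM). The disc contents are constructed for the example.

```python
"""Offline triage for autorun.inf plus a NoDriveTypeAutoRun decoder."""

# Constructed sample, modelled on the fake NCUA "training" disc in the story.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; a comment line the parser must skip
open=setup\Training.exe /silent
icon=training.ico
label=NCUA Fraud Alert Training
shell\install\command=setup\Training.exe
shell=install
"""

# Bits of the NoDriveTypeAutoRun value (Policies\Explorer); a set bit
# means autorun is disabled for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unspecified",
}


def parse_autorun(text: str) -> dict:
    """Return key/value pairs from the [autorun] section, keys lower-cased.

    Section and key names are matched case-insensitively, as Windows does;
    blank lines and ';' comments are ignored; later duplicates win.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text: str) -> list:
    """Every command the disc asks the shell to run: open=, shellexecute=,
    and any shell\\<verb>\\command= entry. Nothing here is executed."""
    entries = parse_autorun(text)
    targets = [entries[k] for k in ("open", "shellexecute") if k in entries]
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            targets.append(value)
    return targets


def decode_no_drive_type_autorun(value: int) -> dict:
    """Map a NoDriveTypeAutoRun bitmask to {drive type: autorun disabled?}."""
    return {name: bool(value & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def cdrom_autorun_disabled(value: int) -> bool:
    """True when the CD-ROM bit (0x20) is set, i.e. a mailed disc cannot autorun."""
    return decode_no_drive_type_autorun(value)["CD-ROM"]


if __name__ == "__main__":
    print("disc would launch:", launch_targets(SAMPLE_AUTORUN_INF))
    for v in (0x91, 0xFF):
        print(hex(v), "CD-ROM autorun disabled:", cdrom_autorun_disabled(v))
```

The parser is the part to run against a disc image you have mounted read-only; the decoder takes the DWORD read from HKLM or HKCU under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.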

        • Re: (Score:3, Insightful)

          by TheCabal (215908)

          Any financial institution that deploys a "bare metal" installation of ANY OS without any hardening, be it Windows, Linux or whatever, shouldn't be handling the public's money to begin with and needs to be slapped severely about the face and ears. I wouldn't deploy a stock install of Linux either without spending time hardening it. Anyone who thinks Linux is "Secure by default" has drunk a little too much of the Kool-Aid. Believe me when I say that Windows can be hardened to a point where it is rather diffic

  • Another scam (Score:4, Insightful)

    by Orion Blastar (457579) <[orionblastar] [at] [gmail.com]> on Thursday August 27, 2009 @08:02PM (#29225205) Homepage Journal

    like those Emails from Microsoft with attachments that say they are operating system patches you must install to prevent a virus.

    Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

    The attached files usually have malware in them.

    Microsoft does updates via Windows Update or Microsoft Update or via their web site in downloading patches, they never attach the patches to email.

    I also get mail saying I won the UK Microsoft lottery and other BS as well. I am keeping a "Scams" folder for that sort of stuff.

    I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."

    • Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.

      Can't you spoof an email address if you do not need to receive a reply? I remember doing this a few years ago. Maybe they patched it now, with the spam filters and such...

      • by Kozz (7764) on Thursday August 27, 2009 @09:29PM (#29225931)

        Yep, trivial.

        Years back (about 1995 or so) I configured my MTA to provide "president@whitehouse.gov" as the "From" address when I sent an obvious prank to a co-worker. He replied (!) cussing me out and joking, "I'm going to kill you". You can imagine he quickly realized what he'd done and sent another email explaining himself. Who knows if he managed to get himself on an FBI watchlist or not. ;)

        • Re: (Score:2, Funny)

          A friend of mine in university got in a bit of trouble when he spoofed the reply address in a joke email. The IT dept wasn't happy they had to explain to a student that they didn't really get an email from god@heaven.com.
        • I once played around with that, 10, 12 years ago, writing emails using telnet -- ostentatiously with an address billgates@microsoft.de (or some such shenanigans). Apparently I did something wrong, because a couple of days later I got a stern but friendly mail from a Microsoft admin. I probably sent it to myself, misspelled my own address and it got bounced back to them.

    • by Vancorps (746090)

      Microsoft will send you direct links to download hotfixes when you request them from their website. Not quite the same as an attachment and you have to request it first but it would be the same result if you got such an email while you were expecting a reply from Microsoft which can sometimes take a few days.

      I created a spam account on our domain where users can forward their spam if they are getting it on a regular basis. That way I can extend my filters and content blockers. Keeps the spam pretty low for

    • Hey! Shhh... I'm twying to hunt wetawds hewe...

      *sends out more very obvious scams targeted at IQs below 80*

      You know... fow natuwaw sewection and such...

  • by improfane (855034) on Thursday August 27, 2009 @08:04PM (#29225233) Journal

    Expect malware to appear or be in the wild already on/in:

    • pirated DVDs, the ones with dual film and PC content, like the Pokemon DVDs
    • more flash drives
    • mp3 players, iPods (using hard drive mode)
    • Music CDs, the ones with dual PC and audio player content
    • Facebook applications
    • second hand routers (Linux routers)
    • second hand laptops and computers
    • more flash drives
    • Windows install CDs
    • FireFox plugins
    • web development templates
    • Packages (deb, rpm whatever), makefiles etc
    • PDF files

    The more I use my laptop, the more I wish to install a hypervisor on the BIOS (preferably based on Linux CoreBOOT or something) and use it to track my laptop and profit from it if it gets stolen.

    Hey if someone steals my laptop, sit and cry?

    • Don't bother. At the rate malware is proliferating, somebody will install a hypervisor on your BIOS for you. Think of it as a "citizen's automatic update".
      • Re: (Score:3, Insightful)

        by rtb61 (674572)

        At the current price why would anyone bother with second hand routers, switches etc. They would do it with new gear, redo the factory default in a chip programmer and, then offer them at a discount, in the thousands. Especially with countries deeming it appropriate to become involved in large scale computer hacking as intelligence operations and, for the inevitable rogue agents and contractors, a future 'route' to profits.

        • by fluffy99 (870997)

          Happens more often than you'd realize. China is very, very good at hacking and spying. They also happen to manufacture a significant portion of the IT components that we all buy and consider trustworthy. I'm convinced that if we ever piss off China, they can send out some magic icmp packet that will start bricking every Cisco switch in the US.

        • by TheCabal (215908)

          Where do you think Cisco has all of its gear manufactured?

          Now think just a few years back when the FBI release a warning about fake Cisco gear coming out of China with possibly some dodgy software loaded?

  • by twistah (194990) on Thursday August 27, 2009 @08:41PM (#29225581)

    Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, and the payload is innocuous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such as myself and others.

  • by rayd75 (258138) on Thursday August 27, 2009 @09:08PM (#29225761)

    In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature. (less competitive with each other, that is.) My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals on staff at all. (IT or otherwise) In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.

  • Hostile takeover by Sony?
  • Truly, there's a sucker born every minute. Most of them seem to wind up working in business, and most of them have the technological competence of a retarded toaster. With any luck, the movers and shakers will figure out that paying the IT guy more than minimum wage...and having somebody competent to watch over HIM...is a wise investment.

    • by Lumpy (12016)

      With any luck, the movers and shakers will figure out that paying the IT guy more than minimum wage...and having somebody competent to watch over HIM...is a wise investment.

      Only when they realize paying an Executive to play golf and schmooze all day for ungodly amounts of money a year is stupid and eliminate the worthless position altogether.

      For every underpaid IT guy there is at least 1 worthless Executive that can be tossed out of the company and nobody would notice. It amazes me how many executive pos

  • Often are the best.
