Someone’s been mailing letters purporting to be from the National Credit Union Administration to credit unions throughout the U.S. The letters ask the recipients to view training material on enclosed CDs. Not too surprisingly, the unexpected letters turned out to be fake and the CDs loaded with malware. The surprising part, though, is that the attack was fake, too.
“The malware-infected CDs that were mailed to some credit unions may have been part of a penetration test designed to gauge whether an employee would run the software. The SANS Internet Storm Center says it was notified by a representative from Microsolved that the mailing was part of an authorized pen test.”
As far as I can work it out, the letters were fake. Maybe double-fake, since they were from penetration testers pretending to be attackers pretending to be NCUA officials warning about attacks… or is that triple-fake? But nevertheless, the malware was real. The NCUA has issued a warning that playing the CDs could lead to a security breach or have other adverse consequences.
~ Ivy Wigmore