August 27, 2009

Banks Receive Fake Training CDs from NCUA...oh wait...

As reported by the SANS Internet Storm Center, some banks reported receiving what appeared to be letters and training materials from the National Credit Union Administration (NCUA). The training materials consisted of CDs.

Then you hear this over the PA system:
This was a test of the emergency broadcast system. This was only a test.
Closer inspection reveals that the letters were fake and the CDs contained malware. Pretty interesting scam involving both the physical world and computer security.

Ha. So Brent Huston from MicroSolved contacts the SANS folks, letting them know that he sent those as part of a penetration test his company was performing. Wow, good test, and it was probably successful. I bet some people put those CDs in their computers.

This was a great awareness event for training our users. I fully expect to see the criminals start using this technique more. :(