August 27th, 2009

Hackers mailing malware-infested CDs to banks

Posted by Ryan Naraine @ 10:29 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Firefox, Flash, Malware, Microsoft, Mozilla, Patch Watch, Rootkits, Spam and Phishing, Spyware and Adware, Viruses and Worms

Tags: Bank, Union, CD, Malware, Hacker, Attack, Financial Services, Security, Viruses And Worms, Ryan Naraine

Just call it the throwback attack. (See important update below)

Reminiscent of the days when viruses were distributed on floppy disks, cybercriminals are currently mailing infected CDs to credit unions and smaller banks as part of a clever offline scheme to load malicious software into computers with valuable data.

According to an alert issued by the National Credit Union Association, a credit union reported receiving a bogus fraud advisory accompanied by two compact discs.

The letter advises credit unions to review training material (contained on the CDs). DOING SO COULD RESULT IN A POSSIBLE SECURITY BREACH TO YOUR COMPUTER SYSTEM, OR HAVE OTHER ADVERSE CONSEQUENCES.

The letter (PDF) contains several spelling and grammatical errors but, as Dennis Fisher points out here, this low-tech attack method can be highly effective because smaller businesses are not properly equipped and educated to deal with these types of threats:

An interesting point here is that the thieves are targeting credit unions, which tend to be smaller, community-based institutions, rather than larger, more sophisticated banks. Many credit unions have just a handful of branches and may not have the dedicated security staffs that national banks have.

In effect, this is simply an offline extension of the highly targeted spear-phishing attacks that have been plaguing smaller financial institutions for a couple of years. But it’s one that’s potentially effective and damaging.

Separately, the Washington Post has a scary report about organized cyber-gangs in Eastern Europe preying on small and mid-size companies in the United States.

Because the targets tend to be smaller, the attacks have attracted little of the notoriety that has followed larger-scale breaches at big retailers and government agencies. But the industry group said some companies have suffered hundreds of thousands of dollars or more in losses.

Many have begun to come forward to tell their tales. In July, a school district near Pittsburgh sued to recover $700,000 taken from it. In May, a Texas company was robbed of $1.2 million. An electronics testing firm in Baton Rouge, La., said it was bilked of nearly $100,000.

In many cases, the advisory warned, the scammers infiltrate companies in a similar fashion: They send a targeted e-mail to the company’s controller or treasurer, a message that contains either a virus-laden attachment or a link that — when opened — surreptitiously installs malicious software designed to steal passwords. Armed with those credentials, the crooks then initiate a series of wire transfers, usually in increments of less than $10,000 to avoid banks’ anti-money-laundering reporting requirements.
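The "series of wire transfers, usually in increments of less than $10,000" pattern quoted above is something a bank's or credit union's fraud team can screen for on the outbound side. The following is an added example, not code from the article or from the Washington Post report: a small structuring detector run over a constructed set of outbound wire records. The $10,000 figure is the reporting threshold the quote refers to; the 15% amount band, 24-hour window and minimum count of three are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample wire log (account, timestamp, amount, beneficiary); not real data.
SAMPLE_WIRES = [
    ("acct-100", "2009-08-20 09:12", 9800.00, "benef-A"),
    ("acct-100", "2009-08-20 09:40", 9650.00, "benef-B"),
    ("acct-100", "2009-08-20 10:05", 9900.00, "benef-C"),
    ("acct-100", "2009-08-20 10:31", 9700.00, "benef-D"),
    ("acct-200", "2009-08-20 11:00", 2500.00, "benef-E"),   # ordinary payment
    ("acct-200", "2009-08-21 11:00", 12000.00, "benef-E"),  # at/above threshold: handled by normal reporting
    ("acct-300", "2009-08-20 08:00", 9950.00, "benef-F"),   # one sub-threshold wire, not a series
]

REPORT_THRESHOLD = 10_000.00  # the reporting threshold named in the quoted report


def find_structuring(wires, threshold=REPORT_THRESHOLD, band=0.15,
                     window_hours=24, min_count=3):
    """Flag accounts that sent >= min_count outbound wires, each just below
    `threshold` (within `band` of it), inside any window of `window_hours`,
    where the wires together exceed the threshold. band/window/min_count are
    assumed tuning values, not figures from the article."""
    lower = threshold * (1 - band)
    by_account = defaultdict(list)
    for acct, ts, amount, benef in wires:
        # Only wires in the "just under the threshold" band are of interest.
        if lower <= amount < threshold:
            by_account[acct].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), amount, benef))

    window = timedelta(hours=window_hours)
    flagged = {}
    for acct, events in by_account.items():
        events.sort()  # chronological order for the sliding window
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the run fits inside window_hours.
            while events[end][0] - events[start][0] > window:
                start += 1
            run = events[start:end + 1]
            total = sum(amount for _, amount, _ in run)
            if len(run) >= min_count and total > threshold:
                if best is None or len(run) > best["count"]:
                    best = {"count": len(run), "total": total,
                            "beneficiaries": sorted({b for _, _, b in run})}
        if best is not None:
            flagged[acct] = best
    return flagged


if __name__ == "__main__":
    for acct, hit in find_structuring(SAMPLE_WIRES).items():
        print(acct, hit)
```

Such a rule only surfaces candidates for review; a pattern of several new beneficiaries in one morning, as in acct-100 above, is what a reviewer would then confirm against the customer's normal behaviour.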

I’m willing to bet these malicious Trojans are being installed via known security holes in popular desktop software products. My advice: Patch, patch, patch! Pay special attention to the most commonly exploited software products, especially Adobe Flash, Adobe Reader/Acrobat, popular Web browsers (Internet Explorer, Firefox or Safari), QuickTime, iTunes and RealPlayer.

If you don’t need these software products as part of your business operation, you should immediately uninstall them all.

UPDATE: The SANS ISC is reporting that the mailed CDs were part of a sanctioned penetration test.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



