The security assessment company calls the exercise a success

Aug 31, 2009 07:45 GMT

A company hired by a Credit Union to assess its security incident response procedures has taken responsibility for sending the rogue snail-mail package purporting to be an NCUA letter. The company's CEO explained that the way the exercise eventually played out was not intended, but congratulated everyone involved, including the media and the security community, for how they handled it.

In August 2005, the National Credit Union Administration (NCUA) issued a security alert. The advisory revealed that an unnamed Credit Union had received a package via regular mail containing a fake letter and malware-infected CDs, claiming to originate from the federal agency. The security community and the media, including us, subsequently reported on the story, helping to raise awareness of the unusual attack vector.

It was later revealed, however, that the incident was the result of a security test performed by a company called MicroSolved, which had been contracted by the Credit Union. The company's CEO, Brent Huston, noted that the intended scope of the test was much more limited, but that it escalated due to an unforeseen situation.

"The client had received the letter and CD set in the mail, just as intended and called for in their testing agreement. However, on their side, the person responsible for the penetration test was out the day the letter arrived. The receiver of the letter followed their incident response process and reported the suspicious activity to the NCUA Fraud Hotline, just as they are supposed to do," he explains.

Unaware of the ongoing test, the NCUA staff proceeded to issue a fraud alert about what they believed at the time to be a real threat. The security assessment company became aware of what had happened only after seeing the NCUA advisory, and immediately contacted the agency to inform it of the exercise.

"The NCUA was wonderful to work with, understood the situation and seemed appreciative of our efforts to help ensure that their members were meeting the requirements of NCUA 748, which calls for the protection of member data against illicit access, including social engineering attacks like these," said Mr. Huston, who called the incident a successful test nevertheless.

"This was a controlled exercise in which the process worked. The social engineering attack itself was unsuccessful and drew the attention of the proper authorities," he noted, adding that "The NCUA did a great job of getting the word out that such an attack had occurred and the media and security folks did a great job in spreading the word to prevent further exposures to this threat vector. Everyone, and I do mean everyone, is to be congratulated here for their efforts!"

Even though this proved to be just an exercise, people should be aware that unusual real-world social engineering attacks like this one do exist. There have been cases where infected USB memory sticks were intentionally left by cybercrooks outside organizations in the hope that curious employees would find them and plug them into a computer on the internal network.

Back in February, we reported about a malware distribution campaign that used fake parking violation fliers left under the windshield wipers of cars in a parking lot. The fliers directed car owners to a malicious URL that, when visited, attempted to infect their computers.