Softpedia
 


August 28th, 2009, 08:18 GMT · By

Targeted Malware Distribution Attacks via Regular Mail

Credit unions targeted by cybercrooks via snail-mail
The U.S. National Credit Union Administration (NCUA) is warning of an unusual, highly targeted malware distribution campaign that uses regular mail to reach potential victims. A credit union has recently reported receiving a package that contained a fake NCUA fraud alert letter and CDs infected with malware.

In the rogue letter, the attackers use advanced social engineering to entice credit union employees into running the malicious software. More specifically, the bogus fraud alert describes real phishing attacks in credible language and claims to offer training material on the CDs.

"The NCUA has warned numerous times about 'phishing' scams in which crooks send e-mails claiming to be from legitimate financial institutions, companies, or government agencies asking consumers to 'verify' or 're-submit' confidential information such as bank account and credit card numbers, Social Security Numbers, passwords, and personal identification numbers. A variant of that approach using telephone systems, vishing, is increasingly being used to obtain this information from unwary consumers," reads the letter (PDF) allegedly signed by Michael E. Fryzel, chairman of the National Credit Union Administration Board.

As a result of this incident, the NCUA has issued a real alert to "all federally insured credit unions." The advisory does not go into specifics regarding the nature of the malware found on the CDs, but since the fake "NCUA Letter to Federal Credit Unions" suggests reading "the included document," it might come in the form of a malicious PDF file rigged with an Adobe Reader exploit. "Should you receive this package or a similar package DO NOT run the CDs. You should contact your NCUA Regional Office or the NCUA Fraud Hotline at 1-800-827-9650," the NCUA warns.

Orchestrating such attacks via snail-mail might not look like a very effective approach, especially from a time and scope perspective. Cybercrooks usually prefer hitting a large number of individuals as quickly and with as few resources as possible, basically looking to maximize their return on investment.

However, unlike mass campaigns, which usually attract a lot of attention and are quickly blocked, this targeted attack is a lot more subtle, credible and deceptive, as it reaches its potential victims through a totally unexpected channel. There is no way of knowing how many credit union workers actually fell for this scam before someone had the idea of checking the letter's authenticity by calling the NCUA. It is very possible that the cybercrooks have already reached their intended goal by now.
