Malware in CD-ROM discs mailed to banks

August 26, 2009

The National Credit Union Administration (NCUA) has released an alert for all federally insured credit unions about bogus letters being mailed to credit unions accompanied by compact discs. The subject of the fraudulent letter is a purported NCUA fraud alert that advises the credit unions to review the training materials on the discs. However the discs in fact contain malware.1

Other similar tactics used in the past to infect people include USB keys loaded with malware being dropped in parking lots for unsuspecting victims to insert into their computers2, and fake parking violation tickets placed under windshield wipers that included a malicious web address for the victim to visit.3

Aug/27/2009 update: According to SANS, the mailing was part of an authorized pentration test.4

1. "Fraud Alert", National Credit Union Administration, August 25, 2009

2. "Security Watch Island Hopping: The Infectious Allure of Vendor Swag", Microsoft TechNet, January 2008

3. "Malware infection that began with windshield fliers", SANS Internet Storm Center, February 3, 2009

4. "Malicious CD ROMs mailed to banks", SANS Internet Storm Center, August 27, 2009