Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Security testing organisation MicroSolved sent a package to a credit union client last week containing a fraudulent letter seemingly coming from the National Credit Union Administration (NCUA). Also contained in the package were two CD-ROMs, part of a penetration test, MicroSolved said in a blog post. However, on the day the package was received, the person responsible for the test was out of the office. So the employee who received the suspicious letter, which bore a NCUA logo and the bogus signature of former chairman Michael Fryzel, reported it to the NCUA fraud hotline.On being notified of the suspicious letter and CD-ROMs, the NCUA issued an alert, warning all federal credit unions of the potentially dangerous disks. NCUA's alert warned that the bogus letter directed recipients to run the educational CD-ROMs, but doing so could potentially result in a security breach. MicroSolved said that the disks contained “simulated malware”, which is safe, does not propagate, and is used for testing purposes. In a news release, the NCUA said the incident was isolated to one credit union, and no others should have received the package“This was a controlled exercise in which the process worked,” MicroSolved said in its blog post. “The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement.”In addition, though the outcome of the test was unintended, the employee's reaction to the suspicious package was exemplary, MicroSolved said. The employee followed proper incident response processes by reporting the suspicious package to the hot line."That the intended contact was not there made this a real world test," Randy Abrams, director of technical education at ESET, wrote in a comment on MicroSolved's blog post about the incident. "The employee who blew the whistle should be congratulated on a job well done. The fact that the alert went out means that many more people were educated against one potential attack vector.”Abrams told SCMagazineUS.com that those who trained the employee "deserve kudos as well."But not everyone has been as enthusiastic about the test. While MicroSolved said in its blog post that the NCUA, "understood the situation and seemed appreciative of our efforts", the NCUA said in its own news release Friday that the penetration test utilised “unauthorized and improper use of the NCUA logo.”“Credit unions are not authorized to create facsimile documents bearing NCUA logos or signatures, or to improperly represent communications from NCUA, even during the legitimate conduct of business, such as a computer security assessment,” the organisation said.In addition, another commenter on the MicroSolved blog wrote, "I wonder if spoofing NCUA is the best idea. I know that I would not be happy if I found out that a company was pretending to be us to fool someone into responding to a social engineering attack."See original article on scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.