Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant’s Penetration Testing)

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware.  The NCUA warned “Should you receive this package or a similar package DO NOT run the CDs.”  The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union.

As it turns out, the credit union was undergoing security penetration testing and the security firm involved, MicroSolved, Inc., put together the fake Fraud Alert to test whether the credit union was secure against this sort of social engineering scam.  When it learned of this wrinkle, the NCUA issued an update to its Fraud Alert stating:

This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel. The bogus alert was forwarded to NCUA, prompting the issuance of the August 25 Fraud Alert. The false Fraud Alert appears to be confined to that credit union, and is not wide-spread.

It appears that the original credit union passed its security test with flying colors. ComputerWorld obtained a number of noteworthy comments in its article on the subject, but one that stands out is from SANS Institute security researcher, Johannes Ullrich, who observed that the tactic of sending fraudulent regulatory alerts with malware was something seemingly invented by security consultants.  “I thought, ‘Finally this is in the wild, because I’ve only seen it in pen tests before.'”

Leave a Reply

Your email address will not be published. Required fields are marked *