Malicious CD Package Might Just be a Part of Penetration Test
MicroSolved, a company hired by a Credit Union to evaluate its security incident response procedures, has admitted that it send a forged snail-mail package that purported to be a letter from National Credit Union Association (NCUA).
Reportedly, earlier in August 2009, NCUA issued a security alert. The alert revealed that an anonymous credit union got a package via regular mail. The package contained a bogus letter and malicious CDs that claimed to emerge from the federal agency.
To raise awareness about this unusual mode of attack, media and the security community subsequently reported the incident.
However, it was later revealed that the incident was the outcome of a security test conducted by MicroSolved. As per the news published by Softpedia on August 31, 2009, Brent Huston, CEO of the company, noted that the projected extent of that test was supposed to be limited, which however increased due to an untoward situation.
MicroSolved stated that a client of the credit union received a package from MicroSolved in the last week of August 2009 that contained a fake letter purporting to be dispatched by NCUA along with two CD-ROMs as a part of a penetration test.
The person in charge of the test was not in the office on that particular day when the package was received. So he case was reported to the NCUA fraud hotline by the other employee who received the fake letter, depicting a NCUA logo and fake signature of former Chairman Michael Fryzel.
The NCUA then issued an alert, warning all federal credit unions of the potentially unsafe disks. The alert cautioned that the counterfeit letter directed recipients to run the educational CD-ROMs, which could result into a security breach.
As said by MicroSolved, the disks had "simulated malware", which is used for testing purpose and is safe and does not spread. NCUA in a news release stated that the incident was aimed at a particular credit union, and so others should not have received the package.
In the meantime, a spokesperson from MicroSolved explained that the test was not intended at all to play out in such a way, but he appreciated security community and media for the way they treated the entire matter.
Related article: Malicious Scripts with Zero-byte Padding can Pass Undetected
» SPAMfighter News - 21-09-2009