Bank Data Security: Trojans Being Spread Via Mail (Postal Mail, That Is).

It looks like some criminals are resorting to real-world exploits to further their virtual-world crimes.  It makes sense, since the past couple of years or so have seen an unprecedented amount of interest in data security measures, like AlertBoot drive encryption software for laptops and storage devices, firewalls for on-line protection, etc.

And, they’re getting much more imaginative.

According to the National Credit Union Administration, a scam is being perpetrated via the postal mail against financial institutions.  Fraudulent letters, accompanied by two CDs, are being sent to banks and the like, claiming these are training materials.  They, however, are actually disks carrying malicious programs.

Since most computers are set to automatically run programs when CDs are inserted, if said malicious programs made use of the autorun feature, computers would be infected before the computer user knew what was going on.

More likely, there’s some made-up content that resembles training materials, and in the process of going through them, you click a button and you’re infected.  The victim is never aware of the incident.

There are certain ways of preventing this from happening.  One would be to disable the autorun feature.

Another would be making use of application control whitelists, so that only authorized programs are allowed to run on the computer.  (Blacklists are the other form of application control, although a blacklist would probably not work in this case.  I mean, how do you tell a computer not to run a program you didn’t know existed until you popped the CD in?)

A third one, and the one that I prefer, is to have a separate computer just for checking stuff.  When I was in college, we had an old, beat-up computer that sat on the corner of the computer lab.  It was used to scan for known viruses on storage such as floppy drives, zip drives, and CDs.  It wasn’t even that powerful…the year was 1998, and the computer was a 386, I think.  Like I said, beat up.  And, obviously, it was a standalone computer, disconnected from any networks.

It’s not the sexiest solution, but it’s one of the most foolproof methods I know for keeping outside elements out of your network.
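The autorun and whitelist ideas can be combined on such a checking machine. The sketch below is an added example, not part of the original post: it reads a disc's autorun.inf, lists the programs it would launch, and compares their SHA-256 hashes to a whitelist. The sample file contents, the function names and the whitelist being a set of hashes are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

# Constructed sample of a disc's autorun.inf (not taken from the NCUA incident).
SAMPLE_INF = """[AutoRun]
open=training\\start.exe /quiet
icon=training\\logo.ico
shell\\install\\command=setup.exe
"""

def autorun_commands(inf_text):
    """Return {key: command} for [autorun] entries that can launch a program."""
    commands, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                commands[key] = value
    return commands

def program_of(command):
    """Extract the program path from a command line (handles a quoted path)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command.split() else ""

def review_disc(root, approved_sha256):
    """List (key, program, verdict) for each launch entry on the disc at root."""
    root = Path(root).resolve()
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    findings = []
    for key, command in autorun_commands(inf.read_text(errors="replace")).items():
        program = program_of(command)
        target = (root / program.replace("\\", "/")).resolve()
        if root not in target.parents or not target.is_file():
            verdict = "not-on-disc"       # missing, or points outside the disc
        elif hashlib.sha256(target.read_bytes()).hexdigest() in approved_sha256:
            verdict = "approved"
        else:
            verdict = "unapproved"        # would launch a program nobody authorized
        findings.append((key, program, verdict))
    return findings
```

An empty result means the disc has no autorun.inf launch entries; it says nothing about programs a user might start by hand from the disc.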

Update (28 AUG 2009): There are reports that the above may not be an actual attack, but part of a penetration test.  A penetration test is a paid attack, where professionals try to penetrate an organization’s (data) defenses to see where its weaknesses may lie.  However, generally, higher-ups are aware of such penetration tests, and wouldn’t have allowed their effects to spill over to other organizations–namely, the NCUA that is alerting all credit unions it knows of.  If this is a penetration test, they’ve (whoever “they” might be) certainly forgotten to cross their T’s and dot their I’s…

Update II (28 AUG 2009): It’s official: the CDs were sent as part of a penetration test.  And, the reaction by the banks receiving the CDs and by the NCUA was real.  The system works!
