'Spear-Phishing' Attack Targets CEOs, Senior Managers

Credit unions are being warned of a new "spear phishing" scam targeting CEOs that tries to take advantage of a recently patched Internet Explorer hole to compromise credit union computers.

The attacks, according to the Credit Union Information Security Professionals Association (CUISPA), use e-mail messages sent to CEOs and other top executives that contain a link to a web page that attempts to download a Trojan horse program onto the executives' computers.

According to CUISPA, several credit union executives have reported such attacks, which are known as spear phishing because they target specific employees. Hudson Valley Federal Credit Union reported receiving 12 such e-mails, all targeted at directors and senior managers.

The text of the e-mail, which was also received at The Credit Union Journal, reads, "Good Day. I recently came across this credit union: http://www.wrdfcu.org that is affiliated with your organization. They claim to have higher interest rates than any other federal credit union. After speaking with a representative their, I would like to have a second opinion in regards to their creditability. Are they really registered with the federal government as an official credit union? Thank you for your assistants."

CUISPA noted that the numerous grammatical and spelling errors in the e-mail are a tip-off to its questionable origins.

In its warning to credit unions, CUISPA notes that by clicking on the link in the letter, the recipient unknowingly activates a program designed to exploit a flaw in Microsoft Internet Explorer.

"By exploiting the flaw, the attacker can perform a denial-of-service attack or potentially execute code remotely with the log-on privileges of the user," CUISPA said, urging credit unions to educate their employees about such threats. "The exploit could be triggered by simply viewing a specially crafted HTML document, hosted on a remote website, or sent in e-mail, or by browsing a network share if ActiveDesktop is enabled. All of which would likely go unnoticed by the email recipient. While proper security controls can prevent this type of malicious executable from launching, as was the case with the West Coast credit union, it is important for credit unions to educate their staff and be on the lookout for variants of this type of attack."

For info: www.cuispa.org.
