The Grinch Who Phished Christmas

Register now

Phishers are sharpening their claws, and that has made for nastier attacks against credit unions, according to one credit union that survived six scams during the winter holidays.

"Don't think that it can't or won't happen to you in the future," said John Brozycki, network administrator at $2-billion Hudson Valley FCU (HVFCU), Poughkeepsie, N.Y. "The phishers are only going to continue to improve their attacks."

In what have been dubbed 'spear phishing' attacks, hackers recently tried to tailor their fraudulent e-mails to specific credit union executives nationwide, cashing in on new Windows vulnerabilities before Microsoft Corp. could issue software patches.

In addition to milking such "zero-day" exploits, phishers are refining their English language usage, e-mail address lists and social engineering techniques in order to trick e-mail and Internet users, Brozycki said.

In December and January, HVFCU faced two spear phishing attempts and four distinct member phishing attacks from all over the world in less than two weeks, said Brozycki.

Brozycki spoke to 120 CU Information Technology managers last month at the first annual Credit Union IT Risk Management Summit, sponsored by the Credit Union Information Security Professionals Association (CUISPA).

Though some clicked the links contained in the spear phishing e-mails targeted for HVFCU executives, antivirus software was the "saving grace," preventing the linked software from downloading onto the CU's machines, Brozycki said.

"Our PCs would have been compromised if our antivirus hadn't been updated and detected the vulnerability and prevented the exploit," he said.

CUs need to efficiently bring down fraudulent phishing sites before members visit them, Brozycki said. He encouraged IT managers to "talk to the takedown companies" for assistance. Takedown services contact Internet Service Providers (ISP) to request that fraudulent sites be shut down. "Whether or not you're technically capable, it takes a toll trying to take these sites down yourself," he said.

For those CUs taking matters into their own hands, Brozycki suggested consulting the non-profit American Registry for Internet Numbers to identify IP addresses and Network Solutions to identify domain name registrants.

CUs also should prepare notifications that are ready to send to members in the event of an attack, he said.

After the holiday phishing attacks, HVFCU called in the law, including the FBI, New York police, CUNA and the NCUA. Officials need documentation, he added. "Save the e-mail headers and other information from an attack in a Microsoft Word document. Things are coming at you pretty fast, and a lot of the evidence is transient."

In particular, ISPs agreed to provide HVFCU with the directory of files from the fraudulent websites, said Brozycki.

"Having the directories was really cool, because we got to see the exact code they were running to generate the e-mails and send them out," he explained. "We forwarded the files to law enforcement and they've subpoenaed those e-mail accounts."

HVFCU was attacked when it was most vulnerable, Brozycki said. "The phishers picked the holidays, when our IT people were away on vacation, to hit."

Within 45 minutes of one successful member phish, hackers used the data to make credit and debit cards and withdraw cash daily at ATMs in Turkey, said Brozycki.

In response, "we basically shut down Turkey," by blocking merchant- and pin-based transactions and lowering daily withdrawal limits in Turkey, he explained.

CUJ Resources

For info on this story:

* Hudson Valley FCU at

* American Registry for Internet Numbers at

* Network Solutions at

For reprint and licensing requests for this article, click here.