Malicious hackers are targeting CEOs of U.S. credit unions with phishing e-mails that try to take advantage of a recently patched Internet Explorer hole to compromise systems used by the credit unions, according to the Credit Union Information Security Professionals Association, a group of IT professionals who work at credit unions.
The attacks use e-mail messages sent to CEOs and other executives at credit unions across the United States. The messages contain a link to a Web page that, when visited, attempts to download a Trojan horse program onto the executives machines. The attack is just the latest example of small-scale scams known as “spear phishing” attacks that target specific employees in an organization, said officials at Cyveillance Inc., in Arlington, Va.
Beginning late last month, executives at the credit unions began receiving identical e-mail messages with the subject “Credit Union.” The messages provide the URL of a Web page that appears to be a credit union “affiliated” with the recipients. The message asks the recipient to help confirm that the credit union is a federally recognized institution, according to a copy of the message posted by CUISPA on its Web site.
Hudson Valley Federal Credit Union, in Poughkeepsie, N.Y., received 12 e-mails, all targeted at directors and senior administrators, said John Brozycki, IT network manager. Several Hudson Valley employees clicked on the URL in the message, though anti-virus software spotted the attempted malicious-code download, Brozycki said.