The attacks use e-mail messages that are being sent to CEOs and other executives at credit unions across the United States. The messages contain a link to a Web page that, when visited, attempts to download a Trojan horse program onto the executives machines.
The attack is just the latest example of small-scale scams known as "spear phishing" attacks that target specific employees in an organization, said Todd Bransford, vice president of marketing at Cyveillance Inc., an online risk management company in Arlington, Va.
Beginning on Monday, executives at the banks began receiving identical e-mail messages with the subject "Credit Union." The messages provide the URL of a Web page that appears to be a credit union "affiliated" with the recipients bank.
The message asks the recipient to help confirm that the credit union is a federally recognized institution, according to a copy of the message posted by CUISPA (Credit Union Information Security Professionals Association) on its Web site.
Executives who clicked on the link were taken to a Web page that attempted to download two pieces of malicious code on their machines. One was a Trojan horse program called "Bloodhound.Exploit.54" that uses a recently discovered hole in IE.
Many credit unions who reported the e-mail had anti-virus software that recognized the Trojan and blocked it when the user visited the attackers Web page, said Kelly Dowell, executive director of CUISPA.
However, it is possible that credit unions that have not updated their anti-virus definitions recently were infected without realizing it, he said. He added that CUISPA has not contacted the FBI because it is not aware of any monetary damage stemming from the attack.
"If you cant prove monetary damages, [the FBI] isnt interested in it," he said.
Phishing attacks are nothing new, even for small credit unions and local banks, which are increasingly targets of shadowy online criminal groups and scam artists.
Hudson Valley Credit Union in Poughkeepsie, N.Y., received 12 e-mails, all targeted at directors and senior administrators, said John Brozycki, IT network manager for the credit union.
The messages arrived slowly, over a period of about 45 minutes, to avoid setting off security products looking for spam and phishing attacks, he said.
The message, though poorly worded, was well-targeted to bank administrators, and Hudson Valley had a number of employees who clicked on the URL in the message, though anti-virus software spotted the attempted malicious code download, he said.
Nobody knows where the attackers got the e-mail addresses, though credit union staff members say there are many possible sources, including Web pages and credit union industry groups. However, the information was at least two years old, Brozycki said.
The attack is novel in shifting focus from banking customers to banking executives, Dowell said. James Brooks, senior product manager for anti-phishing at Cyveillance, pointed out that by targeting executives, attackers could be trying to get access to sensitive systems at the credit unions.
"If the attack was successful, we dont really know what could happen. Theyre inside a financial institution. If they got the CEO, they might have access to everything on the network," he said.
Exploiting machines within the bank that are used by executives could provide quick access to systems that control thousands of bank accounts, rather than just one or two accounts, Brooks said.
However, executives might not be as rich a target as hashers think. Changing banking regulations have reduced the permissions that executives have for systems within the banks in recent years, said Chad Lorenc of ENT Credit Union in Colorado Springs, Colo.
Efforts to get the Web site used in the attack taken offline were hampered by botched communications with Network Solutions Inc., which hosted the site. Network Solutions eventually took the site down after intervention by Cyveillance on Wednesday, Dowell said.
Spear phishing attacks have become more prevalent in recent months, as online criminal groups hone their tactics.
The true extent of the spear phishing attack on credit unions is still not known. Despite the fact that the attackers used a brand new exploit to try to install malicious code, awkward wording in the phishing e-mail message and the ability of anti-virus programs to identify the malicious code that was used probably prevented infections at many credit unions, experts agree.
Had the attackers used a more polished phishing e-mail and Web site, and an unknown ("zero day") exploit, the results could have been far worse, Brozycki said.