ALEXANDRIA, Va.—Following a report that suggested NCUA might have been the source for private data hackers obtained on BSA officers at CUs targeted by a phishing attack, the agency says its review indicates it is not the source of the compromise.
As CUToday.info reported, a malware-laced phishing campaign that targets specific employees responsible for anti-money laundering has been hitting some credit unions, according to a report from Krebs on Security.
Brian Krebs, who runs the popular blog on cybersecurity, noted U.S. credit unions are required to register these BSA officers with the NCUA, and that on the morning of Jan. 30, BSA officers at credit unions across the nation began “receiving emails spoofed to make it look like they were sent by BSA officers at other credit unions. The missives addressed each contact by name, claimed that a suspicious transfer from one of the recipient credit union’s customers was put on hold for suspected money laundering, and encouraged recipients to open an attached PDF to review the suspect transaction,” Krebs reported.
Krebs said the phishing emails contained grammatical errors and were sent from email addresses not tied to the purported sending credit union.
“It is not clear if any of the BSA officers who received the messages actually clicked on the attachment, although one credit union source reported speaking with a colleague who feared a BSA contact at their institution may have fallen for the ruse,” Krebs stated.
Krebs said at least one source with an association said it’s hard to imagine the source for the list of BSA officers was any other entity than NCUA.
However Krebs, in a recent update, shared that BSA officers from more than just credit unions have had their personal information compromised.
“Multiple sources have now confirmed this spam campaign also was sent to BSA contacts at financial institutions other than credit unions, suggesting perhaps another, more inclusive, entity that deals with financial institutions may have leaked the BSA contact data,” stated Krebs on his website.
Upon learning of the spear phishing campaign, NCUA said it conducted a “comprehensive review” of its security logs and alerts.
“This review is completed and it did not find any indication that information was compromised. The most recent information available indicates the campaign extends beyond credit unions to other parts of the financial sector,” stated the agency in a release.
NCUA said it makes protection of sensitive data a top priority, and that it uses a defense-in-depth approach to monitoring and shielding its systems and information.
NCUA added that it is encouraging all credit union staff to be wary of suspicious emails, and credit unions may report suspicious activity to the agency. Additional information about phishing and other information security concerns is available on the agency’s Cybersecurity Resources webpage.