WASHINGTON–A malware-laced phishing campaign targeting specific employees responsible for anti-money laundering has been hitting some credit unions, and some suspect the list of those targeted was drawn from non-public NCUA data, according to a report from Krebs on Security.
Brian Krebs, who runs the popular blog on cybersecurity, noted that U.S. credit unions are required to register these employees, known as Bank Secrecy Act (BSA) officers, with the NCUA, and that on the morning of Jan. 30, BSA officers at credit unions across the nation began “receiving emails spoofed to make it look like they were sent by BSA officers at other credit unions. The missives addressed each contact by name, claimed that a suspicious transfer from one of the recipient credit union’s customers was put on hold for suspected money laundering, and encouraged recipients to open an attached PDF to review the suspect transaction,” Krebs reported.
Krebs said the phishing emails contained grammatical errors and were sent from email addresses not tied to the purported sending credit union.
“It is not clear if any of the BSA officers who received the messages actually clicked on the attachment, although one credit union source reported speaking with a colleague who feared a BSA contact at their institution may have fallen for the ruse,” Krebs stated.
Krebs said one source at an association that works with multiple credit unions, who spoke with KrebsOnSecurity on condition of anonymity, said many credit unions are having trouble imagining any source for the recipient list other than the NCUA.
According to Krebs, one BSA officer at a credit union said their IT department had traced the source of the message they received back to Ukraine.
According to Krebs, a notice posted by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) said the bureau was aware of the phishing campaign and was urging financial institutions to disregard the missives.