Email phishers tried to lure dozens of anti-money laundering agents at credit unions into giving them network access using a classic contaminated email attachment scheme, a new KrebsOnSecurity report said.
The precisely targeted malware campaign, launched by unknown cyber scammers, served up emails that looked like messages from bank secrecy officers working at other credit unions, Krebs said. Under the Bank Secrecy Act (BSA), which originally dates to 1970, credit unions, banks and other financial organizations must hire at least two bank secrecy officers to watch for illicit activities such as money laundering, terrorist financing and other unlawful transactions.
On January 30, a number of BSA officers at credit unions nationwide received emails that appeared to be from similar agents at other credit unions, Krebs reported. The emails, which contained grammatical errors and were sent from email addresses not tied to the credit unions (hallmarks of spam), informed recipients that a funds transfer from one of the credit union’s customers might involve laundered money. A copy of the supposed transaction was attached to the email in a PDF file that directed the BSA officers to a malicious site. When scanned by VirusTotal.com, the PDF passed as uncontaminated.
“We’ve got suspicions transfer from your client, and put it on hold,” read one of the emails, purportedly sent from Charlene Ball, a “BSA/AML officer” at a credit union, as Krebs posted. “According to section 314(b) of the USA Patriot Act, we have to report you about potential money laundering. Please review the attached documents with details of this case.”
The big question is how the hackers got the work email addresses of the BSA officers, which are not made public. Was it an inside job? Because it initially appeared that only BSA officers received the malicious emails, there is some question whether the names and addresses came from a leak at the National Credit Union Administration (NCUA), as Krebs reported.
So far, the NCUA is saying the email list didn’t come from them, claiming in a statement that their data showed the phishing campaign “extends beyond credit unions to other parts of the financial sector.” The federal agency, which guarantees deposits at federally insured credit unions, said that a “comprehensive review of its security logs and alerts” had not turned up “any indication that information was compromised.”
The U.S. Treasury Department also weighed in on the email scam. “ is aware of the phishing attempts and we’re examining the circumstances. There is no indication that any FinCEN systems were compromised.”
As always, when we know more, you’ll know more. Stay tuned.