The National Credit Union Administration (NCUA) published an interesting advisory here:
Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate form the NCUA and advertises the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware.
We have not heard about this scheme affecting any other targets, but please let us know if you see something like this. Malware delivery via USPS has certainly been suggested before.
As it turns out, the CDs were part of an authorized pen-test......
Security assessment firm MicroSolved posted a statement on their site on Friday, confirming that they had been the firm conducting the penetration test.
"This was a controlled exercise in which the process worked," the company said in a blog post on Friday. "The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement."