If you haven't guessed it by now, the two CDs were
actually packed full of malware, and the letter wasn't really from
the NCUA. Reportedly (according to the SANS Internet Storm
Center) the packages were sent from MicroSolved as part of an
authorized security test.
Nonetheless, the NCUA has responded,
issuing a warning. The NCUA states, "A federally insured
credit union has reported receiving a bogus Letter to Credit Unions,
accompanied by two compact discs (CDs). The subject of the fraudulent
letter itself is a purported NCUA FRAUD Alert. The letter advises
credit unions to review training material (contained on the CDs).
DOING SO COULD RESULT IN A POSSIBLE SECURITY BREACH TO YOUR COMPUTER
SYSTEM, OR HAVE OTHER ADVERSE CONSEQUENCES."
The letter which comes in the packages bears many hallmarks of a
phishing scheme, including typos and grammatical errors. An excerpt:
The NCUA has warned numerous times 1 about "phishing"
scams in which crooks send e-mails claiming to be from legitimate
financial institutions, companies or government agencies asking
consumers to "re-submit" or "verify" confidential
information such as bank accounts, Social Security Numbers,
passwords, and personal identification numbers...
Please read the included document, as it contains
important training and informational material regarding the risks of

While it appears the campaign may only be a test, it demonstrates
an attack route that has been much talked about but not executed in
some time. Given the poor judgment that many users seem to show when
it comes to security, the attack may experience great success.