News Insights: Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions

Noted security blogger Brian Krebs reported last week on a highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at the CUs.

News Insights:

Cybersecurity experts from Lucy Security and OneSpan commented/

According to Colin Bastable, CEO of security awareness training company Lucy Security:

“This phishing campaign is a classic, multi-stage “Golden Keyholder” attack. A Golden Keyholder is a highly trusted employee or associate, with access to and influence over core systems, people and information. In this case, it appears that a spearphishing attack was launched on a Golden Keyholder in a national regulatory body. This attack has yielded a treasure trove of Golden Keyholders throughout the US financial industry – not just credit unions.

By obtaining the names, the employer identities and the email addresses of the nation’s Bank Secrecy Act (BSA) staff, the attackers are leveraging the special roles and credibility of these individuals to drop malicious code into those organizations’ IT infrastructure. BSA staff have a high level of trust with each other, as well as being authority figures with inside their Financial Institutions. This attack is designed to maximize the impact of the PDF-borne payload.

The initial attack has exposed a weakness of centrally-directed, government-mandated regulation. By mandating that these identities are stored centrally, the USA Patriot Act has made them vulnerable, thus enabling this attack.

Unfortunately, PDFs are wrongly considered to be trustworthy, “inert” attachments. So an email from a trusted peer at another financial institution, containing a PDF attachment, has a high probability of being read, and the PDF opened.

The attackers now know the identities of the nation’s BSA staff, and we can assume that further spoof email attacks will be launched, harnessing the roles and credibility of these people.”


Will LaSala, director security solutions, security evangelist at OneSpan, which provides security solutions to more than half of the world’s top 100 banks, as well as CUs and other financial institutions, said:

“Spear phishing attacks are becoming more and more common as the wealth of personal information leaked from the massive amount of new data leaks in 2018.  It is important that users stay vigilant and look for the common hallmarks of an attack.

As it’s been reported, it appears this attack contained numerous grammatically and spelling errors throughout the campaign, these should immediately tip off users to stop interacting with the email and to contact their security team or to delete the email immediately.  Technologies such as risk analytics play a big part in monitoring for fraud that occurs as a result of successful attacks.

Being able to identify attack patterns across multiple solutions in real-time with machine learning and artificial intelligences will help credit unions and other financial institutions protect their users and themselves from these successful spear phishing attacks.”


Photo Credit: verchmarco Flickr via Compfight cc