Credit Union Scams: How Cybercriminals Are Targeting Small Credit Unions in the US


In recent months, Bolster’s research team has identified a surge in phishing attacks targeting credit unions and small lending partners across the United States. This wave of credit union scams is affecting nearly every credit union and a few major banks, creating widespread risk for financial institutions and their members.

Bolster analyzed prominent credit unions (listed below) and has identified a sharp increase in phishing campaigns targeting these organizations, with over 4,000 domains identified in June 2024 alone.

We will dive deeper into the data behind the phishing attacks and break down these attacks targeting credit unions throughout this blog.

The Alarming Rise in Phishing Sites

Bolster Research identified an increase in phishing attacks targeting many prominent institutions, and while this list doesn’t include all of the impacted organizations, it highlights some of the big names being targeted by scammers.

List of Some Prominent Targeted Institutions:

  • Suncoast Credit Union
  • E*TRADE by Morgan Stanley
  • BMO Bank
  • Santander Bank
  • Alliant Credit Union
  • America First Credit Union
  • GreenState Credit Union
  • Lake Michigan Credit Union
  • Mountain America Credit Union
  • Frandsen Bank & Trust

The Bolster Research team uncovered a sharp increase in URLs targeting these prominent organizations, with an average of 500 phishing domains in the months of May, July, and August, and over 4,000 URLs in June alone. The activity peaked around mid-June, specifically between June 17th and 18th.

The Tactics Behind the Attack

The attackers Bolster has identified are using a clever strategy, involving a single IP address linked to many websites. Initially, these websites show a basic default page, which looks harmless to most people. However, the real danger is hidden beneath this innocent surface.

By adding ‘index.html’ or ‘page.html’ to the URL of these websites, the actual phishing pages are revealed. These pages are designed to look like the login screens and interfaces of real credit unions and banks, tricking unsuspecting users into entering their personal information, account details, and passwords.

Animated GIF shows how attacker is using Phishing Kit to target Credit Unions.
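
For defenders, the pattern above (a harmless default page at the root, a login form behind ‘index.html’ or ‘page.html’, many hosts on one IP) can be checked over crawler or sandbox snapshots. The following is an added example, not Bolster's tooling; the snapshot tuple format, the function names and the sample hosts and IPs are assumptions constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser

# Paths the article says reveal the phishing page behind a default landing page.
HIDDEN_PATHS = ("/index.html", "/page.html")

class LoginFormFinder(HTMLParser):
    """Sets has_password when the page contains <input type="password">."""
    def __init__(self):
        super().__init__()
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password = True

def has_login_form(html):
    finder = LoginFormFinder()
    finder.feed(html)
    return finder.has_password

def find_cloaked_hosts(snapshots):
    """snapshots: iterable of (ip, host, path, html) from a crawler or sandbox.
    Returns {ip: sorted hosts} whose root page has no login form while a
    hidden path does, i.e. the cloaking pattern described in the article."""
    pages = defaultdict(dict)
    for ip, host, path, html in snapshots:
        pages[(ip, host)][path] = has_login_form(html)
    flagged = defaultdict(list)
    for (ip, host), seen in pages.items():
        root_clean = seen.get("/") is False  # root was fetched and had no login form
        if root_clean and any(seen.get(p) for p in HIDDEN_PATHS):
            flagged[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in flagged.items()}

# Constructed sample data (documentation IP ranges, .example hosts).
DEFAULT = "<html><body><h1>It works!</h1></body></html>"
LOGIN = '<form method="post"><input name="u"><input type="PASSWORD" name="p"></form>'
SAMPLE = [
    ("203.0.113.10", "cu-login.example", "/", DEFAULT),
    ("203.0.113.10", "cu-login.example", "/index.html", LOGIN),
    ("203.0.113.10", "bank-secure.example", "/", DEFAULT),
    ("203.0.113.10", "bank-secure.example", "/page.html", LOGIN),
    ("198.51.100.7", "realbank.example", "/", LOGIN),  # login on root: not cloaked
    ("198.51.100.7", "blog.example", "/", DEFAULT),    # no hidden page observed
]

if __name__ == "__main__":
    for ip, hosts in find_cloaked_hosts(SAMPLE).items():
        print(ip, len(hosts), hosts)
```

An IP that returns several flagged hosts is a candidate for blocking at the IP level rather than domain by domain.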

Investigating Crafty Emails and Deceptive Pages

Adding another layer to their deceit, the attackers use their own crafted emails, which can be identified within the default page or DOM of the phishing sites.

These emails are designed to look like legitimate communications from the targeted credit unions or banks. When users enter their data on these phishing pages, the information is automatically sent to the attacker’s crafted email addresses.

Lookalike Email Address to Grab Credentials.
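
Because the collector addresses sit in the page source, they can be pulled from captured snapshots and turned into a mail-filter blocklist. This is an added example, not code from Bolster; the (host, html) snapshot format, the allowlist parameter, the function names and all sample addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from html import unescape
from urllib.parse import unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def extract_emails(html):
    """Return lower-cased addresses found in a page snapshot. HTML entities and
    percent-encoding are decoded first so an encoded '@' is still matched."""
    text = unquote(unescape(html))
    return {m.group(0).lower() for m in EMAIL_RE.finditer(text)}

def collector_index(snapshots, allowlist=()):
    """snapshots: iterable of (host, html). Returns {email: sorted hosts},
    skipping allow-listed domains such as the impersonated brand's real one."""
    allowed = {d.lower() for d in allowlist}
    index = defaultdict(set)
    for host, html in snapshots:
        for email in extract_emails(html):
            if email.rsplit("@", 1)[1] not in allowed:
                index[email].add(host)
    return {email: sorted(hosts) for email, hosts in index.items()}

def shared_collectors(index, min_hosts=2):
    """Addresses reused across several hosts: the strongest blocklist candidates."""
    return sorted(e for e, hosts in index.items() if len(hosts) >= min_hosts)

# Constructed sample snapshots (.example domains only).
SAMPLE = [
    ("cu-login.example", '<form action="mailto:results.box%40mailer.example">'),
    ("bank-secure.example",
     '<input type="hidden" name="to" value="Results.Box&#64;mailer.example">'),
    ("bank-secure.example", '<a href="mailto:support@realcu.example">Help</a>'),
    ("other.example", "<script>var rcpt='solo@drop.example';</script>"),
]

if __name__ == "__main__":
    idx = collector_index(SAMPLE, allowlist=["realcu.example"])
    print(idx)
    print(shared_collectors(idx))
```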

The phishing pages are very advanced and often look exactly like the real ones. They copy the actual websites’ branding, layout, and functions, making it very hard for even careful users to spot the trick. Once the user enters their information on these fake pages, it is then in the hands of the attackers. The attackers can then use this information for harmful purposes, such as identity theft and unauthorized access to financial accounts.

Script in Phishing URL Aims to Steal User Keystrokes.

Our research team has gathered a list of these malicious email addresses involved in the scam, aiding in identifying and mitigating these threats.

Emails Identified by Our Research Team: A Comprehensive List

In our ongoing efforts to protect against phishing attacks and enhance cybersecurity, our research team has been diligently identifying suspicious emails linked to various phishing campaigns. Below is a comprehensive list of emails that we have uncovered through our investigations.

These emails have been flagged for their association with malicious activities targeting individuals and organizations alike:

BMO Bank Phishing Kit

The Widespread Impact

This phishing campaign has not discriminated against its targets. Almost all credit unions and a few prominent banks have been affected across the country. The scale and coordination of these attacks suggest a well-organized operation to exploit the trust and financial resources of both institutions and their members.

While the list of prominent credit unions from earlier in the piece highlights some of the key institutions targeted by the attacker, it is by no means exhaustive. Numerous other banks and credit unions have also been affected. Our research continues to uncover additional targets, demonstrating the broad scope of the phishing campaign.

In a recent instance, our research discovered over 48 phishing links crafted for a single bank, Frandsen Bank & Trust, in just one hour.

Trend Analysis of Phishing Domains Detected by Bolster.

DNSSEC Used to Block Phishing Domain Exploration

Our research team discovered that after identifying many phishing domains created by this attacker, they started using DNSSEC to prevent further exploration of the malicious IP address. This IP hosts multiple phishing domains targeting various credit unions and banks.

What is DNSSEC

DNSSEC (Domain Name System Security Extensions) secures DNS information by adding cryptographic signatures to DNS records. This ensures the authenticity and integrity of DNS responses, preventing attacks like DNS spoofing and cache poisoning. By verifying DNS data, DNSSEC helps protect users from cyber threats such as phishing.

The attacker is using this protocol to block DNS queries from our research tools. However, our team was still able to identify numerous domains and block their malicious attempts.

Protecting Yourself and Your Institution

Given the sophisticated nature of these phishing attacks, adopting robust security measures to protect yourself and your financial institution is crucial. Here are some steps you can take:

1. Educate Members and Employees: Awareness is the first line of defense. Conduct regular training sessions to educate members and employees about the signs of phishing attacks and the importance of cautious online behavior.

2. Implement Multi-Factor Authentication (MFA): Encourage using MFA wherever possible. This adds an extra layer of security, making it harder for attackers to gain access even if they obtain login credentials.

3. Monitor and Report Suspicious Activity: Monitor account activities and report any suspicious behavior to the relevant authorities immediately. Early detection can prevent significant damage.

4. Verify URLs: Always check the URL of the website you are visiting. Be wary of any slight discrepancies or unusual additions like “index.html” or “page.html”.

5. Strengthen IT Infrastructure: Ensure your IT infrastructure has the latest security protocols and defenses against phishing and other cyber threats.

6. Communicate with Members: Regularly update your members about potential threats and provide them with the tools and knowledge they need to protect themselves.

7. Identify and Block Malicious Emails: Utilize email filtering systems to detect and block emails from known malicious addresses. Share the list of identified attackers’ emails with your IT security team to enhance email security measures.

Conclusion

The recent phishing attacks targeting U.S. credit unions and banks underscore the importance of vigilance and proactive security measures. By staying informed and adopting comprehensive security practices, individuals and institutions can mitigate the risks and safeguard their financial well-being.

Remember, in the digital age, staying one step ahead of cybercriminals is a continuous effort that requires awareness, education, and the right tools.

Appendix

Fifth Third Bank Phish
Coastal Credit Union Fake App
Quadro Bank Default Malicious Page, Without Index.html