National Credit Union Association warned credit unions nationwide of a new, creative yet simple scam that uses phishing and malicious CD-ROM disks -- but it may be a false alarm

Dark Reading Staff, Dark Reading

August 27, 2009

UPDATE: Turns out a warning from the National Credit Union Association (NCUA) about an old-school spear-phishing attack that uses the U.S. mail and a CD-ROM to dupe the institutions may have been a false alarm.

The SANS Internet Storm Center is now reporting it was informed that the "attack" was actually part of a penetration test.

The mailing included a phony fraud alert letter (PDF), purporting to be from the NCUA, that warns federally insured credit unions of phishing and "vishing" attack risks, along with a pair of CD-ROM disks.

The phony letter urges credit unions to review training material on the CD-ROMs -- but the disks instead carry a malicious payload aimed at attacking the credit union's computers, the real NCUA said this week in response to reports of the attack.

"Should you receive this package or a similar package DO NOT run the CDs," the NCUA warned in an advisory about the scam. "The letter advises credit unions to review training material (contained on the CDs). DOING SO COULD RESULT IN A POSSIBLE SECURITY BREACH TO YOUR COMPUTER SYSTEM, OR HAVE OTHER ADVERSE CONSEQUENCES."

The NCUA, which charters and supervises federal credit unions, said in its alert that any credit union that receives this mailing should contact its NCUA Regional Office or the NCUA Fraud Hotline at 1-800-827-9650.
