Update: We go an email and phone call from Brent Huston with Microsolved. This mailing was part of an authorized pen test. Nothing to worry about (right now), but the best practices to deal with such issues still apply.

-----

The National Credit Union Administration (NCUA) published an interesting advisory here:

http://www.ncua.gov/news/press_releases/2009/MR09-0825a.htm

Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate form the NCUA and advertises the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware.

We have not heard about this scheme affecting any other targets, but please let us know if you see something like this. Malware delivery via USPS has certainly been suggested before.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter