Published: 2009-08-27
A federal agency warned on Tuesday that cybercriminals are going low tech.
The National Credit Union Administration told financial institutions to be on the lookout for a fake alert, supposedly sent by the agency, that comes in the regular mail accompanied by two CDs carrying malicious programs. The fraudulent letter asks credit unions to review the "training materials" on the CDs, the NCUA stated in its online alert.
"Doing so could result in a possible security breach to your computer system or have other adverse consequences," the agency stated.
However, the attack that inspired the warning appears to have been part of an authorized penetration test against an NCUA member institution, according to the SANS Institute's Internet Storm Center. Security assessment firm MicroSolved posted a statement on its site on Friday confirming that it had been the firm conducting the penetration test.
"This was a controlled exercise in which the process worked," the company said in a blog post on Friday. "The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement."
The security of financial institutions has become a major issue over the past few years, as online thieves have had greater success breaching their systems. Last week, a federal grand jury charged three men with stealing more than 130 million credit- and debit-card accounts from retailers. In 2006, two online brokerages acknowledged losses of at least $22 million in a single financial quarter due to hackers.
Most attacks have happened online, but offline attacks have also become a problem. In 2006, a security consultancy showed that bank employees are all too willing to put USB memory sticks from an unknown source into a sensitive computer at work. Last year, security experts warned that a number of devices — such as digital picture frames — had become vectors for compromising consumer computers.
Financial institutions that receive copies of the CDs in the mail should notify the NCUA.
UPDATE: This article was updated with information from the SANS Institute that the attack was actually an authorized penetration test. It was updated again following MicroSolved's post on the topic.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos
