
How to protect yourself from drop USB attacks

Imagine that you find a USB drive somewhere on campus, or perhaps receive one for free in the mail. What do you do? Or more importantly, what shouldn’t you do?

While it may be tempting to plug that drive into your computer either to find information that will help you return it to its owner or to use it for yourself, think twice!

If you aren’t certain where a USB drive came from, don’t use it. Don’t plug it in and don’t pass it on.

Criminals drop USB drives infected with ransomware where they will be found and used by the unwary. They’ve also been known to send infected drives through the mail. Such attacks are known as “USB drop attacks,” or sometimes “USB drive-by attacks.”

There are 3 main types of USB drop attacks:

  • Malicious code — The user clicks on one of the files on the drive, which triggers malicious code that runs automatically when the file is viewed and can download further malware from the Internet.
  • Social engineering — The user clicks on one of the files on the drive and is taken to a phishing site which attempts to trick them into entering their login credentials.
  • HID (Human Interface Device) spoofing — The USB drive contains software that tricks the computer into thinking a keyboard is attached. The drive then injects keystrokes to command the computer to install malware, such as BlackMatter ransomware, or even give a criminal remote access to the victim’s computer.

The FBI warned of HID spoofing attacks being carried out via the USPS and UPS earlier this year, as reported by Brina Blum in her article on Bleeping Computer. Blum reports that the attackers were the FIN7 cybercriminal group.

FIN7 “attackers mailed packages containing ‘BadUSB’ or ‘Bad Beetle USB’ devices with the LilyGO logo, commonly available for sale on the Internet. They have used the United States Postal Service (USPS) and United Parcel Service (UPS) to mail the malicious packages to businesses in the transportation and insurance industries since August 2021 and defense firms starting with November 2021.”

Such packages may also contain letters about COVID-19 guidelines, counterfeit gift cards and forged thank you notes, depending on whom the attackers impersonate.

How can you protect yourself? Easy! Never plug a drive from an unknown source into your computer or any device on the campus network, including those in computer labs.
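What HID spoofing looks like at the USB level, as an added example that is not part of the original article: every USB device declares its interfaces in a configuration descriptor, and a device sold as a storage drive has no reason to declare a keyboard. The function names and the sample descriptors below are constructed for illustration; the class and protocol codes are the standard USB-IF values.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08      # USB-IF interface class codes
DT_CONFIG, DT_INTERFACE = 0x02, 0x04  # descriptor types
BOOT_KEYBOARD = 0x01                # bInterfaceProtocol for HID boot keyboards

def interfaces(blob: bytes):
    """Walk raw descriptor bytes; yield (class, subclass, protocol) per interface."""
    pos = 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE and length >= 9:
            yield tuple(blob[pos + 5:pos + 8])
        pos += length

def assess(blob: bytes) -> str:
    """Classify a device that is expected to be a plain storage drive."""
    found = list(interfaces(blob))
    classes = {c for c, _, _ in found}
    if any(c == HID and p == BOOT_KEYBOARD for c, _, p in found):
        return "block: declares a keyboard interface"
    if HID in classes:
        # Non-boot HID devices describe themselves in the report descriptor,
        # which this example does not parse, so treat any HID as suspect.
        return "review: declares a HID interface"
    if classes == {MASS_STORAGE}:
        return "storage only"
    return "review: unexpected interface classes"

def config(*ifaces):
    """Build a constructed configuration descriptor for the samples below."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(ifaces))
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(ifaces), 1, 0, 0x80, 50)
    return head + body

# Constructed samples, not captures from real devices.
FLASH_DRIVE = config((MASS_STORAGE, 0x06, 0x50))    # SCSI command set, bulk-only
DISGUISED = config((MASS_STORAGE, 0x06, 0x50), (HID, 0x01, BOOT_KEYBOARD))

if __name__ == "__main__":
    for name, blob in [("flash drive", FLASH_DRIVE), ("disguised", DISGUISED)]:
        print(f"{name}: {assess(blob)}")
```

A "storage only" result covers HID spoofing alone: it says nothing about the files on the drive, which is how the other two attack types work.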
