I am not sure about you, but [sarcasm on] my ABSOLUTE FAVORITE THING is opening my mailbox to find unsolicited mail. You know, junk mail [sarcasm off].
Raise your hand if you are with me.
OK, all kidding aside, no one likes to find unwanted things in their virtual or physical mailbox. Even so, marketing wonks will show that direct mail — even untargeted direct mail — will convert some people to paying customers.
So why are we talking marketing on a security blog?
Glad you asked. You see, police in Melbourne, Australia recently began warning citizens not to plug USB sticks that show up in mailboxes into their computers.
“The USB drives are believed to be extremely harmful, and members of the public are urged to avoid plugging them into their computers or other devices,” the police warned.
Police warn of malware-laden USB sticks dropped in letterboxes https://t.co/0klHtOxmBM
— The Register (@TheRegister) September 21, 2016
I guess the criminals thought, hey, it worked for AOL, when planning out this strategy to get people to install malware on their machines without having to resort to traditional cybercrime methods.
The tactic may seem quite old-fashioned, but it is actually not uncommon for businesses to be infected with targeted malware via a malicious USB dropped by an attacker in a parking lot. Earlier this year, we reported on a similar experiment researcher Elie Bursztein conducted to examine the results of dropping USB sticks around a college campus. A surprising 48% of those dropped were inserted into a computer.
By playing a numbers game, the criminals could have a good success rate. We hope the warning from the police came in time.
You receive a #USB in the mail. Do you insert it into YOUR computer?
— Kaspersky Lab (@kaspersky) September 22, 2016
Although this story happens to center on a city in Australia, it still highlights a piece of personal security that needs reinforcing now and then: Never plug unknown devices into your computer.
Sure, it may be easy to stereotype the people who would plug in these devices: uneducated, elderly, or non-savvy. That’s simply not the case. Bursztein’s test shows even digital natives on college campuses will give in to temptation and plug in a seemingly free device.
Autorun settings may take USB-borne malware to another level, too. If a computer is set up to run programs on USB drives automatically, plugging one in can start a chain reaction. If the payload is ransomware, for example, it will automatically lock files and leave the user looking for a ransomware decryptor or paying the crooks.
Other types of malware log keystrokes, steal sensitive information, or just bombard them with adware. Then there are the system killers.
Aside from the aforementioned bad things, people who plug found devices into their computers could also be setting themselves back a pretty penny by killing their devices.
It may sound quite the piece of science fiction, but it’s true: A USB device can fry a computer through the port. This month saw reports that USB Killer 2.0 was out for physical destruction. In principle, the device draws power into the device through the USB port and then shoots it back into the computer, causing the circuitry to fail. Computer pricing varies by model and power, but it’s safe to say no one really wants to have to buy a new one immediately.
But I have AV and will scan the device first…
Sure, antivirus software provides critical defense against malware. But we can’t let you go without sharing another problem with surprise USB drives: Malware may not be the only danger lurking on that piece of removable media.
As the old saying goes, possession is nine-tenths of the law. In the case of the found USB, this can have grave implications for the finder. Removable media could hold illegally obtained documents, illicit pictures, bank account information, and more. And though the finder may simply see things that, well, they cannot unsee, simply possessing some kinds of files could make them an accessory to a crime.
So: A quick show of digital hands, here. Who likes opening junk mail? Who thrills to the mystery of found media?
The real question should really be: Is it worth it?
If you have friends, family or coworkers who would insert the USB, please share this post with them. After all, they will probably be reaching out to you to help fix it.