Naked Security

Don’t plug it in! Scammers post infected USB sticks through letterboxes

Unexpectedly received a USB stick in the post? Whatever you do … DON’T PLUG IT IN!!

Police in the Australian state of Victoria are warning the public about cybercriminals’ latest tactic: randomly dropping unmarked USB sticks containing malware through letterboxes.

The criminals are of course hoping that the unsuspecting recipients will plug the freebie USB drives into their computers. The state police’s online news warns:

Upon inserting the USB drives into their computers victims have experienced fraudulent media streaming service offers, as well as other serious issues.

Police are urging anyone with information about the people behind the scam to contact Crime Stoppers.

Picking up and plugging in

The criminals behind the USB drop are tapping into our curious, well-documented and inexplicable urge to plug in any old USB stick we find lying around.

Back in April, we reported on how vulnerable we are to malware shared through these abundant and inconspicuous devices. Surprisingly:

…almost half of dropped USB sticks will get plugged in.

A study published by a group of researchers from the University of Illinois, the University of Michigan and Google confirmed that many people would not only pick up and plug in a USB stick of unknown origin, but would also open files, click on unfamiliar links and send messages to email addresses they found on them.

USB sticks have long been a means for distributing malware. Nearly five years ago we studied 50 lost USB sticks and found them riddled with viruses; 66% of them were infected with malware.

Not just the public

But it’s not just the public that is vulnerable to these types of scams. In 2011 the Western Australian Auditor General carried out a security exercise in which it left USB sticks in public places. The sticks had software on them that phoned home when used.

Eight of fifteen government agencies involved failed the test, with agency staff connecting the USB sticks to their computers, allowing the devices to access their agency’s network.

If you find yourself the unexpected recipient of a mystery USB stick, break it so that nobody else can plug it in and then put it into the bin.

If you use USB sticks yourself then make sure you encrypt your data so you aren’t the victim of somebody else’s curiosity if you lose it.

6 Comments

“USB sticks have long been a means for distributing malware. Nearly five years ago we studied 50 lost USB sticks and found them riddled with viruses; 66% of them were infected with malware.”

What was never reported was the number of viruses detected and disabled by Sophos AV. If antivirus disables all the malware, why not plug the device in, format it, and use it?

Reply

Because of BadUSB, anti-virus just scans the data section of the USB, not the firmware. In such a case not even formatting would help you.

Leaving that part aside, if it was newly written malware made for you or your organization without a known signature, there shouldn’t be any anti-virus that can detect it. Your best shot would be a sand-boxing solution to attempt detection and, if possible, removal.

Reply

If I’m a bad guy with a nice juicy zero-day to put to use, I might think it’s worth spending some money on a whole bunch of USB sticks. Bigger investment than the usual spam distribution with a nice payoff due to far, far better odds of folks sticking that into their USB port.

Want to take that chance?

Reply
