Earlier this week, the Victorian Police issued an alert about malware-laden USB thumb drives being found in residents' mailboxes. The idea of distributing malware through USB sticks isn't new and yet research has found that many people would plug in a USB drive that they find in a public place. This kind of attack is known to be used by attackers to gain access into corporate networks by luring careless employees into plugging in booby-trapped USB sticks in their work computers. More education is needed to warn end-users about the dangers of USB sticks found in public spaces.
People are inherently curious, which can lead us to do stupid things.
A recent study by researchers from the University of Illinois, the University of Michigan and Google found that nearly half of all end-users who pick up a USB drive off the ground would plug it into their computers. Around 300 USB sticks were scattered across a large university campus for the experient:
Here's what the researchers had to say:
"We find that the attack is effective with an estimated success rate of 45-98% and expeditious with the the first drive connected in less than six minutes. "… [N]early half are overcome with curiosity and open intriguing files -- such as vacation photos -- before trying to find the drive’s owner "
The unwitting participants of the study were university staff and students, all of which are familiar with computers and are moderately tech-savvy.
USBs are just so prevalent these days that many people inherently trust them. They're easy to use and are frequently used to share files at home and at work. Consumers are not often educated about potential dangers of using a USB stick that they are not familiar with. That's because this type of attack is more commonly used on businesses by hackers who want to gain access to corporate networks, often to steal confidential data.
"The tactic may seem quite old-fashioned, but it is actually not uncommon for businesses to be infected with targeted malware via a malicious USB dropped by an attacker in a parking lot," Kasperky Lab said in a blog post.
For consumers, the the consequences of accessing the USB devices can be severe. According to Check Point's chief strategist:
"Malware stored on the devices can take control of the user’s machine and perform a number of nefarious activities. Such activities include monitoring the user’s browsing patterns, stealing usernames and passwords, ultimately leading to consequences including fraudulent transactions being charged to the individual’s credit card or even identity theft. Other possible consequences include being hit with ransomware which can encrypt all files until a ransom payment has been made."
Kaspersky Lab addded:
"Autorun settings may take USB-borne malware to another level, too. If a computer is set up to run programs on USB drives automatically, plugging one in can start a chain reaction. If the payload is ransomware, for example, it will automatically lock files and leave the user looking for a ransomware decryptor or paying the crooks. Other types of malware log keystrokes, steal sensitive information, or just bombard them with adware. Then there are the system killers. "Aside from the aforementioned bad things, people who plug found devices into their computers could also be setting themselves back a pretty penny by killing their devices."
We've heard plenty of warnings about not clicking on links in suspicious emails but we don't talk enough about USB device security.
Many organisations also fail to adequately educate their staff about foreign USB devices. A decade ago, a group of pen testers dropped 20 USB sticks in a parking lot of a bank and fifteen of them were plugged in by the bank's employees. This type of attack is still being used today; organisations can deploy a host of IT security products but that could all go down the drain if an employee unknowingly opens the door to let attackers in. That's why social engineering attacks are becoming increasingly prevalent.
The best thing we can do is to raise awareness on the dangers of USB sticks that are found in public spaces, with our colleagues as well as family and friends.
"If you find yourself the unexpected recipient of a mystery USB stick, break it so that nobody else can plug it in and then put it into the bin," Sophos said in a blog post. "If you use USB sticks yourself then make sure you encrypt your data so you aren’t the victim of somebody else’s curiosity if you lose it."