Received a Thumb Drive in the Mail? Don’t Plug It In
Just when you thought that cybercriminals had reached a peak with their crafty attacks, a recent hacking incident proves that assumption wrong. Last month, a LinkedIn user posted photos of a package a family member received in the mail. Designed to look just like a Microsoft Office Professional Plus bundle, the package included a user manual and a USB drive with the Office logo printed on it.
Assuming it was a software upgrade, the unsuspecting user plugged the USB drive into their computer—which was immediately infected with ransomware that encrypted data and demanded payment for its release. Because of the Microsoft packaging and familiar branding, security experts agreed that this was one of the most deceptive USB scams in recent memory.
Surprisingly, such hardware-driven hacks have always been a problem. In 2020, Sophos, a British tech company, reported that 7% of all ransomware attacks suffered by its clients came via USB drives. Some were similar to the Microsoft-spoofing hack described above, arriving in fake FedEx packaging or a simulation of other high-quality branded designs.
In July 2020, Ledger, a leading cryptocurrency wallet vendor, had its customer list compromised. A year later, hackers mailed out sophisticated, Ledger-branded packaging to many of those customers telling them that they needed to upgrade their device protection by installing a security update on (you guessed it) an illicit fake USB drive. Once plugged into a machine, that malicious device would steal all the cryptocurrency in a user’s virtual wallet.
White-hat hackers—ethical groups who use simulated cyberattacks to identify security vulnerabilities and train users about cyber awareness—also use unidentified thumb drives in offices to test employee knowledge of their inherent risks. Sometimes these USB keys sit around for months before users find them, plug them in, and, their curiosity piqued, open a booby-trapped document titled “Employee Bonuses” or run a malicious executable file titled “ReadMe.exe”.
Do These Scams Work?
According to KnowBe4’s 2022 Phishing Benchmarking Report, 30% of employees say they’ve accidentally clicked on otherwise obvious phishing links. Cybersecurity experts say that many more may fall for sophisticated, professional-looking scams like the recent Microsoft-spoofing USB one.
So far, solid numbers aren’t available for how many people have plugged in these malicious devices. But the scam has attracted lots of attention on message boards, leading many cybersecurity experts to believe it’s occurring frequently. Earlier this year, “bad USBs” claiming to contain Amazon gift cards started showing up in the mail, and back in 2020, many universities in the United States and Canada reported receiving USB drives purporting to contain important information about the COVID-19 pandemic.
How Can You Protect Your Data and Your Business?
The best cyber defenses are made up of three main components: policies, technical protections, and employee education. Here’s what CMIT Solutions recommends to satisfy each area:
1. Make sure your business explicitly tells employees not to pick up or plug in unknown devices. This seems obvious, but it bears repeating—and extra emphasis. Even relatively harmless thumb drives picked up at industry expos or conferences could pose a risk to desktops and laptops. Encourage employees to use company-approved cloud storage instead of physical storage devices like thumb drives for day-to-day data backup. And if unknown USB devices are found around the office or in computer bags, urge everyone in your office to report them and hand them over to internal staff or a trusted partner like CMIT Solutions.
2. Implement layers of protection around all systems. This starts with technical defenses that can prevent unapproved mobile media devices like USB drives from being plugged into or accessed by company resources. With the help of a trusted IT provider, you can also implement enhanced protections that disable auto-execute operations for external drives and sequester unfamiliar files so they can be scanned by antivirus software before opening. Depending on the industry in which your business operates, this may be extra important—if, say, your employees use camera media cards or AutoCAD tablets.
3. Provide cybersecurity awareness training for employees. Make sure employees understand the increasing sophistication and frequency of USB attacks, especially since they can’t rely on professional-looking packaging and branding for common apps like Microsoft Office. This kind of education is key to preventing human error—no matter how robust your policies or technical controls are, cyberattacks can always trick unsuspecting users. With so many employees working remotely, cybersecurity awareness can help prevent infections on non-business devices like personal laptops and smartphones, too.
4. Back up data regularly, remotely, and redundantly. If an illicit USB is installed or a ransomware infection does take over company data, the best failsafe is a reliable, off-site data backup. If these are executed each day and stored in multiple locations, an infected system or network can be wiped clean and then reconstructed using repeatable data recovery processes. But if data backups are only stored on an external hard drive plugged into an office’s main computer, a virus or ransomware infection delivered via one seemingly harmless USB drive can wipe away a business’ entire data backup, too.
Concerned about USB scams or ransomware infections? Unsure whether your policies, protections, and training are up to snuff? CMIT Solutions provides comprehensive data backup, network security, and cybersecurity awareness to thousands of businesses around North America. Our commitment to service is unparalleled in the IT industry, and we go the extra mile to defend your data and empower your employees to do their best work.
Contact us today to find out more.