Cybercriminals are always on the lookout for new ways to hack, infect, and hold our PCs and laptops hostage, as well as steal valuable information at the same time. Now, these cyber groups are turning to more traditional methods of targetting people: mailing them malware-riddled USB sticks to multiple recipients, hoping that they’ll just stick into their systems, without a single question.
The trend was reportedly discovered to be happening in the US, where these “weaponised” USB sticks were sent through the US Postal Service and United Parcel Service. One such USB stick supposedly had a message that impersonated the US Department of Health and Human Service, stating that the component itself contained a COVID-19 warning. As for the other malicious USB sticks, they were sent attached to Amazon gift cards, posing as an additional free gift.
As for the malware inside these USB drives, the program is known aptly as “BadUSB” and it is designed to exploit the USB standard’s versatility and allow attackers to reprogram the component to emulate a keyboard that create keystrokes on a computer, install malware just before a system’s OS boots, or to spoof a network card and redirect the flow of network traffic.
The good news is that, according to the FBI, BadUSB attacks aren’t as common as others. On a somewhat related note, this attack is similar to an attack conducted by a group known as FIN7; supposedly, the group had sent out several BadUSB drives to targets on a list. The group then said that it was from BestBuy and that it required the recipients to stick said thumb drives into their PC, in order to view products that could then be redeemed by the attached gift card.
At the time of writing, it doesn’t look like the trend has reached our shores. Having said that, we believe it goes without saying that, should you ever receive any sort of USB thumb drive in the mail, without any indication as to what it contains or whom it came from, you shouldn’t stick it into your PC.