The unknown danger of USB sticks in letterboxes
Have you ever found a USB stick in a random location or received one in the letterbox? Just stop for a few seconds before plugging it into your computer and remember that curiosity killed the cat and your computer doesn’t have to suffer the same fate.
Recent cases of receiving random USB sticks in letterboxes in Australia draw our attention. The Australian police are warning the citizens that cyber-criminals are sending unmarked USB drives to residential letterboxes. Suspicions are that the USB devices may contain malware or ransomware that could destroy the computer and so far what has been confirmed is the fact that victims have experienced fraudulent media streaming, according to Victoria Police. There are no further details about the extent of this and if any private individual data has been disclosed. Usually the purpose of this kind of attacks is to get confidential data or financial gain, but in this case, it is not clear how it culminates. The question is, is this an isolated case? When will it happen in Europe or the USA? Or is it happening already?
The USB Killer 2.0 is another recent discovery on the USB threat landscape. The USB Killer 2.0 has recently gone on sale, designed to cause terminal damage to computers. Once the USB drive is plugged in an unprotected computer, it makes the computer unusable, causing terminal damage. The only computer that wasn’t affected so far by the USB Killer 2.0 is the MacBook from Apple, which isolates the data on its USB ports.
The issue goes further than this with studies showing that half of the people plug in USB drives they find in a parking lot. Most of the people had an honest wish to find the owner and others wanted to keep them to themselves, according to the study.
These cases should be eye-openers to users not to plug in any randomly found USB device into their personal or work computer to avoid data security incidents, despite their curiosity or goodwill. In order to address these risks, businesses should rely on IT Security experts to decrease the possibilities of data loss and data threat and should educate their employees to be more aware of data threats and incidents that could cause huge damage to the company.
The USB threat is still present and it seems that it remains a simple and effective way to lure people into voluntarily inserting potentially harmful devices. Organizations that haven’t done this yet, should consider implementing Device Control solutions to block the access to unauthorized devices and to have a clear view on what devices are being connected, who connected them, when and if they copied any confidential information. Additionally, they should create programs and frameworks to increase awareness among employees with respect to social engineering and not related solely to USB devices. Social engineering extends to e-mails, calls, and other manipulation techniques which can easily trick users into sending confidential data, clicking on malicious links, etc.
Until the next time, stay safe and in case you find or receive a USB device from an unknown source, better hand it out to your IT department.