
Hackers Have Been Sending Malware-Filled USB Sticks to U.S. Companies Disguised as Presents

The "malicious USB stick" trick is old but apparently it's still wildly popular with the crooks.


Word to the wise: If a stranger ever offers you a random USB stick as a gift, best not to take it. 

On Thursday, the FBI warned that a hacker group has been using the US mail to send malware-laden USB drives to companies in the defense, transportation and insurance industries. The criminals’ hope is that employees will be gullible enough to stick them into their computers, thus creating the opportunity for ransomware attacks or the deployment of other malicious software, The Record reports.


The hacker group behind this bad behavior—a group called FIN7—has gone to great lengths to make their parcels appear innocuous. In some cases, packages were dressed up as if they were sent by the US Department of Health and Human Services, with notes explaining that the drives contained important information about COVID-19 guidelines. In other cases, they were delivered as if they had been sent via Amazon, along with a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” according to the FBI warning.

This little scheme appears to have been going on for at least several months: the FBI says it originally began receiving reports about such activity as far back as last August.


The culprit, FIN7, is a notably sophisticated cybercriminal group that, throughout its career, is reported to have stolen over $1 billion via various financial hacking schemes. In the past, it has also been connected to prominent ransomware families—such as DarkSide and BlackMatter—and, last September, security researchers reported that FIN7 had gone to the trouble of creating a fake cybersecurity company in order to recruit IT talent for its criminal operations. Suffice it to say, they’re innovative.

While it might seem ridiculous that anyone would plug a random USB stick into their computer, studies have shown that, actually, that’s exactly what a whole lot of people do when confronted with the opportunity. Thus the popularity of the “drop” trick, in which a malicious drive is left in a company’s parking lot in the hopes that the weakest link at the firm will pick it up and, out of curiosity, plug it into their laptop. Actually, if you believe one high-ranking defense official, a disastrous, worm-fueled attack on the Pentagon in 2008 was launched just this way.

Hackers have also attempted to use USBs as a vector for ransomware attacks before. Last September, it was reported that gangs had been approaching employees of particular companies and attempting to bribe them into unleashing ransomware on their company’s servers via sticks secured by the hackers.

All of this is a roundabout way of saying a few basic things: Don’t accept gifts from strangers, avoid bribes, and, if you don’t know where that USB stick came from, better leave it alone.