A word to the wise: If a stranger ever offers you a random USB stick as a gift, it's best not to take it.
On Thursday, the FBI warned that a hacker group was using the U.S. mail to send USB drives filled with malware to companies in the defense, transportation and security industries. The criminals hope employees will be gullible enough to plug the drives into their computers, creating an opportunity for ransomware attacks or the installation of other malware, The Record reports.
The hacker group behind this misconduct, a group called FIN7, has invested a lot to make its shipments look harmless. In some cases, the packages were dressed up as if they had been sent by the U.S. Department of Health and Human Services, with notes explaining that the drives contained important information about COVID-19 guidelines. In other cases, they were delivered as if sent via Amazon, along with a “decorative gift box containing a fake thank you letter, a counterfeit gift card and USB,” according to an FBI warning.
This small scheme appears to have been running for at least a few months, as the FBI says it originally started receiving reports of such activity back in August of last year.
The culprit, FIN7, is a highly sophisticated group of cybercriminals who are said to have stolen over a billion dollars through various financial hacking schemes. In the past, the group has also been linked to prominent ransomware families, such as DarkSide and BlackMatter, and last September security researchers reported that FIN7 had made an effort to create a fake cybersecurity company to recruit IT talent for its criminal operations. Suffice it to say that they are innovative.
While it might seem ridiculous for anyone to plug a random USB stick into their computer, studies have shown that this is exactly what many people do when given the opportunity. Hence the popularity of the “drop” trick, in which a malicious drive is left in a company’s parking lot in the hope that the weakest link in the company will pick it up and plug it into their laptop out of curiosity. In fact, if you believe one senior defense official, the catastrophic attack on the Pentagon in 2008 was launched in this way.
Hackers have also previously tried to use USB sticks as a vector for ransomware attacks. Last September, it was reported that gangs approached employees of certain companies and tried to bribe them to run ransomware on their company’s servers using sticks provided by the hackers.
All of this is a roundabout way of saying a few basic things: Don’t accept gifts from strangers, avoid bribes, and if you don’t know where that USB stick came from, you’d better leave it alone.