Australian police are advising people to be on the lookout for unmarked, malware-laden USB sticks that someone is dropping into their mailboxes. On 21 September, the Victoria Police published a statement revealing that residents of the suburb of Pakenham in Victoria's capital, Melbourne, are discovering unmarked USB drives in their mailboxes. Here's a picture of the type of devices people are finding:
When the drives are inserted into a computer, the authorities warn, victims have received offers to subscribe to fraudulent media streaming services. They've also experienced other issues, though the statement does not elaborate on those incidents' details. The Victoria Police concludes its statement with a simple piece of advice:
"The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices."
Ah, but we all know people have a hard time following that recommendation. Back in August, we learned at Black Hat USA 2016 that Google researcher Elie Bursztein dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus to see if people would be tempted to pick up the drives. I don't think anyone could have predicted the results of Bursztein's study. Over the course of the experiment, nearly all of the devices (98 percent) were picked up, and for about half of them (45 percent), people not only plugged the devices into a computer but also accessed files saved onto the USBs. D'oh!
The possibilities for a USB-borne attack are endless. As computer security expert Graham Cluley explains, actors can prey upon people's curiosity with dropped USB sticks to infect their computers with malware, open a reverse shell on their machines, or even exploit a zero-day vulnerability. With all of those security threats in mind, the most important thing we can do is continue to focus on getting the word out to users everywhere. If you come across an unmarked USB stick, DON'T plug it into your computer. Additionally, please keep your software up to date so that hackers can't find another way to compromise your data.