Malicious USB letterbox attacks in Victoria

USB devices containing malicious content have been placed in personal mailboxes around Victoria. The contents included what appeared to be ‘fraudulent media streaming service offers’, among other material.

The devices contained no information identifying the sender. Victoria Police were alerted as these types of attacks are usually seen as a method for attacking businesses. However, they have rarely been used against unsuspecting members of the public.

“The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices,” said Victoria Police.

The consequences of accessing these USBs can be severe. Malware stored on the drives can take control of the user’s machine and perform a number of nefarious activities. This includes monitoring the user’s browsing patterns and stealing usernames and passwords, often leading to fraudulent transactions being charged to the individual’s credit card or even identity theft. Ransomware can also encrypt all files until a ransom payment has been made.

“This is a new angle to the well-known, old-school technique of scattering USB drives outside a company’s premises, with the aim of a curious employee introducing it onto the network,” said Gavin Millard, technical director at Tenable Network Security.

USB devices in particular are known to have inherent security vulnerabilities by design. These were identified in 2014, where a demonstration showed how any USB device could infect a user, even if it did not have any data copied. Dropping USB devices in public spaces in the hope that somebody will find them and plug them in is a common form of attack, with lift lobbies and car parks common locations for such activity.

An experiment was conducted in 2015 at The University of Illinois, where hundreds of USB sticks were dropped around its campus. The experiment concluded that the success rate of such an attack was estimated to be between 45% and 98%.

“We have already seen cases earlier this year in the form of emails claiming to be Telstra bills and invoices from utility companies,” said Tony Jarvis, chief strategist APAC at Check Point Software Technologies. “The perpetrators of these crimes play on our fears, our uncertainty or even our curiosity, and such tactics are often successful. If something looks too good to be true, as is the case of USB devices arriving in our letterboxes, it often is.”

The public is being urged not to trust anything being sent to them, whether physically or virtually, unless they know the sender. Legitimate companies such as telecommunications providers, utilities providers and banks will never ask for confidential details such as usernames and passwords. If there are any doubts, people are urged to check with a trusted advisor before proceeding.

Image credit: ©stock.adobe.com/au/Lasha Kilasonia