Hand-delivered hacking: malicious USBs left in mailboxes

Press/Media: Expert comment

Release date: 22/9/2016


Expert comment to Associated Press regarding malware spreading over USB sticks

Media contributions

TitleHand-delivered hacking: malicious USBs left in mailboxes
Degree of recognitionInternational
Media name/outletAssociated Press
Media typeWeb
Country/TerritoryUnited Kingdom
DescriptionMemory sticks, also called thumb drives or USBs, are sometimes used to spread malicious software from computer to computer. This USB was branded, but Ascoet said the device appeared used and that he doubted there was any connection between the brand and the mysterious delivery.

Ascoet, who also works as a security researcher, eventually threw the device out — although not before photographing it and posting the picture to Twitter .

“Never EVER plug in such present,” he said by way of caption.

Stories like Ascoet’s are anecdotal, but as web users get wise to rogue links and booby-trapped attachments, there are signs that cybercriminals are experimenting with hand-delivery of malware to people’s homes.

On Wednesday, Australian police drew international attention when they announced that “extremely harmful” memory sticks had been left in mailboxes across the suburban town of Pakenham, about 60 kilometers (37 miles) southeast of Melbourne. Pakenham Police Sgt. Guy Matheson said in a telephone interview Thursday that the unmarked thumb drives started showing up several days ago.

Disguised as offers for Netflix or a similar service, Matheson said rogue programs lurking on the drives instead held victims’ computers hostage, demanding a hefty payment in the electronic currency Bitcoin as ransom.

Matheson said two or three people had fallen for the ruse.

The technique of dropping a malicious USB somewhere and hoping someone will pick it up and plug it in has long been favored by spies to hack into hard-to-reach computers, said University of Manchester doctoral student Nikola Milosevic, who has studied the history of malware. The New York Times reported that the infrastructure-wrecking Stuxnet worm spread to Iran’s nuclear facilities using a thumb drive placed in the hands of an unwitting employee, for example. And despite the risks inherent in walking up to someone’s house and dropping malicious software through their mail slot, leveraging people’s inherent curiosity can mean a bigger potential payoff.

Producer/Author RAPHAEL SATTER
PersonsNikola Milosevic
TitleHand-delivered hacking: malicious USBs left in mailboxes
Degree of recognitionNational
Media name/outletDaily Mail
Country/TerritoryUnited Kingdom
PersonsNikola Milosevic