Hi Guys

The FBI has issued a warning about a cybercrime group sending out free USB thumb drives in the post, hoping that recipients will plug them into their computers and install malware or ransomware on their devices and networks. This is a pretty old attack vector, and we have seen it used hundreds of times over the past few years.

Many years ago, in a previous life as part of a security awareness program, we sent 20 poisoned key fobs to IT security employees of major defense contractors worldwide (I cannot say what country) as a test to see how many security-conscious people would open them. We were stunned that over 80% of them were opened and inserted into computers. Now, we did not load any severe malware onto the key fob, and it simply displayed a message saying you need to report to security training straight away. It could have been much worse if this was not a test, as most of the computers tested had significant access to very serious things. If the so-called security experts of the world can be tricked, then so can you.

How does the attack work?

  • You receive a free USB key fob in the post from your local phone company as a gift for being such a great customer, or it could be a gift from Amazon. The packaging will look very professional, and most people will not be concerned and will plug it in.
  • When you plug the key fob into your computer (Windows or Mac), a piece of malware called BadUSB will launch automatically and within seconds will take control of your device as well as any other devices connected on the same network.
  • Once in control of your device, the remote attacker can do anything they want. They can remotely connect to your devices to extract files and install additional malware, which will give them unlimited access to your device. They can even remotely install ransomware, which will lock all of your data until you pay a ransom.
  • Most of the time, you will not know what is happening as BadUSB is invisible. You will still be able to use your ‘free’ USB key.

How do you protect yourself?

  • Don’t insert USB drives from unknown sources, even if they’re addressed to you in the post, even if they look like they are from actual companies.
  • If you are not sure, I suggest you call the company that sent it to ask them if they did send it. If they confirm that it was them, then you are OK.
  • If you are still unsure, contact our support team with the make and model of the key fob and any other documents and packaging that it came with. We will do an examination and let you know if it is safe.

Please let me know if you need any help with this.

All the best,

Max Roberts,
Incognito Privacy Care Team