Check Point Software and Tenable Network Security Comment on Victoria USB Device Issue


In a news release on its website, Victoria Police said Pakenham residents have in the past week lodged reports on finding such USB drives in their mail.

“Upon inserting the USB drives into their computers, victims have experienced fraudulent media streaming service offers, as well as other serious issues,” said state police.

“The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.”

Comment: Gavin Millard, Technical Director, Tenable Network Security

This is a new angle to the well-known, old-school technique of scattering USB drives outside a company’s premises, with the aim of a curious employee introducing it onto the network. It should go without saying that any drive or other USB peripheral discovered on the ground or in a mailbox should never be inserted into a computer; otherwise the user runs the risk of getting all kinds of nasty code installed.

The approach of distributing malware-laden drives was also allegedly attempted by the Russian delegation at the G20 in 2013 to spy on heads of state, which was fortunately thwarted by a suspicious Herman Van Rompuy.

Comment: Tony Jarvis, Chief Strategist APAC, Check Point Software Technologies

Victorian Police have recently been alerted that USB devices containing malicious content are being placed in citizens’ mailboxes. Those who were curious enough to plug them in and access the contents found what appeared to be “fraudulent media streaming service offers” among other material. The devices did not come with any note, labelling or information identifying the sender. Such types of attacks are commonly seen as a method for attacking businesses, though rarely seen used against unsuspecting members of the public.

The consequences of accessing the USB devices can be severe. Malware stored on the devices can take control of the user’s machine and perform a number of nefarious activities. Such activities include monitoring the user’s browsing patterns, stealing usernames and passwords, ultimately leading to consequences including fraudulent transactions being charged to the individual’s credit card or even identity theft. Other possible consequences include being hit with ransomware which can encrypt all files until a ransom payment has been made.

USB devices in particular are well known to have inherent security vulnerabilities by design. These were identified in 2014, where a demonstration showed how any USB device could be used to infect a user. The device does not need to have any data copied to it in order to successfully infect the host. Dropping USB devices in public spaces in the hope that somebody will find them and plug them in is a common form of attack. Lift lobbies and car parks are some of the more common locations where such activity has been observed. Such tactics are surprisingly effective. An experiment was conducted last year at The University of Illinois where hundreds of USB sticks were dropped around its campus. The experiment concluded that the success rate of such an attack was estimated to be between 45% and 98%.

The best advice for the public is simple: never trust anything being sent to you, whether physically or virtually, unless you know the sender. We have already seen cases earlier this year in the form of emails claiming to be Telstra bills and invoices from utility companies. The perpetrators of these crimes play on our fears, our uncertainty, or even our curiosity, and such tactics are often successful. If something looks too good to be true, as is the case of USB devices arriving in our letterboxes, it often is. Legitimate companies we do business with, such as telecommunications providers, utilities providers, and banks, will never ask you for confidential details such as usernames and passwords. Most importantly of all, if you ever have doubts, it is always best to check with a trusted advisor before proceeding.