Dropped infected USB in the company parking lot as a way of getting malware onto the company network


26 Responses to “Dropped infected USB in the company parking lot as a way of getting malware onto the company network”

  1. Marc45 says:

    What a brilliant tactic!

  2. bkad says:

    I’ve seen this reported several times before (I work in a security-conscious industry, so they brief us on these things, as well as banning USB keys). I wish I could find the reference. I’m sure it’s old news! But if not, it’s a good thing to be aware of.

    Also be careful of USB keys you find lying around INSIDE the building, especially common areas (bathrooms, cafeterias, halls) that are accessed by visitors.

  3. relawson says:

    Old trick, actually.

    I remember a few stories a long time ago about different entities that did the same thing ON PURPOSE to see how many employees would just plug them into their workstations. The programs on them would phone home upon insertion for tracking.

    It really is one of THE best attack vectors these days. Thankfully, Microsoft realized this and threw out a patch http://technet.microsoft.com/en-us/security/advisory/967940 

    Still an “optional” update, though :(  I’ve had autoplay disabled through GPO for many years, though, for this very reason.
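Added example, not part of the original comments: a PowerShell audit of the AutoRun policy that a GPO like the one mentioned above writes to the registry. It reads `NoDriveTypeAutoRun` (a bitmask in which a set bit disables AutoRun for that drive type, so `0xFF` covers every type) from the machine and user policy keys; the function name `Get-AutoRunPolicy` is hypothetical.

```powershell
# Added example: report which drive types still have AutoRun enabled.
# Bit meanings of NoDriveTypeAutoRun; a SET bit DISABLES AutoRun for that type.
$DriveTypes = @(
    @{ Bit = 0x01; Name = 'Unknown type' },
    @{ Bit = 0x04; Name = 'Removable (USB sticks)' },
    @{ Bit = 0x08; Name = 'Fixed disk' },
    @{ Bit = 0x10; Name = 'Network drive' },
    @{ Bit = 0x20; Name = 'CD-ROM' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Unknown type (reserved)' }
)

function Get-AutoRunPolicy {
    # Machine policy first, then the current user's policy.
    param([string[]]$Hives = @('HKLM:', 'HKCU:'))

    foreach ($hive in $Hives) {
        $key  = Join-Path $hive 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        $prop = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue

        if ($null -eq $prop) {
            # No policy value here: the OS default applies, nothing is enforced.
            [pscustomobject]@{ Key = $key; Mask = 'not set'; RemovableBlocked = $false; StillEnabled = 'OS default' }
            continue
        }

        # Normally a DWORD; older setups may store it as binary, so take the first byte.
        $raw = $prop.NoDriveTypeAutoRun
        if ($raw -is [byte[]]) { $raw = $raw[0] }
        $mask = [int]$raw

        # Every drive type whose bit is clear still runs autorun.inf on insertion.
        $enabled = $DriveTypes | Where-Object { -not ($mask -band $_.Bit) } | ForEach-Object { $_.Name }

        [pscustomobject]@{
            Key              = $key
            Mask             = '0x{0:X2}' -f $mask
            RemovableBlocked = [bool]($mask -band 0x04)
            StillEnabled     = if ($enabled) { $enabled -join ', ' } else { 'none' }
        }
    }
}

Get-AutoRunPolicy | Format-List
```

A row with `RemovableBlocked` false, or with `Mask` reported as `not set` on both keys, means the policy is not enforcing anything for USB sticks on that workstation.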

  4. semiotix says:

    Social engineering at its finest. Well, naturally I’ll need to closely examine the contents of this flash drive… to discover its owner, of course. It’s not snooping if I have a good reason!

    This is going to work for as long as there’s removable storage. Fairly won, malware criminals!

  5. Alcofribas says:

    Wasn’t this the theorized technique used to get Stuxnet onto the computers at the Iranian nuclear facilities?

  6. An old ruse! I would mail them to named employees inside innocuous PR guff from the Humane Society or whatever. I’m 1337, me!

  7. Paul Weimer says:

    It’s not a new idea.

    At a company I once worked for, the IT department tried this trick (dropping the sticks in common areas in the building) as a way to see if people would plug in the USB…of course the USB had a program on it to tell IT that the fool employee had done just that. 

    • stovedoor says:

       Yeah, internal testing is way easier than external. Even with autorun disabled, you still get a pretty high success rate.

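      Filename: Sarah_From_Marketing_NAKED.jpg.bat

      @echo off
      rem Append who plugged the stick in, on which machine and when, to a log on a file share
      echo  that idiot %username% plugged a ‘found’ thumbdrive into %computername% at %date% %time% >> \\server\idiots.log
      rem Pop up a message on the user's own session
      msg %username% /server:%computername% Way to forget your training. You are going to get in soooo much trouble.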

    • angusm says:

      1. Find USB stick lying on the ground in the parking lot.
      2. Wait until {rival for promotion/hated enemy/guy who stole my food from the fridge} goes for lunch leaving their computer unlocked
      3. Insert USB stick in their computer
      4. ????
      5. PROFIT!

  8. moonglum says:

    As of 2012, ‘Classic’.

  9. vdev says:

    Autorun was one of Microsoft’s best ideas

  10. L_Mariachi says:

    What kind of inept IT department rolls out Windows installs with autorun enabled?

  11. Palomino says:

    Working at Sprint: Our building was secure. The office/lobby  & main hub was separated by key card devices.  The only time non-employees were allowed into the lobby was to fill out applications. We had a stream of “applicants” dropping these USB sticks, leaving them in the waiting room, in the couches and bathroom. 

  12. simenmm says:

    Who the hell figured it would be a good idea to let computers run any old code that asked for it as long as it was on a USB stick? The problem isn’t with employees who aren’t familiar with autorun on USB sticks or IT departments that have chosen not to epoxy shut the USB ports, it’s with the enormous backdoor that was built into the computers so people wouldn’t have to click on an icon to execute code.

  13. That_Anonymous_Coward says:

    The amazing part of the story is someone found one of these and rather than slam it into a nearby usb port looking for pron they took it to the IT department to let them deal with it.

  14. traalfaz says:

    I think what people are remembering is that some group, a university class IIRC or perhaps a security group, did this strictly as a feasibility test a few years back and it was widely reported.  In that case they had software that autorun started, and all it did was report back to a central server that it had been activated.  Quite a lot of them did, way more than half IIRC, so it’s an extremely effective vector.

    Turn off autorun, people, there’s no reason to have it on.

  15. Ryan Lenethen says:

    Durr. Very old trick.

    Seriously though, any security is only as strong as the weakest link, which is usually idiot users. Good for the IT guy that found it, or the user that turned it in to IT rather than just plug it into their desktop. That said, usually when they employ this tactic, they would probably drop a bunch over a period of time. Could be that a number of accounts are already compromised. However, now that they are aware of it, unless it is a local employee looking to divert blame, IT should be able to be vigilant enough about remote access to catch whoever is trying to gain access.

  16. orgetorix says:

    Also interesting is that DSM recently sold off a chunk of business to a German competitor.
