Dropped infected USB in the company parking lot as a way of getting malware onto the company network

Workers at the Dutch offices of DSM, a chemical company, report finding USB sticks in the company parking lot, which appeared to have been lost. However, when the company's IT department examined the sticks, they discovered that they were loaded with malware set to autorun in company computers, which would harvest employee login credentials. It appears that criminal dropped the keys in the hopes of tricking a employees into getting them into the company network.

Cybercriminelen doen poging tot spionage bij DSM

Cybercriminals do attempt to commit espionage at DSM (Google Translate)

(via /.)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Business • Gadgets • netherlands • security

More at Boing Boing

Ants and Stars: Bruce Sterling and Jasmina Tesanovic visit the Sardinia Radio Telescope in Italy

The Snowden Principle

Marc45

What a brilliant tactic!
- http://glitch.tl/ Michael Smith
  
  I read about it at least five years ago, possibly on bb or slashdot.
  - https://twitter.com/PhoetrySlam Cyran0
    
    I read something similar, oh, say, 20 years ago.
    
    I believe it was called the Aeneid, or something . . .
    
    (Oh, c’mon, someone had to say it! ;) )
    - http://swamiatma.myopenid.com/ Alles Klar
      
      I read something exactly like this about 2,000 years ago. It originated from Judas.net
      - http://twitter.com/bornmw ʘleg Mikhᵉₑv
        
        C’mon, Trojan incident happened at least 1000 years before you read it, circa 1190 BC
bkad

I’ve seen this reported several times before (I work in a security-conscious industry, so they brief us on these things, as well as banning USB keys). I wish I could find the reference. I’m sure it’s old news! But if not, it’s a good thing to be aware of.

Also be careful of USB keys you find lying around INSIDE the building, especially common areas (bathrooms, cafeterias, halls) that accessed by visitors.
relawson

Old trick, actually.

I remember a few stories a long time ago about different entities that did the same thing ON PURPOSE to see how many employees would just plug them into their workstations. The programs on them would phone home upon insertion for tracking.

It really is one of THE best attack vectors these days. Thankfully, Microsoft realized this and threw out a patch http://technet.microsoft.com/en-us/security/advisory/967940

Still an “optional” update, though :( I’ve had autoplay disabled through GPO for many years, though, for this very reason.
semiotix

Social engineering at its finest. Well, naturally I’ll need to closely examine the contents of this flash drive… to discover its owner, of course. It’s not snooping if I have a good reason!

This is going to work for as long as there’s removable storage. Fairly won, malware criminals!
http://twitter.com/open_mix Alcofribas

Wasn’t this the theorized technique used to get Stuxnet onto the computers at the Iranian nuclear facilities?
http://boingboing.net/ Rob Beschizza

An old ruse! I would mail them to named employees inside innocuous PR guff from the Humane Society or whatever. I’m 1337, me!
http://twitter.com/PrinceJvstin Paul Weimer

Its not a new idea.

At a company I once worked for, the IT department tried this trick (dropping the sticks in common areas in the building) as a way to see if people would plug in the USB…of course the USB had a program on it to tell IT that the fool employee had done just that.
- stovedoor
  
  Yeah, internal testing is way easier than external. Even with autorun disabled, you still get a pretty high success rate.
  
  Filename :Sarah_From_Marketing_NAKED.jpg.bat
  
  Contents:
  echo off
  echo that idiot %username% plugged a ‘found’ thumbdrive into %computername% at %date %time% >> \serveridiots.log
  msg %username% /server:%computername% Way to forget your training. You are going to get in soooo much trouble.
  exit
- http://www.disoriented.net/ angusm
  
  1. Find USB stick lying on the ground in the parking lot.
  2. Wait until {rival for promotion/hated enemy/guy who stole my food from the fridge} goes for lunch leaving their computer unlocked
  3. Insert USB stick in their computer
  4. ????
  5. PROFIT!
  - http://tomxvesely.blogspot.com/ thomas vesely
    
    archfiend of the week award in mail.
  - min amisan
    
    Why wait to find a USB stick? Just bring your own ton of malware and load it onto the guy’s PC.
moonglum

As of 2012, ‘Classic’.
http://pulse.yahoo.com/_CGUZJZ3IVNH66EXXB6JY23VPR4 vdev

Autorun was one of Microsoft’s best ideas
- howaboutthisdangit
  
  “Security? Our customers don’t want security, they want convenience!”
  - http://tomxvesely.blogspot.com/ thomas vesely
    
    could not autoplay be configured to scan for security automatically first ?
L_Mariachi

What kind of inept IT department rolls out Windows installs with autorun enabled?
Palomino

Working at Sprint: Our building was secure. The office/lobby & main hub was separated by key card devices. The only time non-employees were allowed into the lobby was to fill out applications. We had a stream of “applicants” dropping these USB sticks, leaving them in the waiting room, in the couches and bathroom.
simenmm

Who the hell figured it would be a good idea to let computers run any old code that asked for it as long as it was on a USB stick? The problem isn’t with employees who aren’t familiar with autorun on USB sticks or IT departments that have chosen not to epoxy shut the USB ports, it’s with the enormous backdoor that was built into the computers so people wouldn’t have to click on an icon to execute code.
That_Anonymous_Coward

The amazing part of the story is someone found one of these and rather than slam it into a nearby usb port looking for pron they took it to the IT department to let them deal with it.
traalfaz

I think what people are remembering is that some group, a university class IIRC or perhaps a security group, did this strictly as a feasibility test a few years back and it was widely reported. In that case they had software that autorun started, and all it did was report back to a central server that it had been activated. Quite a lot of them did, way more than half IIRC, so it’s an extremely effective vector.

Turn off autorun, people, there’s no reason to have it on.
Ryan Lenethen

Durr. Very old trick.

Seriously though any security is only as strong as the weakest link, which is usually idiot users. Good for the IT guy that found it, or the user that turned it into IT rather than just plug it into their desktop. That said, usually when they employ this tactic, the would probably drop a bunch over a period of time. Could be that a number of accounts are already compromised. However now that they are aware of it, unless it is a local employee looking to divert blame, IT should be able to be vigilant enough about remote access to catch whoever is trying to gain access.
orgetorix

Also interesting is that DSM recently sold off a chunk of business to a German competitor.