Dropped infected USB in the company parking lot as a way of getting malware onto the company network

Workers at the Dutch offices of DSM, a chemical company, report finding USB sticks in the company parking lot that appeared to have been lost. However, when the company's IT department examined the sticks, they discovered that they were loaded with malware set to autorun on company computers and harvest employee login credentials. It appears that criminals dropped the keys in the hope of tricking employees into getting them onto the company network.

Cybercriminelen doen poging tot spionage bij DSM

Cybercriminals do attempt to commit espionage at DSM (Google Translate)

(via /.)


      1.  I read something similar, oh, say, 20 years ago.

        I believe it was called the Aeneid, or something . . .

        (Oh, c’mon, someone had to say it! ;) )

  1. I’ve seen this reported several times before (I work in a security-conscious industry, so they brief us on these things, as well as banning USB keys). I wish I could find the reference. I’m sure it’s old news! But if not, it’s a good thing to be aware of.

    Also be careful of USB keys you find lying around INSIDE the building, especially common areas (bathrooms, cafeterias, halls) that are accessed by visitors.

  2. Old trick, actually.

    I remember a few stories a long time ago about different entities that did the same thing ON PURPOSE to see how many employees would just plug them into their workstations. The programs on them would phone home upon insertion for tracking.

    It really is one of THE best attack vectors these days. Thankfully, Microsoft realized this and threw out a patch http://technet.microsoft.com/en-us/security/advisory/967940 

    Still an “optional” update, though :(  I’ve had autoplay disabled through GPO for many years, though, for this very reason.
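For the GPO setting mentioned in the comment above, an added example (not part of the original post or its comments) that audits the policy value the "Turn off Autoplay" setting writes. It assumes the standard `NoDriveTypeAutoRun` value under `Policies\Explorer`; the function names and the sample masks are constructed for illustration.

```powershell
# Added example. In NoDriveTypeAutoRun a SET bit DISABLES AutoRun for that
# drive type, so any cleared bit below is a drive type still exposed.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

function Get-AutoRunExposure {
    # Returns the drive types on which AutoRun is still allowed for a mask.
    param([Parameter(Mandatory)][int]$Mask)
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

function Test-AutoRunPolicy {
    # Reads the machine-wide and per-user policy values on the local host.
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "$hive\$subKey"
        $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No value means the policy is not configured in this hive.
            [pscustomobject]@{ Key = $path; Mask = $null; StillAllowed = 'policy not set' }
        } else {
            $mask = [int]$item.NoDriveTypeAutoRun
            [pscustomobject]@{
                Key          = $path
                Mask         = '0x{0:X2}' -f $mask
                StillAllowed = (Get-AutoRunExposure -Mask $mask) -join ', '
            }
        }
    }
}

# Constructed sample masks: one that leaves removable media uncovered, and 0xFF.
foreach ($m in 0x91, 0xFF) {
    '0x{0:X2} still allows: {1}' -f $m, ((Get-AutoRunExposure -Mask $m) -join ', ')
}

# Audit the local machine.
Test-AutoRunPolicy | Format-Table -AutoSize
```

An empty "still allows" list is the result to aim for; any row listing Removable means a dropped stick can still trigger AutoRun on that host.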

  3. Social engineering at its finest. Well, naturally I’ll need to closely examine the contents of this flash drive… to discover its owner, of course. It’s not snooping if I have a good reason!

    This is going to work for as long as there’s removable storage. Fairly won, malware criminals!

  4. It’s not a new idea.

    At a company I once worked for, the IT department tried this trick (dropping the sticks in common areas in the building) as a way to see if people would plug in the USB…of course the USB had a program on it to tell IT that the fool employee had done just that. 

    1.  Yeah, internal testing is way easier than external. Even with autorun disabled, you still get a pretty high success rate.

      Filename :Sarah_From_Marketing_NAKED.jpg.bat

      @echo off
      echo that idiot %username% plugged a ‘found’ thumbdrive into %computername% at %date% %time% >> \serveridiots.log
      msg %username% /server:%computername% Way to forget your training. You are going to get in soooo much trouble.

    2. 1. Find USB stick lying on the ground in the parking lot.
      2. Wait until {rival for promotion/hated enemy/guy who stole my food from the fridge} goes for lunch leaving their computer unlocked
      3. Insert USB stick in their computer
      4. ????
      5. PROFIT!

      1. Why wait to find a USB stick? Just bring your own ton of malware and load it onto the guy’s PC.

  5. Working at Sprint: Our building was secure. The office/lobby  & main hub was separated by key card devices.  The only time non-employees were allowed into the lobby was to fill out applications. We had a stream of “applicants” dropping these USB sticks, leaving them in the waiting room, in the couches and bathroom. 

  6. Who the hell figured it would be a good idea to let computers run any old code that asked for it as long as it was on a USB stick? The problem isn’t with employees who aren’t familiar with autorun on USB sticks or IT departments that have chosen not to epoxy shut the USB ports, it’s with the enormous backdoor that was built into the computers so people wouldn’t have to click on an icon to execute code.

  7. The amazing part of the story is someone found one of these and rather than slam it into a nearby usb port looking for pron they took it to the IT department to let them deal with it.

  8. I think what people are remembering is that some group, a university class IIRC or perhaps a security group, did this strictly as a feasibility test a few years back and it was widely reported.  In that case they had software that autorun started, and all it did was report back to a central server that it had been activated.  Quite a lot of them did, way more than half IIRC, so it’s an extremely effective vector.

    Turn off autorun, people, there’s no reason to have it on.

  9. Durr. Very old trick.

    Seriously though any security is only as strong as the weakest link, which is usually idiot users. Good for the IT guy that found it, or the user that turned it into IT rather than just plug it into their desktop. That said, usually when they employ this tactic, they would probably drop a bunch over a period of time. Could be that a number of accounts are already compromised. However now that they are aware of it, unless it is a local employee looking to divert blame, IT should be able to be vigilant enough about remote access to catch whoever is trying to gain access.

  10. Also interesting is that DSM recently sold off a chunk of business to a German competitor.
