Would you plug in a USB that you got in the mail?

Malicious USB devices left in mailboxes.

I am not sure about you, but the one thing I ABSOLUTELY LOVE seeing when I open my mailbox is unsolicited mail. You know, junk mail.

Raise your hand if you are with me.

OK, all kidding aside, no one likes to see their virtual or physical mailbox filled up with unwanted things. Even with that said, marketing wonks will show that direct mail (even un-targeted) direct mail will get some people to convert to paying customers.

So why are we talking marketing on a security blog?

Glad you asked. You see recently police in Australia have started to warn citizens to NOT plug USB sticks that show up in mailboxes into their computers.

“The USB drives are believed to be extremely harmful and members of the public are urged to avoid plugging them into their computers or other devices.”

I guess the criminals thought, “hey, it worked for AOL,” when planning out this strategy to get people to install malware on their machines without having to resort to traditional cybercrime.

While the tactic may seem quite old fashioned, it is actually common for businesses to be infected with targeted malware via an attacker dropping a malicious USB in a parking lot. Earlier this year, we reported on a similar experiment that was conducted by Elie Bursztein that dropped USB sticks on a college campus. Surprisingly, 48% of those dropped were inserted into a computer.

By playing a numbers game, the criminals could have a good success rate. Hopefully the warning from the police came in time.

While this story centers on a city in Australia, it still highlights a piece of personal security that needs reinforcing now and then: Do NOT plug unknown devices into your computer.

Sure it may easy to stereotype the people who would plug these devices into buckets like uneducated, elderly or non-savvy, it is just not the case. The test from Bursztein shows even digital natives on college campuses will fall victim to plugging in a seemingly free device.


So why should you care?

For starters, a USB device can serve as the catalyst for a ransomware attack. If the device is set to autorun, plugging it in can start a chain reaction that locks files and leaves the user looking for a ransomware decryptor or paying the crooks. The device could also hold other types of malware that can log your key strokes, steal sensitive information or just bombard you with adware.

But I have AV and will scan the device first…

Sure some may smugly blurt out the comment above. The problem with that is that malware may not be the only danger lurking on that piece of removable media.

There is an old saying that possession is nine-tenths of the law in the case of the found USB, this can be quite alarming for the finder. Removable media could hold illegally obtained documents, illicit pictures or bank account information. While the finder may simply see things that, well, they cannot unsee, they may also become an accessory to a crime by possessing the files.

Aside from the aforementioned bad things, people who plug found devices into their computers could also be setting themselves back a pretty penny by killing their devices.

Sure it may sound quite the piece of science fiction; a USB device can fry a computer via the port. Earlier this month, it was reported that a USB Killer 2.0 was out for physical destruction. In principle, the device draws power into the device via the USB port and then shoots it back into the computer until the circuitry failed. While computer pricing varies by model and power, I am pretty sure that no one really wants to go buy a new one immediately.

So a quick show of digital hands here. Who likes opening junk mail? Who likes inserting found media?

The real question should really be: Is it worth it?

If you have friends, family or coworkers who like junk mail or would insert the USB, please share this post with them. After all, they will probably be reaching out to you to help fix it.