Don’t plug it in! Scammers post infected USB sticks through letterboxes

Unexpectedly received a USB stick in the post? Whatever you do … DON’T PLUG IT IN!!

Police in the Australian state of Victoria are warning the public about cybercriminals’ latest tactic: randomly dropping unmarked USB sticks containing malware through letterboxes.

The criminals are of course hoping that the unsuspecting recipients will plug the freebie USB drives into their computers. The state police’s online news warns:

Upon inserting the USB drives into their computers victims have experienced fraudulent media streaming service offers, as well as other serious issues.

Police are urging anyone with information about the people behind the scam to contact Crime Stoppers.

Picking up and plugging in

The criminals behind the USB drop are tapping into our curious, well-documented and inexplicable urge to plug in any old USB stick we find lying around.

Back in April, we reported on how vulnerable we are to malware shared through these abundant and inconspicuous devices. Surprisingly:

…almost half of dropped USB sticks will get plugged in.

A study published by a group of researchers from the University of Illinois, the University of Michigan and Google confirmed that many people would not only pick up and plug in a USB stick of unknown origin, but would also open files, click on unfamiliar links and send messages to email addresses they found on them.

USB sticks have long been a means for distributing malware. Nearly five years ago we studied 50 lost USB sticks and found them riddled with viruses; 66% of them were infected with malware.

Not just the public

But it’s not just the public that is vulnerable to these types of scams. In 2011 the Western Australian Auditor General carried out a security exercise in which it left USB sticks in public places. The sticks had software on them that phoned home when used.

Eight of the fifteen government agencies involved failed the test: agency staff connected the USB sticks to their computers, allowing the devices to access their agency’s network.

If you find yourself the unexpected recipient of a mystery USB stick, break it so that nobody else can plug it in and then put it into the bin.

If you use USB sticks yourself, make sure you encrypt your data so that you aren’t the victim of somebody else’s curiosity if you lose one.