Police give out infected USBs as prizes in cybersecurity quiz

So ironic. You work hard to win a cybersecurity award, and what do you get? A USB drive stuffed with creepy-crawly nasty, that’s what.

The Taiwanese government last month celebrated its crackdown on cybercrime. The national police – the Criminal Investigation Bureau (CBI) – picked up 250 blank USB drives, each with an 8G capacity, to give out as prizes at the data security expo, hosted by the Presidential Office on 11-15 December.

According to the Taipei Times, an employee at a New Taipei City-based contractor, Shawo Hwa Industries Co., transmitted the malware to the drives when testing their storage capacity… from his infected workstation.

Oops! the CBI said after investigating the infection, which wound up on 54 of the drives that were handed out to winners of a quiz about cybersecurity knowledge. “Winners of a quiz about cybersecurity knowledge,” as in, “people who hopefully know enough not to plug in random USB drives conveniently scattered throughout the parking lot but not necessarily those handed on a silver platter at a security expo.”

According to the CBI, the 54 drives picked up an executable malware file that goes by the name of XtbSeDuA.exe. The CBI said that the malware was designed, years ago, to suck up personal data and transmit it to a Poland-based IP address that would then bounce the information to unidentified servers.

Back in 2015, the malware was being used by an electronic fraud ring uncovered by Europol, according to the CBI, though I couldn’t find a record of any such malware with that name.

At any rate, the CBI reportedly said that only older, 32-bit computers are susceptible to the malware and that common anti-virus software can successfully detect and quarantine it. Although some of the thumb drives – they were sourced from multiple vendors – were made in China, the CBI ruled out Chinese espionage.

The malware-as-a-party-favor came to light after expo participants complained that their anti-virus programs had flagged the drives as containing malware. The CBI retrieved 20 of the drives, leaving 34 of the drives wandering around in the wild.

The CBI said that the server set up to receive data from the malware has been shut down.

An anonymous source told the Taipei Times that the Presidential Office was not particularly pleased that one of its events – an event to celebrate its cybersecurity work, mind you – had been compromised. Who can blame them? This has to be one of the most embarrassing things that can happen at a security conference.

It likely won’t be much consolation, but this isn’t the first time security expo organizers have been embarrassed in exactly this same manner. In 2010, IBM admitted that the complimentary USB drives it handed out at an Australian security conference were infected by not one, but two pieces of malware.

You would imagine that companies handing out USB sticks would take care to ensure they’re clean, not crawling with malware, most particularly at a security conference. But right around that same time, it happened to Naked Security’s Graham Cluley at the RSA show in San Francisco. The RSA team asked Graham for a copy of his presentation so they could play it in a window next to his talking head. Just pop it on this USB stick, he was told. But as soon as he plugged it in, his Mac started squealing in alarm about the flash drive being infected.

We’ve seen supermarket giant Aldi selling removable hard drives complete with a pre-installed virus (a few years after it was selling pre-infected PCs, mind you); Olympus shipping pre-infected cameras; and Best Buy selling pre-infected digital picture frames.

As we’ve said in the past, any company handing out USB sticks to the public should make sure they’re squeaky clean, as opposed to secretly infected with malware, be they – ouch! – in the business of cybersecurity or selling lettuce or whatever tech product that’s able to be infected.

In spite of the CBI’s investigation showing that the malware came from an employee working at a government contractor’s computer, the office has demanded that the bureau launch another probe.