FBI Warns of Malicious Attacks Disguised as Gift Cards
Last week, the FBI warned that malicious hackers are mailing USB drives along with gift cards in a twist on the classic "lost USB" attack.
There are a many things humans seem to do innately. If you see an unlabeled button, you press it. If you see a cute kitten, you pet it. And, if you find a USB drive, you plug it into your computer to see what’s on it. Black hat hackers use the latter situation to their advantage to perform a “lost USB” attack. Plugging the USB drive in will cause some sort of code to run on your computer, usually with the goal of installing malware. This past Thursday, the FBI warned that malicious hackers are mailing USB drives along with gift cards in a twist on the lost USB attack.
There are many possible variations of this attack, but all of them rely on you to plug a USB device into your computer. To achieve that, they send you a package with the USB device along with some other items designed to convince you to plug it in. For instance, in one actual attack a person received a package that said it was from Best Buy. Inside was a $50 gift card, a short signed note from “customer relations,” and what appeared to be a USB drive. The note said the gift card was a reward for the person’s loyalty, and that they could check the USB drive for a list of products that could be purchased with the gift card.
That was, of course, all a farce. The USB “drive” was actually a device that emulates a keyboard when it’s plugged into a computer. Such devices are relatively easy to make using a Microchip ATmega32U4, which is the same microcontroller you’ll find in an Arduino Leonardo and several other development boards. Once the device is plugged into a computer, it begins typing out Windows PowerShell commands. Those commands are used to download and install a JavaScript bot, which can, in turn, install more malware. The FBI says that this tactic is currently being employed by the FIN7 cybercriminal group, but there is no reason other unethical hackers couldn’t do something similar. The best way to protect yourself is to simply avoid plugging any unknown or untrusted devices into your computer — though that may be as difficult as not pushing a big red button.