Beware of Sophisticated Malicious USB Keys

Malicious USB keys have always been a problem. There is almost no professional penetration testing team that does not drop a handful of USB keys outside a targeted organization and see success from employees plugging them in and opening boobytrapped documents or running malicious executables.

My favorite trick, when I was a full-time penetration tester, was to label the dropped USB keys with the company’s name and include a malicious file labeled “Pending layoffs”. Employees could not wait to plug those in and open the file.

KnowBe4 even has functionality for creating and tracking simulated USB key drops built into our software. The feature can tell you who plugged them in and launched the simulated malware, who typed in their passwords, and so on. It is a great feature for administrators who want to test and educate their employees on potential social engineering attacks. We even had sysadmins hit by their own simulated USB creations because they forgot about them, had them lying around, and plugged them in many months later. That’s embarrassing.

USB key attacks are real. They do happen. Some ransomware gangs in particular are known for focusing on USB attacks. In 2020, Sophos reported that seven percent of ransomware attacks (172 incidents) started via USB. It was the only ransomware report touting USB keys as a key root compromise, and it is likely that the experience of Sophos’ customers really reflected that stat because they were more commonly hit by a ransomware program from the ransomware group that more likely uses USB keys, but the technique is used by more than one ransomware group and by real-world hackers in general. Here are some related news stories:

Sophisticated USB Attacks

Many readers may visualize attackers dropping plain, unmarked USB keys into parking lots and hoping for the best. But USB attackers can be quite sophisticated and go above and beyond in the branding and marketing of their malicious USB keys. Some are creating official-looking “FedEx” packaging, which includes professional-looking, high-quality folders, letters, and USB keys. Some of these USB scams are so, so good that I wonder if I could spot the phish. Here are two examples:

Fake Microsoft Office Scam

In this example, the potential victim was mailed what looked like a (free) version of Microsoft Office Professional Plus (see images of the package below, taken from Twitter).

[Image: USB scam example]

Is this original, legitimate, Microsoft packaging the hacker simply re-used or is it newly created, fake branding? I do not know. It is that good.

Fake Ledger Crypto Device

Ledger is one of the world’s leading physical device cryptocurrency wallet vendors. They make high-quality crypto wallets that significantly decrease the risk of online and offline cryptocurrency attacks. In July 2020, a servicing vendor was compromised, leading to the theft of Ledger’s customer list. Ledger, rightfully, notified customers, and it was a moderately big story at the time. Ledger warned customers to be alert about potential future attacks related to the theft of their information.

Well, Ledger’s caution to their customers was warranted. In June 2021, an attacker made up very sophisticated, Ledger-branded packaging enclosed by shrink wrap. See images below from a news article:

Here is the external packaging box:

[Image: Ledger example, external packaging box]

It contained a compromised Ledger device, a letter, and instructions telling customers that the previously announced (real) compromise required that Ledger send all impacted customers a new, “improved” Ledger device which they need to “upgrade” to. Here is the letter.

[Image: Ledger example, letter]

It is on a fake Ledger-branded letterhead supposedly signed by the Ledger CEO, with a fake signature. The instructions looked like this:

The instructions told the potential victim how to “install” the new Ledger device. If the potential victim followed the instructions, all their cryptocurrency protected by the Ledger device would be stolen.

The original person, the original potential victim, reporting the scam did not fall for it. But how many other Ledger customers who got sent the fake packaging, letter, instructions, and new compromised device did?

Again, if I was a Ledger customer, would I have noticed the scam? I am not sure. I hope I would…but I am not 100% sure. What about our average end-users? Since over 30% of our uneducated co-workers will click on what we think is an obvious, fairly unsophisticated, phishing scam, I have to believe that a higher percentage would fall for these types of very sophisticated, professional-looking USB scams, if appropriately motivated by the subject matter and purported vendor. So, what can you do?


All cyber defenses have three main components: policies, technical defenses, and education.

Make sure your organization’s policies instruct employees to be aware of such attacks, and that they are never to pick up an unknown or unapproved mobile storage device (of any kind) and plug it into organization resources. Unknown USB devices should be reported and given to IT security. That is Step 1.

Secondly, install technical defenses which prevent unapproved mobile media from being successfully plugged into or accessed on company resources. Make sure AutoRun is disabled. Make sure antivirus programs always scan any mobile media device that is successfully accessed. This includes even camera media cards.

Lastly, and most importantly, make sure your employees are educated (use this article) about the increasing sophistication of USB attacks that include very professional-looking packaging and branding. We are not in the “anonymous” USB key dropped in a parking lot stage of attacks anymore.
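One way to verify the second step (the technical defenses) on a Windows endpoint, as an added example and not part of KnowBe4’s software or this post: a PowerShell audit of the AutoRun and removable-storage Group Policy registry values. The registry paths and value names are the standard policy locations; the `-Fix` switch and the helper function names are this example’s own.

```powershell
# Added example (not from the KnowBe4 post): audit the two Windows policy
# settings the article calls for, AutoRun disabled and removable storage blocked.
# Registry paths and value names are the standard Group Policy locations; on
# domain-joined machines set them via GPO and use this script only to verify.
# Run as an administrator. -Fix applies the settings; test it on a pilot machine
# first, because Deny_All blocks every removable drive, approved ones included.
[CmdletBinding()]
param([switch]$Fix)

$AutoRunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: policy not configured
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# NoDriveTypeAutoRun is a bitmask: each bit disables AutoRun for one drive type,
# and 0xFF covers all of them (removable, fixed, network, CD-ROM, RAM disk, unknown).
$autoRun   = Get-PolicyValue $AutoRunKey 'NoDriveTypeAutoRun'
$autoRunOk = ($null -ne $autoRun) -and (($autoRun -band 0xFF) -eq 0xFF)

# Deny_All = 1 is the "All Removable Storage classes: Deny all access" policy.
$denyAll   = Get-PolicyValue $RemovableKey 'Deny_All'
$denyAllOk = ($denyAll -eq 1)

[PSCustomObject]@{
    Check = 'AutoRun disabled for all drive types'
    Value = if ($null -eq $autoRun) { 'not set' } else { '0x{0:X2}' -f $autoRun }
    Pass  = $autoRunOk
}
[PSCustomObject]@{
    Check = 'Removable storage access denied by policy'
    Value = if ($null -eq $denyAll) { 'not set' } else { $denyAll }
    Pass  = $denyAllOk
}

if ($Fix) {
    if (-not $autoRunOk) { Set-PolicyValue $AutoRunKey 'NoDriveTypeAutoRun' 0xFF }
    if (-not $denyAllOk) { Set-PolicyValue $RemovableKey 'Deny_All' 1 }
    Write-Host 'Policies written; run gpupdate /force or sign out for them to take effect.'
}
```

Organizations that need to allow approved devices should replace the blanket `Deny_All` with the per-class Deny_Read/Deny_Write values under the same key, or a device-allowlisting product, so the policy blocks unknown media without breaking sanctioned workflows.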

Education is key because no matter how great your policies or technical controls are, there is always a chance something bad will get by. And none of your great policies and technical controls on organization-managed devices will stop the employee (or child, parent, etc.) from falling for the same scheme on a non-managed asset. There is no perfect defense that can prevent cybersecurity badness from getting to all users and people.

If you are concerned about USB attacks, make sure to do simulated USB key attacks. Certainly, you can try the old, anonymous USB-style of testing, but if you really want to be sure which employees would or would not be caught up by a more sophisticated USB scheme, send a simulated USB branded package to the employee’s work location or home using the regular “snail mail” delivery service. Just a few key employees compromised by your simulation can be used to help educate the rest of the company. As with any phishing simulation test, make sure to get senior management approval first. No one ever got promoted by proving to the CEO they could also be phished (without prior notice).

Simply educating your employees about USB key attacks is one of the best things you can do to prevent these types of attacks.
