In what appears to be a mix of old- and new-school social engineering, an attack spotted in the wild using a USB thumb drive offers us a view into how one company could have become the victim.
One of the oldest forms of modern-day social engineering was the “dropping the malware-laden USB stick in the parking lot” scam. This month, security researchers at Trustwave clued the world in on an attempted USB drive-based scam (referred to as a BadUSB device) on one of their unnamed clients.
Here’s how it went down:
The client was mailed (MAILED!) a BestBuy gift card, a letter (on BestBuy letterhead) thanking them for their business and a USB Drive (which the letter indicated contained a list of items the gift card could be spent on).
Instead of falling for the scam, Trustwave was eventually called in to investigate. Upon plugging in the BadUSB device into a test workstation, a PowerShell script was launched which downloaded a second PowerShell script and a Jscript-based malware bot, installed the malware and even posted a fake message box to establish with the victim why there’s no list of items to be purchased with the gift card.
The malware collects a wide range of information about the infected machine and sends it back to the command & control (C2) server and then jumps into a loop awaiting instructions from the C2 server.
This scam is a wonderful example of how simple social engineering, a stolen empty Best Buy gift card, and an inexpensive BadUSB device (which only costs about $7 USD), can be used to infect an organization with malware that can be used to do anything its designers desire in the future.
The question you need to ask yourself is would your users fall for it?
If so, you need them to be put through continual Security Awareness Training where they can learn about social engineering, the various forms of scams that exist (including ones like this one), and how to avoid becoming a victim of each.