On Thursday, the FBI warned that a group of hackers used a mailing service in the US to send USB drives filled with malware to companies in the defense, transportation and insurance industries. The criminals hope that employees will be gullible enough to plug the drives into their computers, creating an opportunity for a ransomware attack or other malware deployment.
A hacking group called FIN7 is said to be behind the campaign, and it has made the parcels look harmless.
In some cases, the packages looked as if they were sent by the US Department of Health and Human Services, with notes explaining that the USB drives contained important information about COVID-19 guidance. In other cases, they were made to look as if they came from Amazon, along with “decorated gift boxes containing fake thank you letters, fake gift cards and USB sticks,” according to the FBI warning.
The scheme appears to have been going on for at least several months, with the FBI saying it began receiving reports of such activity last August.
FIN7 is a sophisticated cybercriminal group that is reported to have stolen more than 1 billion USD through various financial hacking schemes. In the past, this group has also been linked to notorious ransomware, such as DarkSide and BlackMatter, and last September, security researchers reported that FIN7 also created a fake cybersecurity company to recruit IT talent for its operations.
Plugging an unknown USB drive into a computer sounds very unlikely, but a 2016 study by the University of Illinois and the University of Michigan found that there’s about a 50 percent chance of it happening. For a company, just one gullible person is enough to open the door to hackers. In general, if a random stranger gives you a USB drive as a gift, it’s best not to touch it.