USB Scam: Don’t fall victim

Why the human factor is the biggest threat to cybersecurity

By: David Greenham, CISSP, CISM, CISA, SCF, QSA, Sr. Manager, Richter

Hackers and attackers are constantly trying to infiltrate the safety of corporate firewalls. These individuals are becoming increasingly clever and creative in finding new ways to infiltrate a company’s network. No longer are they limited to trying to break into the network from the outside. With a little help from an unwitting insider, the attacker could open up a back-door into the company’s network, and the system is then theirs for the taking. How? Welcome to social engineering.  



The term social engineering refers to exploiting security weaknesses involving the “human factor”.  People are commonly known to be the weakest link in information security, and the practice of social engineering usually involves preying upon people’s general tendency to want to help other people. This has often included an attacker calling a company’s help desk and impersonating a user in the attempt to have that user’s password reset. Now though, attackers are taking this one step further, and one step more removed from having to interact with company employees directly, while still gaining the access they desire.  

An emerging form of social engineering involves dropping a USB thumb drive in a public place. The thumb drive contains a malicious payload that could launch when someone plugs it into a computer. The malicious payload could contain a Trojan horse, rootkits, or even ransomware, and the consequences could be dire. An attacker could create a remote connection into the victim’s computer, or could even gain full remote control of said computer. For example, the attacker could launch a keystroke logging program on the victim’s computer that would send all keystrokes (which would include user IDs, passwords, banking information, credit card numbers and other sensitive information) back to the attacker. The attacker may be intent on infiltrating further into the network and may launch additional attacks from the victim’s PC in an attempt to get to even more sensitive/abundant data (e.g. databases).  If the USB drive’s payload contains ransomware, it could lock the victim’s files and demand a ransom in order to have them unlocked.

This type of attack is intended to prey on people's curiosity (Who owns this USB? What's on it? Will someone be in trouble if it gets into the wrong hands?).  If the attacker is intent upon breaking into a particular company, they may target that company’s parking lot or public areas within the company’s premises, such as the lobby, a cafeteria, washrooms or other similar locations.

Some ways that the attacker may choose to make the USB thumb drive even more enticing to a victim could be to label it with “payroll” or “confidential”, etc. Attackers could also attach an actual, physical key to the thumb drive, like a keychain, to give the appearance of the USB a greater sense of presence or importance.

Honestly, do people really fall for this?

Yes. During the recent Black Hat USA 2016 security conference in Las Vegas, NV, Elie Bursztein, a security researcher at Google, gave a presentation entitled “Does Dropping USB Drives Really Work?”[1], during which he discussed his study about USB drive dropping. In this study, his team planted nearly 300 USB keys across the University of Illinois Urbana-Champaign campus to study the behavior of those who picked them up. In his study, Bursztein found that a shocking 45% of people who picked up a USB key plugged it into their computers, which enabled the key to “phone home”. To an attacker, those are pretty good odds.

Shouldn’t my antivirus software protect against threats like this?

Antivirus software is signature-based, which means it looks for attributes and behaviours of certain files that have been previously found to be malicious. These days, attackers can modify/mutate their malicious software enough to avoid detection and stay one step ahead of the signature-based anti-malware tools.  Additionally, since new operating system vulnerabilities are continuously being discovered, attackers are usually ahead of the defenders, and the defenders are continuously playing a game of catch-up to provide updates to their signature files.

What can be done to prevent this type of attack?

Employee awareness is the key to combating this type of threat. Companies should ensure that their personnel are aware of the risks that this form of social engineering presents. The message should be clear: if you see a USB key lying around within the grounds of your workplace, bring it to your security department. If it is lying outside of your workplace, it is better not to pick it up.

During his talk at Black Hat, Mr. Bursztein used the analogy of finding food on the ground. You wouldn't pick up food off the ground and eat it, so don't pick up stray USB keys and plug them into your computer. Either way, you're likely to get sick.

How Richter can help:

Prevention is key. Richter offers security awareness training to our clients’ personnel, and can assist you in developing an endpoint security strategy to evaluate and select products that best fit your company’s security needs.

Learn more
: CEO Scam: You're a target. Don't become a victim.


About Richter: Founded in Montreal in 1926, Richter is a licensed public accounting firm that provides assurance, tax and wealth management services, as well as financial advisory services in the areas of organizational restructuring and insolvency, business valuation, corporate finance, litigation support, and forensic accounting. Our commitment to excellence, our in-depth understanding of financial issues and our practical problem-solving methods have positioned us as one of the most important independent accounting, organizational advisory and consulting firms in the country. Richter has offices in both Toronto and Montreal. Follow us on LinkedInFacebook, and Twitter.

Expert Showcase