An old threat to security has, once more, reared its head.
USB thumb drives (memory sticks, keys, etc.) are being left in company car parks, in cafes, in public parks – in fact almost anywhere a person may stumble across a “lost” USB drive.
The scammers buy these drives in large quantities, install trojans/malware on them and then leave them in an accessible place for people to find. The natural reaction of most people on finding one of these devices, even the most honest of us, is to plug it into a PC and see what files may be stored there.
Even today, many companies and most private users have autorun enabled on their PC. Once the device is inserted, the stored files are executed and the machine in question is infected. For a home user this may be anything from harmless to disastrous. The malware is often along the lines of a key-logging or remote-access script, which will allow the scammers to gain access to any files you have stored on the machine – this can include sensitive documents, financial records and even your payment details for your credit cards and payment gateways.
In a company environment the damage can be much worse. The entire network can be compromised, with user, super-user and admin level access being granted to some external agent. Imagine if your company’s user database was accessed by the scammers: all of your clients suddenly getting spam mails or having their accounts used illicitly.
How to avoid getting bitten
If you find a USB drive just lying around, DON’T be tempted. Ideally, pass it over at your local police station or hand it over to a passing policeman. If you are on your way to work, give the drive to your IT department, explaining where you found it. Let the experts examine the device and determine if it poses a threat.
If you must see what the device contains yourself, use a machine which does not have internet access and make sure you have autorun disabled before inserting the drive in your machine. Run any file you find in a sandbox to make sure your PC stays safe and use a good quality, reliable antivirus suite to scan the drive BEFORE using it at all.
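One way to confirm that autorun really is disabled before inserting anything, as an added example that is not part of the original article: a read-only PowerShell check of the Windows registry values that control AutoRun and AutoPlay. It assumes a Windows PC; the function names Get-RegValue and Get-AutoRunStatus are made up for this example, and the script changes nothing.

```powershell
# Added example: read-only audit of the AutoRun / AutoPlay settings on a Windows PC.
# NoDriveTypeAutoRun is a bitmask: a set bit turns AutoRun OFF for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04   # USB thumb drives
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
    'Reserved'  = 0x80
}

function Get-RegValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-AutoRunStatus {   # hypothetical helper name
    $policy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = Join-Path $hive $policy
        $mask = Get-RegValue $path 'NoDriveTypeAutoRun'
        $off  = @($DriveTypeBits.Keys | Where-Object { $mask -band $DriveTypeBits[$_] })
        [pscustomobject]@{
            Key                = $path
            NoDriveTypeAutoRun = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { '(not set)' }
            AutoRunOffFor      = $off -join ', '
            RemovableCovered   = [bool]($mask -band 0x04)
            NoAutorun          = Get-RegValue $path 'NoAutorun'   # 1 = never run autorun commands
        }
    }
}

$status = @(Get-AutoRunStatus)
$status | Format-List

# Per-user AutoPlay switch (the "Use AutoPlay for all media and devices" setting).
$handlers    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
$autoPlayOff = (Get-RegValue $handlers 'DisableAutoplay') -eq 1

if (($status.RemovableCovered -contains $true) -and $autoPlayOff) {
    'AutoRun is off for removable drives and AutoPlay is disabled for this user.'
} else {
    'WARNING: AutoRun/AutoPlay is not fully disabled on this PC.'
}
```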
Honesty is the best policy. If you find a USB drive, hand it in somewhere – it isn’t yours and the original owner may really need that drive!