You didn’t stick that USB thumb drive you found into your computer, did you??!!
As employees become more cautious about opening email attachments and which websites they visit, some hackers are resorting to more aggressive techniques to get their Trojans onto corporate networks. One technique that is being used successfully is dropping a USB thumb drive in the company parking lot or somewhere in the building – either by itself, attached to a corporate lanyard or keyring, or with some type of name or word taped on the surface. While good Samaritans may be tempted to plug it into their computer to find out who it belongs to, this is the worst mistake they could possibly make. Here’s why:
1. Hackers who use this technique test their malicious code to make sure that it isn’t detected by any anti-malware applications. It is very dangerous to assume that scanning the thumb drive for malware, even on a stand-alone computer, will ensure that it is free of malware.
2. Hackers may place documents, videos, MP3s, or presentations that are repackaged with zero-day exploits.
3. Hackers may create documents containing file names that include the words “draft”, “confidential” or “for internal use only” to tempt personnel into opening documents or executables disguised as documents. Clever hackers will package their disguised executable so that it opens an actual document on the thumb drive while performing other actions to facilitate installation of a Trojan.
4. The thumb drive may install a “sleeper” Trojan onto a system that doesn’t do anything right after it’s installed. As a result, personnel may be lured into believing that the thumb drive is harmless. The sleeper Trojan may not become active for several days or weeks after being installed.
5. The malicious code on the thumb drive may check the system date before installing a Trojan, to ensure that several days or weeks have elapsed since the thumb drive was left to be found. This, too, may convince someone that the thumb drive is harmless and can be used.
So what to do?
First, organizations need a policy and procedure for using thumb drives, including labeling, storage and use outside of the facility. All thumb drives should carry some type of marking that can be traced back to the person to whom they were issued. Use of personal thumb drives should not be allowed.
Second, organizations need a policy and procedure for all removable media found on the premises or received unsolicited through the mail. This includes USB devices, CDs and DVDs – even if they appear to be new and sealed in original packaging. An unidentifiable USB thumb drive that appears to have been lost should be put in an envelope, without any attempt to determine who owns it, and labeled with where it was found, by whom, and the date and time. The envelope should then be turned over to a designated department for safekeeping until the owner comes looking for it. While it may be tempting to let the IT department figure out who owns the thumb drive, a clever hacker can mislead the IT department into believing that the thumb drive belongs to someone who does not own it.
Third and last, anyone who loses a thumb drive while outside of the facility and has it returned at a later time should assume that the security of the thumb drive has been compromised – intentionally or unintentionally. The thumb drive should not be used, for the reasons listed above. It needs to be turned over to the IT department for reformatting.
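The first two steps above amount to an inventory of issued drives plus a way to notice when something that is not on that inventory gets plugged in. The script below is an added example, not part of the original post, showing one way a defender can check for that: it parses the kernel's USB enumeration messages (the `New USB device found` / `SerialNumber:` / `USB Mass Storage device detected` lines a Linux host writes to dmesg or the journal), keeps only mass-storage devices, and compares each device's serial number against a list of drives the organization actually issued. The log lines, the inventory and the owner names are all constructed for the example; the vendor and product IDs are sample values, not indicators of anything.

```python
import re

# Constructed sample of Linux kernel log lines (dmesg / journalctl -k) covering
# three USB insertions: an issued SanDisk drive, an unknown generic drive, and a
# keyboard. Formats mirror real kernel output; the serials and IDs are made up.
SAMPLE_KERNEL_LOG = """\
[ 1203.441] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[ 1203.602] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 1203.603] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1203.603] usb 1-1: Product: Ultra Fit
[ 1203.604] usb 1-1: Manufacturer: SanDisk
[ 1203.604] usb 1-1: SerialNumber: 4C530001230329115432
[ 1203.700] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1350.120] usb 1-2: new high-speed USB device number 6 using xhci_hcd
[ 1350.301] usb 1-2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
[ 1350.302] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1350.302] usb 1-2: Product: Flash Disk
[ 1350.303] usb 1-2: Manufacturer: Generic
[ 1350.303] usb 1-2: SerialNumber: 0000000000FF
[ 1350.400] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 1400.010] usb 1-3: new low-speed USB device number 7 using xhci_hcd
[ 1400.200] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 1400.201] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1400.201] usb 1-3: Product: USB Keyboard
"""

# Constructed inventory: serial number of each issued drive -> person it was issued to.
# This is the "marking that can be traced back to the person" from the policy, in
# machine-readable form.
ISSUED_DRIVES = {
    "4C530001230329115432": "j.doe",
    "4C530001230329118877": "a.smith",
}

ID_RE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
SERIAL_RE = re.compile(r"usb (?P<port>\d+-[\d.]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected"
)


def parse_usb_events(log_text):
    """Group kernel log lines into one record per enumerated USB device.

    Records are keyed by the bus port (e.g. '1-1') while a device is being
    enumerated; a later insertion on the same port starts a new record, so
    re-plugging the same port is not lost.
    """
    devices = []
    current = {}  # port -> index into devices of the device being enumerated there
    for line in log_text.splitlines():
        m = ID_RE.search(line)
        if m:
            current[m["port"]] = len(devices)
            devices.append({"port": m["port"], "vid": m["vid"].lower(),
                            "pid": m["pid"].lower(), "serial": None,
                            "mass_storage": False})
            continue
        m = SERIAL_RE.search(line)
        if m and m["port"] in current:
            devices[current[m["port"]]]["serial"] = m["serial"]
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in current:
            devices[current[m["port"]]]["mass_storage"] = True
    return devices


def classify(devices, inventory):
    """Flag every mass-storage device whose serial is not on the issued list."""
    findings = []
    for dev in devices:
        if not dev["mass_storage"]:
            continue  # keyboards, mice etc. are outside this policy's scope
        owner = inventory.get(dev["serial"]) if dev["serial"] else None
        findings.append({
            "port": dev["port"],
            "vid_pid": f"{dev['vid']}:{dev['pid']}",
            "serial": dev["serial"],
            "owner": owner,
            "verdict": "ISSUED" if owner else "UNKNOWN",
        })
    return findings


if __name__ == "__main__":
    for f in classify(parse_usb_events(SAMPLE_KERNEL_LOG), ISSUED_DRIVES):
        print(f"{f['verdict']:8} port={f['port']} id={f['vid_pid']} "
              f"serial={f['serial']} owner={f['owner']}")
```

Two caveats when using this for real. Cheap drives often ship with blank or identical serials (the `0000000000FF` above is meant to look like one), so the inventory is a tracing aid for drives the organization bought and labeled, not proof of identity, and an `UNKNOWN` verdict is a reason to apply the envelope procedure, not to start examining the drive. Detection like this also runs after the device has already been enumerated; the preventive control the policy calls for is still an OS-level block on unapproved removable storage, with the log check serving as the audit trail that the block is working.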
Find all of this fascinating? Want to learn other ways hackers can get onto corporate networks without being detected? Read my book!