USB Scam: An Unsuspicious Attack in Action
At the Black Hat security conference, security researchers Karsten Nohl and Jakob Lell demonstrated how the security of USB devices has been broken and how any USB device can be infected with hidden or unknown malware. To show this, they used malware they created, called BadUSB. BadUSB resides in the firmware that controls the device’s basic functions. The attack code can stay hidden long after the contents of the device’s memory would appear to the average user to have been removed.
Another piece of malware, USBee, can transfer data from air-gapped computers via USB emissions. It turns USB devices already present within the targeted facility into transmitters without any modification to the hardware.
Baiting is a form of social engineering intended to give the attacker access to a target computer or computer network. The attacker leaves a malware-infected device, such as a USB stick with malicious content, in a place where the intended victim is likely to find it. The person who finds the USB device picks it up and inserts it into his or her computer. The malware is installed without the user intending it, and the system is compromised.
USB risk is not a new fad. Most of us know that it’s not safe to plug an unfamiliar USB device into our computers. But given recent trends, it doesn’t seem that many users are aware that malware can be injected into a computer with nothing more than a USB device. We also know that it’s not advisable to run executable files from unknown USB sticks.
Opening files on a suspicious USB device is no different from opening an email or attachment from an unknown source.
Detect and mitigate USB-disseminated malware
Malware distributed through USB sticks poses a severe challenge for security teams because it is difficult to detect and contain. Tricking users into introducing malware into an organization’s network without their knowledge is an old technique that still seems to be successful. Last month, USB flash drives were reportedly being left in letterboxes in the Melbourne suburb of Pakenham. Victoria police issued a warning about using these USB devices.
Here are some tips for lowering your chances of unknowingly becoming a victim of this kind of attack:
- Erasing a USB drive may not be effective, since it does not prevent firmware attacks such as BadUSB.
- If the source of the USB device is unknown, don’t plug or insert it into your computer.
- Every organization must keep track of USB drives whenever they are used. If untrusted USB drives are found, they should be tested.
- If employees attend a trade fair, exhibition or conference, provide them with temporary equipment and, if something happens, check whether that equipment poses any risk.
- Turn off autorun to prevent any malware from installing by itself.
- Treat an abandoned USB stick with the utmost suspicion. Don’t plug it in. Instead, hand it over to the security team. If a USB stick carries a label such as “Confidential – from the company”, check with the department concerned whether they have sent out any such USB sticks.
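One way to support the "keep track of USB drives" tip on Linux hosts, shown as an added example that is not part of the original article: the script reads kernel log lines, compares each attached device with an inventory of issued drives, and flags a storage device that also registers an input interface. The log lines, serial numbers and allowlist are constructed for illustration, and the function name `audit` is hypothetical.

```python
import re

# Constructed kernel-log sample (Linux dmesg style); not real data.
SAMPLE_LOG = """\
usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-2: SerialNumber: AAAA0001
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-3: SerialNumber: ZZZZ9999
usb-storage 1-3:1.0: USB Mass Storage device detected
usb 1-4: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-4: SerialNumber: AAAA0002
usb-storage 1-4:1.0: USB Mass Storage device detected
input: Generic Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.1/0003:0781:5567.0004/input/input20
"""
# Hypothetical inventory of issued drives: (vendor id, product id, serial).
ALLOWLIST = {("0781", "5567", "AAAA0001"), ("0781", "5567", "AAAA0002")}

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(r"input: .* as \S*/(\d+-[\d.]+):\d+\.\d+/0003:")  # 0003 = USB bus

def audit(log, allowlist):
    """Return (port, reason) findings for the devices seen in the log."""
    seen, current = [], {}  # all devices in order; latest device per port
    for line in log.splitlines():
        if m := FOUND.search(line):
            current[m[1]] = {"port": m[1], "id": (m[2].lower(), m[3].lower()),
                             "serial": None, "ifaces": set()}
            seen.append(current[m[1]])
        elif (m := SERIAL.search(line)) and m[1] in current:
            current[m[1]]["serial"] = m[2]
        elif (m := STORAGE.search(line)) and m[1] in current:
            current[m[1]]["ifaces"].add("storage")
        elif (m := HID.search(line)) and m[1] in current:
            current[m[1]]["ifaces"].add("hid")
    findings = []
    for d in seen:
        if (*d["id"], d["serial"]) not in allowlist:
            findings.append((d["port"], "not in inventory"))
        # Descriptors come from firmware and can be copied, so a listed
        # serial is not proof; an unexpected input interface is a red flag.
        if {"storage", "hid"} <= d["ifaces"]:
            findings.append((d["port"], "storage device registered an input interface"))
    return findings

if __name__ == "__main__":
    for port, reason in audit(SAMPLE_LOG, ALLOWLIST):
        print(f"{port}: {reason}")
```

On the constructed sample this reports the drive with the unlisted serial and the inventoried drive that also registered an input interface.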
The strongest defense against baiting is employee education and training. An organization must have a strong security culture in which company security is a core part of every employee’s work. Companies should educate every employee about social engineering techniques, including possible baiting schemes, and train them to recognize, prevent and respond to these attacks.
– Rini Thomas