One trick companies use for outreach is to give out company-branded gifts. These can include a company-branded pen and notepad, a water bottle or the ever-present company keychain. Another item companies will send is a USB drive. It is usually branded with its logo and might contain some sales pitch files or a product catalog. These might seem harmless, but they aren’t always. Read on to see how cybercriminals are using them to spread malware.

Here’s the backstory

Checking out the content of any USB drive should be done with caution, even if it comes from a company or business that you know. But some users just can’t resist the urge of owning another 8GB or 16GB drive and pop them into a computer to format. However, a new malware scam could have dire consequences if you do. An investigation by the FBI revealed that cybercriminals have been mailing malware-infected USB drives to several industries. They hope that the recipients will insert the drive into their work computers. The industries being targeted are:

TransportationInsuranceDefense

While businesses are being targeted, criminals could soon begin sending infected USB drives to anyone. So beware. The FBI explained that in all cases, the USB devices were LilyGO-branded and contained several innocuous files like COVID-19 guidelines. But digging a bit deeper, the drives hide the BadUSB malware sent by the known hacker group FIN7. The USB will register to the computer as a keyboard and start executing pre-configured automated keystrokes. Launching the PowerShell on Windows machines automatically downloads and installs various malware. “FIN7 actors then used a variety of tools—including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, TIRION — and deployed ransomware, including BlackMatter and REvil, on the compromised network,” the FBI said in a statement. The group has been on the agency’s watch list since 2018.

What you can do about it

Through various malware variants, hackers attempt to gain access to a company’s server to steal sensitive information. In some cases, the malware can launch ransomware attacks where the victim has to pay exorbitant amounts to get access back to its data. You should always treat a USB device with caution, no matter how curious you are. There is no telling what could be on it, especially if you lent it to someone. It should also go without saying that you should never insert a USB drive in your computer that has been mailed to you or one that you find on the street.

Keep reading

If you get this gift card in the mail, beware – it’s a trap 5 clever ways to use those old USB drives you have lying around