
Malicious Actors Use USB Drives & Gift Cards to Lure Victims

The FBI has issued a threat advisory.

USB devices are being mailed to businesses across the country that contain malware.  The FBI warns that people working in Human Resources, Information Technology and Executive Management have been targeted.  Victims are being lured to insert an unknown drive into their computers.

Malicious actors have been sending out packages via the United States Postal Service (USPS).  The USB devices are packaged in material easily bought from most USPS locations.  The USB drives have been labeled with names specifically targeting the recipient of the device.  Many packages have contained a gift card or teddy bear claiming to be from a trusted source, hoping it will be enough for the recipient to plug the unknown device into their computer.

In February of this year, a malicious actor shipped a USB drive to a large company in the hospitality sector, claiming to be from Best Buy’s customer relations and to carry a $50 loyalty reward.  In the envelope was a USB drive supposedly containing a list of products eligible for purchase using the gift card.  The company did not give in to the malicious attempt and contacted security experts at Trustwave, who determined that it was a BadUSB attack.

“Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50.  You can spend it on any product from the list of items presented on a USB stick.  Thank you again for choosing us!”

The FBI states that once the malicious drive is plugged in, it launches a command that fetches malware from a service controlled by the attacker.  The USB device then contacts domains or IP addresses in Russia.  The technique relies on altering the firmware within the device so that it no longer behaves as a simple storage drive.  The USB drive is a mousetrap: it emulates keyboard presses on the affected computer, executes malicious commands in the background, and downloads unknown malware as a final payload.
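As an added illustration of the behaviour described above, and not code from the FBI advisory, Trustwave, or the original post: the snippet below scans Linux kernel-log lines and flags any USB device that enumerates as both a mass-storage drive and a keyboard, which is the signature of a "drive" that is really a keystroke injector. The log lines, vendor/product IDs, and device names are constructed samples, and the log format is assumed to follow the usual dmesg layout.

```python
import re
from collections import defaultdict

# Constructed sample dmesg-style lines (not from the original post).
# Device 1-1 presents as a storage drive AND a keyboard: the BadUSB pattern.
# Device 1-2 is an ordinary storage drive for comparison.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
usb 1-1: Product: Gift Card Catalog
usb-storage 1-1:1.0: USB Mass Storage device detected
input: HID Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:ABCD:1234.0001/input/input20
usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# A port path such as "1-1" or "1-1.2" identifies one physical device;
# "<port>:<config>.<interface>" identifies one of its interfaces.
NEW_DEV = re.compile(r"^usb (\d+-[\d.]+): New USB device found, "
                     r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"^usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD = re.compile(r"^input: (.*Keyboard.*) as /devices/\S*/(\d+-[\d.]+):\d+\.\d+/")


def assess_usb_events(log):
    """Group USB events by port and flag devices that act as both storage and keyboard."""
    devices = defaultdict(lambda: {"id": None, "storage": False, "keyboard": False})
    for line in log.splitlines():
        if m := NEW_DEV.match(line):
            devices[m.group(1)]["id"] = f"{m.group(2)}:{m.group(3)}"
        elif m := STORAGE.match(line):
            devices[m.group(1)]["storage"] = True
        elif m := KEYBOARD.match(line):
            devices[m.group(2)]["keyboard"] = True
    for info in devices.values():
        if info["storage"] and info["keyboard"]:
            info["verdict"] = "ALERT: storage device also enumerated as keyboard (BadUSB pattern)"
        elif info["keyboard"]:
            info["verdict"] = "WARN: new keyboard attached"
        else:
            info["verdict"] = "ok"
    return dict(devices)


if __name__ == "__main__":
    for port, info in assess_usb_events(SAMPLE_LOG).items():
        print(port, info["id"], info["verdict"])
```

On a real host the same function can be fed the output of `dmesg` or `journalctl -k`; a hit on the ALERT verdict is the moment to unplug the device and preserve it for investigation.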

Who is behind this?

This threat appears to be coming from the group FIN7, a criminal organization that has stolen hundreds of millions of dollars since 2015.  The group is so well known that it is considered to be an “advanced persistent threat” or APT group.  These sorts of attacks were first detected at the start of 2010, and for many years they represented a theoretical attack; it is now a reality.

FIN7 is not only sending out malicious USB drives, but is also sending out phishing emails.  FIN7 is known to exchange dozens of emails with its victims before sending the malicious payloads.  Last year, an employee at Red Robin Gourmet Burgers and Brews received an email that contained a complaint about a recent experience and urged the recipient to open the attachment for further details.  They did.  Within days, FIN7 had mapped Red Robin’s entire network and obtained the username and password for the restaurant’s point-of-sale software management tool.

Be aware.

Do not plug in any unknown USB devices to any computer system no matter how attractively it has been disguised or how large the attached gift card is.  If you want to protect your business, you need to educate yourself and employees on cybersecurity and the threats involved.

Please notify your local FBI office if you receive a questionable USB device, and above all else DO NOT insert the device into your computer.  Limit the exposure of the package and handle it with care to preserve the DNA and fingerprints that may be obtainable from the package.