An Old Threat Resurfaces: Warn Your Team About This Scam

What’s old is new again. Remember the early aughts, when USB flash drives seemed like the definition of our technological future? Think about it: cheap, extremely portable devices that work on just about any computer anywhere and can store any file type you can imagine. It was and still is an awesome technology, even if the advent of cloud storage and faster internet speeds have limited our need for them.

The Problem with USB Flash Drives Back Then

The USB drive suffered from one very frustrating (and sometimes dangerous) problem, though: because of the way USB works, there was no effective way to stop a USB drive from auto-installing stuff whenever it got plugged into a new machine. The PC simply recognized the new drive and tried to read it, and that was it: the damage was already done. Simply reading the contents of the drive was enough to install malware. If hackers, scammers, or corporate thieves had the right tech capabilities, they could preload a flash drive with auto-installing malware that could steal your data, log your keystrokes, and more — and you’d likely never know. This threat got so bad that many companies banned USB flash drives entirely (or tried to, at least). Major universities and massive businesses discovered that they’d been attacked. Even governments started taking action (or suffering the consequences): the Stuxnet worm that partially destroyed an Iranian nuclear facility back in 2010 is believed to have been caused by USB drive attack. Somewhere along the way, cloud storage got easier to use and internet speeds started to increase, and the business world largely moved away from USB flash drives. So why the history lesson? Because the scam is back.

Why This Matters Today

Even though people in tech circles know that USB flash drives are a significant risk, the general public isn’t so aware. People are curious by nature, and the percentage of people who will plug in a random “lost” USB flash drive they find is alarmingly high, so the threat hasn’t gone away. And this year, quite a few new schemes have started popping up, using this old threat in new, creative ways. Here are three of them you should know about — and warn your team about before it’s too late.

“Microsoft Office Updates”

Probably the most dangerous new version of this scam has to do with Microsoft Office, or so it claims. Here’s how it works. Someone in your office receives an official-looking piece of mail. Inside is a USB flash drive that looks like it’s from Microsoft, along with some kind of letter telling the recipient that the USB flash drive contains an updated version of Office. Never mind the fact that absolutely all of those updates are delivered automatically over the internet these days; the packaging looks really convincing, and plenty of people will be fooled. Of course, if a user plugs in the drive, boom: instant malware all over their machine. You’ll also get a pop-up warning that something’s wrong, and you need to call “Microsoft support.” (Spoiler alert: it’s not really Microsoft support.) You can probably guess where this is going: the scammers will ask for credentials or bank details or some such thing, and your business or your team member’s personal financial data gets compromised.

“COVID-19 Warning”

Another version of this scam hit in January 2022, with cyber criminals shipping out flash drives claiming to be a COVID-19 warning from the US Department of Health and Human Services. The attack works essentially the same as the fake Office update, but this time preys on people’s concern about the pandemic.

“Amazon Gift Card”

The same report noted that other individuals received malicious USB drives claiming to contain a digital Amazon gift card. It’s not hard to see how some folks, motivated by $100 in free Amazon credit, would at least plug in the drive to check. And again — by then, it’s too late.

What You Can Do

So, what can you do about this threat? First, notify your team members. It’s probably been a few years (if not a decade) since the threat of a USB flash drive being dangerous has crossed anyone’s mind, so it’s time to change that. There are also other more complex steps you can take to secure your systems from malware attacks. We can help with these. Reach out to our team today if you’re concerned about the safety of your systems.