Gift card scam sends out malicious USB drives
Malware attacks using USB flash drives dropped in offices or public locations like car parks are not uncommon. But researchers at Trustwave SpiderLabs have been investigating a new attack disguised as a gift card.
The attack came in the form of a letter that appeared to be from retail chain Best Buy, offering a $50 gift to loyal customers. With the letter came a USB drive supposedly containing a list of items to spend the money on.
This is where it gets sneaky: the USB device actually contains an Arduino microcontroller programmed to emulate a USB keyboard. Since PCs generally trust USB keyboards by default, the keyboard emulator can automatically inject malicious commands into the system as soon as it is plugged in.
The drive could therefore be used to launch an attack and infect unsuspecting users' computers without them realizing it. This type of USB device with a built-in processor is widely known and used by security professionals. Such devices are also cheap and readily available to anyone, so it's not entirely surprising to see the technique used in the wild by criminals.
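Because an emulated keyboard types as soon as it is plugged in and far faster than a person, keystroke timing is one signal defenders can check. The sketch below is an added example, not from the article or from SpiderLabs; it assumes an endpoint agent already records device-attach and per-device key timestamps, and the event format, device names and thresholds are all hypothetical.

```python
from statistics import median

# Assumed thresholds for illustration; tune them for your environment.
MIN_HUMAN_GAP_MS = 30       # sustained typing faster than this is not a person
MIN_KEYS = 10               # ignore short bursts such as key repeat
MAX_ATTACH_DELAY_MS = 5000  # typing this soon after plug-in is suspicious


def flag_injected_keyboards(events):
    """events: (ms_timestamp, device, kind) tuples, kind is 'attach' or 'key'.

    Returns {device: (median_gap_ms, ms_from_attach_to_first_key)} for
    keyboards that start typing right after attach at machine speed.
    """
    attached, keys = {}, {}
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            attached[dev] = ts
            keys[dev] = []          # a re-plug starts a fresh observation
        elif kind == "key" and dev in attached:
            keys[dev].append(ts)

    flagged = {}
    for dev, stamps in keys.items():
        if len(stamps) < MIN_KEYS:
            continue
        gap = median(b - a for a, b in zip(stamps, stamps[1:]))
        delay = stamps[0] - attached[dev]
        if gap < MIN_HUMAN_GAP_MS and delay <= MAX_ATTACH_DELAY_MS:
            flagged[dev] = (gap, delay)
    return flagged


def sample_events():
    """Constructed data: one human-typed keyboard, one scripted device."""
    events = [(0, "desk-kbd", "attach"), (60000, "gift-usb", "attach")]
    t = 20000
    for g in (140, 210, 95, 160, 180, 120, 300, 150, 110, 170, 130):
        t += g
        events.append((t, "desk-kbd", "key"))
    events += [(61500 + 5 * i, "gift-usb", "key") for i in range(40)]
    return events


if __name__ == "__main__":
    for dev, (gap, delay) in flag_injected_keyboards(sample_events()).items():
        print(f"{dev}: median key gap {gap} ms, first key {delay} ms after attach")
```

Timing is only a heuristic, so treat it as a supplement to restricting which USB devices are allowed to attach.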
The moral of the story here is never to trust a USB device if you don't know where it's come from.
You can read more details of the attack on the SpiderLabs blog.