Having just discussed phishing on Monday, it makes sense to cover the social engineering practice called “baiting” today. Typically, this involves an attacker leaving removable media such as a USB flash drive or SD memory card lying around in a public location. The exploit depends entirely on the principle of “finders-keepers.” People pick these drives up and plug them into the first computer they can find. Hey look – full of files with interesting-looking file names. And maybe enticing pictures? Opening one of these documents from the flash drive has the same effect as opening an email attachment – whatever the file was designed to do will execute.
The most infamous successful baiting attack was the Stuxnet attack against the nuclear energy laboratories in Iran by the US and Israeli military cyberwar units. So this is not a trivial exploit. If I want to get a remote access Trojan into a specific company, a piece of USB flash drive bait can be the best way.
A recent study, as reported on Naked Security, found that 68% of the USBs they left as bait were plugged into computers without any precautions. Another startling statistic in the article was that “in 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 – were infected.”
Many Internet security software products will automatically prompt a user to scan a flash drive when it is plugged into a protected computer. This is a good way to check the drive before you start rummaging around in its contents. Or just skip the juicy contents entirely and reformat the flash drive. Now it is yours to use without all that pesky malware.
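If you do want to look before you reformat, the safest first step is a triage that never opens anything. The script below is an added example, not code from the original post: it assumes the found drive has already been mounted (ideally read-only, on an isolated machine) at a path you hand to `triage_drive()`, and it flags files by name alone (autorun.inf, executable types, double extensions such as `.pdf.exe`, macro-capable Office formats, hidden entries) so a person can decide what to hand to a scanner and what to leave alone. The sample drive layout it builds for the demo is constructed, and an empty result means only that these name-based heuristics found nothing, not that the drive is clean.

```python
"""Triage the contents of a found removable drive without opening any file.

Added example, not code from the original post. It assumes the drive has
already been mounted (ideally read-only, on an isolated machine) at the path
passed to triage_drive(); it inspects names only and never reads, opens or
executes the files it flags.
"""
import tempfile
from pathlib import Path

# Extensions that run code when double-clicked on common desktops.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".jar",
                   ".lnk", ".sh"}
# Office formats that can carry macros (the legacy binary ones always can).
MACRO_DOC_EXTS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}


def triage_drive(mount_point):
    """Return {relative_path: [reasons]} for every file that deserves caution.

    Files with no findings are omitted, so an empty dict means nothing
    tripped these name-based heuristics, which is not the same as safe:
    a scanner still has to look inside the files.
    """
    root = Path(mount_point)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_path = path.relative_to(root)
        rel = rel_path.as_posix()
        reasons = []
        suffixes = [s.lower() for s in path.suffixes]
        last = suffixes[-1] if suffixes else ""

        if path.name.lower() == "autorun.inf":
            reasons.append("autorun.inf can auto-launch a program on older Windows")
        if last in EXECUTABLE_EXTS:
            reasons.append(f"executable file type {last}")
            if len(suffixes) >= 2:
                reasons.append(f"double extension {''.join(suffixes[-2:])} "
                               "disguises an executable as a document")
        if last in MACRO_DOC_EXTS:
            reasons.append(f"Office format {last} may contain macros")
        # Hidden (dot) files or anything inside a hidden directory.
        if any(part.startswith(".") for part in rel_path.parts):
            reasons.append("hidden (dot) file or directory")

        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_drive(directory):
    """Create a constructed sample layout resembling a baited drive."""
    root = Path(directory)
    (root / "photos").mkdir(parents=True, exist_ok=True)
    (root / ".trash").mkdir(exist_ok=True)
    samples = {
        "autorun.inf": "[autorun]\n",          # constructed placeholder
        "Q3_salaries.pdf.exe": "",             # constructed: empty, not a real binary
        "budget.xlsm": "",                     # constructed placeholder
        "photos/party.jpg": "",                # constructed placeholder
        "notes.txt": "constructed sample text\n",
        ".trash/old.dat": "",                  # constructed placeholder
    }
    for name, content in samples.items():
        (root / name).write_text(content)
    return root


def run_demo():
    """Build the sample drive in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory(prefix="found_usb_") as tmp:
        build_sample_drive(tmp)
        return triage_drive(tmp)


if __name__ == "__main__":
    for rel, reasons in sorted(run_demo().items()):
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

Running it against a real drive is just `triage_drive("/media/found-usb")` (or the Windows drive letter) from a machine you do not mind rebuilding; the point is that the listing comes from file names, so nothing on the drive gets a chance to execute while you decide.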
Just remember, sometimes good luck is really bad luck in a clever disguise. Don’t fall for this one.