Having just discussed phishing on Monday, it makes sense to cover the social engineering practice called “baiting” today. Typically an attacker leaves removable media, such as a USB flash drive or SD card, lying around in a public place: a parking lot, a lobby, a conference room. The exploit depends entirely on the principle of “finders-keepers.” People pick these drives up and plug them into the first computer they can find. Hey look – full of files with interesting-looking names. And maybe enticing pictures? Opening one of those files from a flash drive has the same effect as opening an email attachment: whatever the file was designed to do runs, with whatever privileges you have on that computer.
The most infamous USB-borne attack was Stuxnet, which sabotaged centrifuges at Iran’s Natanz uranium enrichment plant and is widely attributed to the United States and Israel. Exactly how the first drives got inside the plant was never officially confirmed, but the worm’s USB component did not even need a file to be opened: it exploited a Windows shortcut (.LNK) parsing flaw, CVE-2010-2568, so simply displaying the drive’s folder in Explorer was enough to run it. So this is not a trivial exploit. If I want to get a remote access Trojan into a specific company, a piece of USB flash drive bait can be the best way.
A recent study, as reported on Naked Security, found that 68% of the USB drives they left as bait were plugged into computers without any precautions. Another startling statistic from the same article: “in 2011, Sophos studied 50 USB keys bought at a major transit authority’s Lost Property auction, finding that 66% of them – 33 – were infected.”
Many Internet security suites will automatically prompt you to scan a flash drive when it is plugged into a protected computer; take that offer before you start rummaging through the contents. Or skip the juicy contents entirely and reformat the drive, and it is yours to use without all that pesky malware. Two caveats. Neither step helps if the drive bites before the scan runs, as with the Stuxnet-style shortcut files that executed as soon as the folder was displayed, so do the scan or the reformat on a throwaway machine, not your work laptop. And reformatting only cleans the storage; a device whose firmware pretends to be a keyboard (the “BadUSB” class of device) types its commands into the computer the moment it is plugged in, and no scan or format touches that. The safest answer is still to hand a found drive to whoever lost it, or to your security team, and never plug it into a computer that matters.
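As an added illustration (my example, not code from this post) of what “checking the drive before you rummage” can mean in practice, here is a small Python triage script. It walks a mounted drive and judges each file by its name and its first bytes only, never by opening it: files that run code when double-clicked, double extensions like `vacation.jpg.exe`, executables renamed to look like documents, shortcut (.lnk) files, and Office documents that carry a VBA macro project. The sample “drive” it builds in a temp directory is constructed for the demo; every file on it is a fake stub, and the script complements an antivirus scan rather than replacing one.

```python
"""Triage the contents of a found removable drive without opening any file on it."""
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

# File types Windows runs directly on double-click. .lnk is included because a
# malicious shortcut executes its target; Stuxnet's shortcuts ran as soon as
# Explorer rendered the folder, no click needed.
RUNNABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd",
                 ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}
PE_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".dll", ".sys"}
OFFICE_ZIP_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

# First bytes of common formats; enough to catch a file whose extension lies.
MAGIC = (
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-container"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "windows-shortcut"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
)


def sniff(path: Path) -> str:
    """Return a type label derived from the file header, never from the name."""
    with path.open("rb") as fh:
        head = fh.read(8)
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "unknown"


def triage_file(path: Path) -> list[str]:
    """Return reasons this file should not be opened; empty list if none found."""
    findings = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(path)
    if ext in RUNNABLE_EXTS:
        findings.append(f"runs code when opened ({ext})")
    if ext in RUNNABLE_EXTS and len(suffixes) > 1:
        findings.append(f"double extension {''.join(suffixes)} hides the real type")
    if kind == "pe-executable" and ext not in PE_EXTS:
        findings.append(f"PE header but named as {ext or 'no extension'}")
    if kind == "windows-shortcut" and ext != ".lnk":
        findings.append("shortcut header under a non-.lnk name")
    if ext in OFFICE_ZIP_EXTS and kind == "zip-container":
        with zipfile.ZipFile(path) as doc:
            if any(n.lower().endswith("vbaproject.bin") for n in doc.namelist()):
                findings.append("Office document carries a VBA macro project")
    return findings


def triage_drive(root: Path) -> dict[str, list[str]]:
    """Walk a mounted drive and map each suspicious file to its findings."""
    flagged = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = triage_file(p)
            if reasons:
                flagged[p.relative_to(root).as_posix()] = reasons
    return flagged


def build_sample_drive(root: Path) -> None:
    """Constructed stand-in for a found drive; all contents are fake stubs."""
    (root / "readme.txt").write_bytes(b"nothing to see here\n")
    (root / "beach.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "vacation.jpg.exe").write_bytes(b"MZ" + b"\x00" * 62)   # disguised EXE
    (root / "Q3 report.pdf").write_bytes(b"MZ" + b"\x00" * 62)      # EXE named .pdf
    (root / "Open me.lnk").write_bytes(b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 12)
    with zipfile.ZipFile(root / "Salaries 2019.xlsx", "w") as wb:  # macro inside
        wb.writestr("[Content_Types].xml", "<Types/>")
        wb.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake macro stream")


def demo() -> dict[str, list[str]]:
    """Build the sample drive in a temp directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="found-usb-"))
    build_sample_drive(root)
    return triage_drive(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Point `triage_drive()` at the mount point of a real drive to use it. Everything it flags is a reason to stop, not proof of infection, and a clean report is not proof of safety either: a malicious PDF or image exploiting a reader bug looks perfectly ordinary to a header check, which is why the scan or the throwaway machine still matters.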
Just remember, sometimes good luck is really bad luck in a clever disguise. Don’t fall for this one.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com