Hackers can now surreptitiously turn your phone into a crypto mine or hijack your home computer network, but a new malware attack is more simple: just plug in a compact disk.
Several U.S. government agencies have received letters in the mail with CDs that contain malware, according to cybersecurity researcher Krebs on Security. The infected discs are accompanied by a Chinese-postmarked envelope and a confusingly-wording letter. State archives, state historical societies, and a state department of cultural affairs have all received letters addressed to them, according to the Krebs report.
The Multi-State Information Sharing and Analysis Center (MS-ISAC), which initially reported the issue, declined to comment.
‘Users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent.’ A University of Illinois Urbana-Champaign study looked at why people connected random USB drives to their computersPlugging a mysterious CD into your laptop may sound like laughably ill-advised idea, but a surprising number of people fall for it. Curiosity got the better of them: Nearly 50% of college students plugged USBs found on the ground into their computers, according to a 2016 study by the University of Illinois Urbana-Champaign.
“We find that a drive’s appearance does not increase attack success,” the researchers wrote. “Instead, users connect the drive with the altruistic intention of finding the owner. These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks then their peers.
Another similar study found that 20% of members of the public plugged USBs found in parking lots, picnic tables and sidewalks.
“This kind of scam highlights the fact that hackers don’t always rely on elaborate technology to deliver their malware,” said Sanjay Kalra, co-founder and chief product officer at cloud security company Lacework in Mountain View, Calif. “They’ll usually take the path that is most likely to collide with a user’s lack of awareness.”
Avoid taking USBs from strangers — even at conferences and other work-related events, Kalra said. Security experts warned journalists who received complementary USBs at the recent Trump-Kim summit in Singapore not to plug the devices into a computer.
Avoid taking USBs, even at conferences or other work-related events. Journalists were warned about this at the recent Trump-Kim summit in Singapore.These kinds of attacks are becoming less common but can be extremely dangerous, said Neil Hughes, vice president of OWI Labs, an San Francisco-based independent advisory firm focused on trust and the data economy. “Granting physical access, whether through a CD or a USB thumb drive, is the absolute worst thing you can do,” he said.
Small businesses struggle to bounce back from attacks like these. Almost half of cyberattacks (43%) worldwide in 2015 targeted businesses with fewer than 250 workers, according to Symantec, a security firm based in Mountain View, Calif.
The average cost of such a data breach for these small businesses is more than $36,000 and can be up to $52,000 including costs like notifying customers, mandatory forensic examination, credit monitoring affected customers for up to a year, and liability for fraud charges.
It’s more common to use USB drives than CD-ROMs because fewer computers come with CD drives, said Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of automated threat management solutions.
These scams are more likely to work on older, less tech-savvy consumers and small businesses. “That form of medium was most likely very specific to the intended audience — a government agency still using legacy systems that support CDs,” he said.
Get a daily roundup of the top reads in personal finance delivered to your inbox. Subscribe to MarketWatch's free Personal Finance Daily newsletter. Sign up here.
