Cybercriminals recently attempted to infiltrate DSM, a multinational chemicals firm, by 'losing' malware-infected USB sticks in the company's parking lots. Thankfully for DSM, an employee who found one of the USB sticks dropped it off at the IT department, which in turn found spyware on the device, issued a warning, and collected the remaining USB devices.
Unfortunately, details on this story are scarce. For example, it's unclear what malware was used in the attack. All we know is that its purpose was to steal usernames and passwords, according to Dutch news site Limburger. DSM also blocked the IP addresses which the malware communicates with and sends stolen data to.
A DSM spokesperson said the company did not report the incident to the police because it was a rather clumsy attempt at data theft. Furthermore, the corporate espionage effort did not result in any damage.
This is a failed case of curiosity killed the cat. The perpetrators were clearly hoping that employees would plug in a found USB device to see what was on it. By that point, it would already be game over.
Frankly I think this is an ingenious way to infiltrate a company and something tells me it's not the first time it has been attempted. From what I gather, it's simply the first time that the method was discovered and easily thwarted.
It's hard to say if the employee in question let the IT department check the USB device because he or she was being cautious, or just wasn't curious. I know I would check the device myself without hesitation, though I would probably use my own computer, not one from work. Actually, that would probably depend on the time I found it: it would make sense for the criminals to "lose" the devices in the morning as opposed to the evening. Anyway, I'll definitely think twice when finding a USB device now, and so should you.