Criminals push malware by 'losing' USB sticks in parking lots

Summary: Here's a case of corporate espionage you've probably never heard before: infiltrating a corporation by "losing" malware-infected USB sticks in the company's parking lot. Thankfully for this multinational chemicals firm, the attempt failed miserably.

Cybercriminals recently attempted to infiltrate DSM, a multinational chemicals firm, by 'losing' malware-infected USB sticks in the company's parking lots. Thankfully for DSM, an employee who found one of the USB sticks dropped it off at the IT department, which in turn found spyware on the device, issued a warning, and collected the remaining USB devices.

Unfortunately, details on this story are scarce. For example, it's unclear which malware was used in the attack. All we know is that its purpose was to steal usernames and passwords, according to Dutch news site Limburger. DSM also blocked the IP addresses the malware communicates with and sends stolen data to.

A DSM spokesperson said the company did not report the incident to the police because it was a rather clumsy attempt at data theft. Furthermore, the corporate espionage effort did not result in any damage.

This is a failed case of curiosity killed the cat. The perpetrators were clearly hoping that employees would plug in a found USB device to see what was on it. By that point, it would already be game over.

Frankly, I think this is an ingenious way to infiltrate a company, and something tells me it's not the first time it has been attempted. From what I gather, it's simply the first time that the method was discovered and easily thwarted.

It's hard to say if the employee in question let the IT department check the USB device because he or she was being cautious, or just wasn't curious. I know I would check the device myself without hesitation, though I would probably use my own computer, not one from work. Actually, that would probably depend on the time I found it: it would make sense for the criminals to "lose" the devices in the morning as opposed to the evening. Anyway, I'll definitely think twice when finding a USB device now, and so should you.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • Good idea

    It is actually a pretty clever idea; most people would go and check the device to see what was on it, which would result in an infection.
  • You missed the most obvious reason for turning it in

    Namely, the person being a good Samaritan and turning it in for return to the owner.
    • Yes of course.

      But I would still check the USB device first :P
  • This is nothing new..

    This scenario is part of the Security+ test I took today so this is nothing to even blink at, much less some kind of sophisticated new attack to warrant the drama of the summary.
    Arthur Whitehouse
    • User education has some benefits

      Hopefully, the employee that dropped off the USB stick to IT will get an on-the-spot award, perhaps covered in the organization's newsletter, as well as a gold star (not a real gold star) placed into their personnel file for their next performance appraisal.
      Rabid Howler Monkey
    • Definitely not new, but still worthy

      An IT professional may know this, but many average people would either be good Samaritans, view it as a free USB stick and/or be curious if they could find anything juicy on it. Either way, they're likely to be plugging it in somewhere.

      This is exactly how Israel and/or the US got Stuxnet into an Iranian nuclear enrichment facility. Now think about that for a second. I'm guessing security is pretty vigilant in nuclear facilities and a fair amount of focus is placed upon awareness. And guess what, their employees still fell for it. Now, what's the likelihood of success with your average company if a nuclear facility can be breached? And yeah, I know everyone uses endpoint security, but we all know that's not foolproof.

      After all, humans are very commonly viewed as the weakest link in enterprise security. So, why spend all day trying to penetrate a company's firewall when you can have one of their employees do it for you? And for what, the cost of a handful of noname USB sticks you got for less than $50?

      And I think the type of "drama" in the summary is what the tech media needs more of. IT pros can communicate risks to their users until they're blue in the face, but nothing sells like a real-life example. In my company, people tend not to think much about infosec until something makes the news, no matter how much we preach. When a security breach of some tech that we use makes the news, I inevitably get a handful of alarmed calls asking "what do 'we' do to prevent this?"
      • the good samaritan

        The real hero and the good Samaritan in this is the company that enables AutoRun in CD/DVD-ROM devices by default in their celebrated secure OSes, while somehow (to their own surprise) the very OS might mount a USB device as a DVD/CD device, and if that is still not enough, they add some vulnerabilities to the dish (Stuxnet). Interestingly, if you partition a flash thumbdrive into multiple parts, that very OS would see/mount only one of these partitions.
        Do figure the true limitations of the Good Samaritan at Redmond!
    • They call them "road apples" here

      They got particularly serious about this sort of thing where I work, after a US military computer "in the Middle East" got infected in a similar way, so news spread pretty fast through the IT Sec community.

      After a lot of time spent in our annual training on "if it's not yours and we did not buy it for you, don't plug / put it in!", the IT Sec team decided to drop a few of these "road apples" in our buildings. The one I found was a CD dropped in the copier room with "Vacation Photos" scribbled on it. If you'd reactivated your Autorun function, or were silly enough to run the "autorun" file on the storage media, you'd get a not-so-malware program launch that would pop up a notice telling you that you'd done a bad-bad thing and that the program was automatically notifying the IT Sec team that you needed refresher training.

      Personally, I thought this was a pretty brilliant way to get the point across and provide a gentle newspaper-swat to the nose of people who don't follow policy. Unfortunately, as best as we can guess, some upper-division management blundered into this, because later the IT Sec department was forced to apologize to everyone for doing something so dastardly as actually testing to see if we followed policy.

      I remember having an IT Sec technician be pleasantly surprised when I asked to see his badge (he'd purposefully left it in his pocket) when he came around for a spot audit. I was the first person in months to even bother to find out who he was. At least most people did not give him their password or log in and leave him to work on their computer unsupervised.
  • Lucky the person thought about IT

    It's lucky the person thought about IT. In many companies they would just give it to their supervisor or manager and someone "in the chain" would decide to look at the contents rather than "bothering" the security folks.

    In fact, it's likely even someone wanting to return it might deliberately keep it from "the chain of command" to protect a fellow employee. If I find Harry lost it, I can just give it back to Harry myself--no need to make him look bad. I'm sure he'd do the same for me. Remember a while back when a senior engineer at the Department of Veterans Affairs lost a laptop containing tens of thousands of identity records. The media had a field day with it. His reaction was, "The data is heavily encrypted. Without the appropriate passwords it's useless. No big deal." But the media went on for weeks.
  • Horse

    Didn't someone do something like that with a hollow horse?
  • So how did the IT dept scan the device without plugging it in first?

    "The perpetrators were clearly hoping that employees would plug in a found USB device to see what was on it. By that point, it would already be game over."

    But isn't this exactly what the IT dept would have done, too? So how did they scan it while avoiding infection themselves?
    • IT Pros

      If they're smart, have some old laptop or PC that they keep current with AV but isn't connected to their internal company network that they use to scan these types of things with (and don't use for much else).

      It's a controlled environment, so even if it gets infected, it can't really do any damage.
      • Except that...

        If the company's AV was capable of preventing the infection then it wouldn't have mattered even if the user had plugged the drive in him/herself.
        • Testing

          But if it wasn't this is one way to find out that fact.
    • Avoiding Infection

      Off Network PC?
      No Autorun/Scan before opening?
      Offline Scanner Utility

      Many ways.
      • Yes, off network....

        is probably the best option. That way you can run it through multiple tools that you don't necessarily want to license/run on every server and user PC. Because, as most of us know, none of the endpoint products detect everything. When in doubt, make it run the gauntlet of a few of your favorite AV/security tools before you even think about trusting it.
        • Depending on the sophistication of the malware...

          Would you reinstall the PC after scanning, just in case something had slipped past all of your scanners and was now waiting to infect any other USB drive that you attached to it?

          I believe Flame/Stuxnet was able to propagate without a network by infecting USB drives. Being "off network" is no longer enough.
    • Plugging it in isn't the problem

      You have to open/run something on it, or have AutoRun for removable drives enabled. AutoRun is controlled by Group Policy, and no competent IT department would have it enabled on corporate PCs. The problem would therefore be users opening/running untrusted files/apps.

      An IT department certainly wouldn't have AutoRun enabled, and an IT technician wouldn't be naïve enough to open/run some untrusted file/app, so they would be immune to infection, but perfectly able to scan the USB device. As in most cases of malware, the weak point is the user.
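The comment above rests on AutoRun being disabled through Group Policy. As an added example (not from the article or any commenter), this PowerShell audit reads the registry values those policy settings write and reports whether AutoRun is off for removable drives and CD/DVDs in the machine and user scopes; it assumes a Windows host with PowerShell 5.1 or later and read access to HKLM.

```powershell
# Added example, not from the article or the commenters: audit the registry
# values written by the "Turn off AutoPlay" (NoDriveTypeAutoRun) and
# "Default behavior for AutoRun" (NoAutorun) Group Policy settings.
function Get-AutoRunPolicyStatus {
    $explorerPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $hives = @{ Machine = "HKLM:\$explorerPolicy"; User = "HKCU:\$explorerPolicy" }

    # NoDriveTypeAutoRun is a bit mask, one bit per drive type.
    $RemovableBit = 0x04   # DRIVE_REMOVABLE: USB sticks found in the parking lot
    $CdRomBit     = 0x20   # DRIVE_CDROM: the "Vacation Photos" CD case above
    $AllDrives    = 0xFF   # value written by "Turn off AutoPlay: All drives"

    foreach ($scope in $hives.Keys) {
        $props = Get-ItemProperty -Path $hives[$scope] -ErrorAction SilentlyContinue
        $mask      = if ($null -ne $props.NoDriveTypeAutoRun) { [int]$props.NoDriveTypeAutoRun } else { $null }
        $noAutorun = if ($null -ne $props.NoAutorun) { [int]$props.NoAutorun } else { $null }

        $removableOff = ($null -ne $mask) -and (($mask -band $RemovableBit) -ne 0)
        $cdromOff     = ($null -ne $mask) -and (($mask -band $CdRomBit) -ne 0)

        [pscustomobject]@{
            Scope               = $scope
            NoDriveTypeAutoRun  = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { '(not set)' }
            NoAutorun           = if ($null -ne $noAutorun) { $noAutorun } else { '(not set)' }
            RemovableAutoRunOff = $removableOff
            CdRomAutoRunOff     = $cdromOff
            AllDrivesOff        = ($mask -eq $AllDrives)
            AutorunInfIgnored   = ($noAutorun -eq 1)   # 1 = do not execute any autorun commands
        }
    }
}

# Run the audit and flag any scope where a dropped USB stick could still auto-launch.
$status = Get-AutoRunPolicyStatus
$status | Format-Table -AutoSize
$gaps = $status | Where-Object { -not $_.RemovableAutoRunOff -or -not $_.AutorunInfIgnored }
if ($gaps) {
    Write-Warning "AutoRun not fully disabled by policy in scope(s): $($gaps.Scope -join ', ')"
}
```

A passing audit only covers automatic launch; a user who opens a file on the stick by hand is still the weak point the comment describes.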
    • Of course I would obviously be trolling...

      if I pointed out that they could have easily scanned it from a Linux machine that allows a competent IT person to have complete control over how a drive is mounted and what code will run from one.
  • I hope i'll find lots of these USB-sticks...

    ...because there is always some use for a new Linux live-CD install. I'm looking forward especially to Linux Mint 13 KDE.

    Get the USB stick and format it with GParted, enjoy and use it. Thank God we've got Linux.