A malicious USB device and an accompanying letter were sent out in the guise of a Best Buy gift card. The letter thanked recipients for being customers, and the USB device supposedly held gifts they could choose from, up to $50.00. Instead, according to security researchers at Trustwave, the USB contained PowerShell code that installed malicious JavaScript.

This is reminiscent of how phishing and some of the first ransomware attacks began: with physical mail. People would receive CD-ROMs or floppy disks in the mail claiming to have some valuable information or program on them. As soon as they inserted the disk into their computer, the malware that was actually on it would execute, just as with this USB. This is a healthy reminder that phishing is not limited to email and that users certainly can't trust the devices that are out there. That's why the whole concept of zero trust first came to light. It's important for organizations to continue cyber security awareness training while also implementing policies (such as restricting use of external media) and solutions (such as OS isolation platforms) that can prevent even accidental end user errors from causing significant damage.