A number of infected USB sticks have been sent to Melbourne (Victoria) households recently, prompting a warning from local police. The (unmarked) devices contained a range of malware, including rogue media-streaming services.
Whilst this occurrence took place in Australia, leaving deliberately infected USB sticks in places for unsuspecting members of the public to access is not uncommon.
The perpetrators rely on natural curiosity for this particular infection-vector to work because once connected to a computer, the hapless user can unwittingly become infected and spread malware to others. It's relatively easy for the infected computer to show no outwards signs of being infected, making the hack even more pernicious.
Targetting households this way with USB sticks is rare, due to the cost of the devices and relative expense in distribution compared with (say) phishing emails. Where this vector of attack is employed, businesses are the usual target due to the greater potential rewards for expenditure.
The number of people willing and/or ignorant of the risks associated with inserting unknown devices onto their computers is surprisingly high as a study conducted by the University of Illinois discovered earlier this year. In their experiment, they strategically placesd 297 USB sticks around the university campus and were shocked to discover that between 45% and 98% of the sticks would have successfully infected computers (had they actually contained malware).
This lack of care with regards to USB drives extends beyond college students as evidenced in the well-publicised case involving the attack on an Iranian nuclear plant, subsequently affecting their uranium centrifuges. It is understood that (incredibly) a powerful virus known as Stuxnet was recently left on a USB stick which was then deployed within the Iranian nuclear facility.
What Does This Mean For your Business?
The message here is simple. Be very careful when considering introducing unknown devices onto your machine or network, for oviopus reasons.
What is less obvious is that even new devices, in full packaging, from high street shops may also be a security risk. Given the "number of hands" they change through from manufacturer through various distributors until they eventually reach the high street, malware can potentially be introduced at any stage.
Whilst no specific retailer is being mentioned in this context, the advice remains the same; be very careful when introducing new or unknown devices to your network and if in doubt, ask your security expert to verify it for you.