Hand-Delivered Hacking: Malicious USBs Left in Mailboxes

Julien Ascoet was already suspicious when he pulled the plain white envelope from his mailbox this past July. The letter had no stamp and was completely unmarked. Someone must have delivered it in person to Ascoet's home outside the French port city of Nantes.

"I opened it gingerly," the software engineer said in an online chat Thursday. "You never know what's inside. I was remembering an episode of (police procedural drama) 'NCIS' where they found a similar envelope with anthrax."

What Ascoet found was a memory stick with no note or explanation. It wasn't anthrax, but it could still be dangerous.

Memory sticks, also called thumb drives or USBs, are sometimes used to spread malicious software from computer to computer. This USB was branded, but Ascoet said the device appeared used and that he doubted there was any connection between the brand and the mysterious delivery.

Ascoet, who also works as a security researcher, eventually threw the device out -- although not before photographing it and posting the picture to Twitter .

"Never EVER plug in such present," he said by way of caption.

Stories like Ascoet's are anecdotal, but as web users get wise to rogue links and booby-trapped attachments, there are signs that cybercriminals are experimenting with hand-delivery of malware to people's homes.

On Wednesday, Australian police drew international attention when they announced that "extremely harmful" memory sticks had been left in mailboxes across the suburban town of Pakenham, about 60 kilometers (37 miles) southeast of Melbourne. Pakenham Police Sgt. Guy Matheson said in a telephone interview Thursday that the unmarked thumb drives started showing up several days ago.

Disguised as offers for Netflix or a similar service, Matheson said rogue programs lurking on the drives instead held victims' computers hostage, demanding a hefty payment in the electronic currency Bitcoin as ransom.

Matheson said two or three...

Comments are closed.