Many years ago cybercriminals used USB thumb drives to spread malware by dropping them in a public place. Once picked up and plugged into a PC, the USB installs malware or any other malicious software and attacker wants.

Now it seems as if this practice – known as a USB drop attack – has evolved according to the FBI.

Rather than dropping USB drives in random places in public, attackers are now posting infected thumb drives to potential victims. These drives are allegedly being posted by a Russian hacking group known as FIN7, and the packages are being sent through the United States Postal Service and United Parcel Service.

What makes this attack all the more concerning is that the packages appear to be from either the US Department of Health and Human Services or Amazon.

“There are two variations of packages—those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” the FBI wrote in an alert sent to the New York Post.

The packages reportedly contain LilyGO branded thumb drives which can be easily purchased online. These drives are then loaded with BadUSB malware and an attack can be executed.

This isn’t the first time FIN7 has allegedly used this tactic. As Bleeping Computer reports, similar attacks were reported in February 2020, further reports in May 2020 revealed that the group was including teddy bears in the packages with the hope of lowering the person’s guard.

While this seems to be restricted to the US for now, we recommend not plugging random USBs into your PC, even if they come delivered with a teddy bear.

[Image – CC 0 Pixabay]