Security

Protecting Yourself from USB Malware

By April 8, 2019 No Comments

In the movies, hackers are portrayed to use high-level coding skills and custom equipment to gain unauthorized access; in real life, however, hackers mainly focus on taking advantage of people’s gullibility.

This past weekend, a woman named Yujing Zhang was arrested after she bypassed layers of security and gained access to the reception area of President Trump’s Mar-a-Lago resort. Zhang claimed she was there for a United Nations Chinese American Association event, and presented resort workers with documentation in the form of an “invitation” that was written in Chinese.

The receptionist knew this event wasn’t taking place, and shortly after, Secret Service agents stepped in to interview her. During the interview process, Zhang became “verbally aggressive,” according to the charging document. The Secret Service searched her belongings and discovered four cellphones, a laptop, a hard drive, and a USB thumb drive containing “malicious malware.” Zhang was eventually charged with making false statements to a federal law enforcement officer and entering a restricted area. This is just one instance of a possible USB malware attack that could’ve taken place if the resort workers weren’t careful.
USB malware attacks are similar to email phishing attacks and are surprisingly effective. Researchers at the University of Illinois and the University of Michigan found that if a person discards a USB stick somewhere, there’s nearly a 50% chance that someone will pick it up, plug it into a computer, and start clicking around. Researchers dropped 300 USB drives around these campuses, labeling them with return addresses, and attaching keys to make them look real. It only took six minutes for someone to get one of the drives and plug it in somewhere.

Hackers will drop USB sticks in the hopes that someone finds them, disguise their malware as commonly named files, and wait for someone to plug in the USB and click on their disguised files. “Salaries2016.doc” would be an example of a file containing malware. If this seemingly innocent document was clicked on, it would give the hacker the ability to activate the webcam on one’s computer, keep a running log of keystrokes, and much more. There are also special kinds of USB devices hackers use that trick the machine into thinking it is a keyboard. When you plug your keyboard into your computer, it is recognized right away, and your computer installs software so you can start typing immediately. Once this USB device is plugged in, it acts as a keyboard and installs whatever software the hacker has commanded it to install.

Throughout this research, many people reported back saying they were only trying to find the drive’s original owner. Nonetheless, curiosity got the best of them, and any of these people could’ve been subject to a malware attack just by plugging in a USB drive.