Hackers Sending USBs In The Post

Cybercriminals are well versed in playing with our emotions to trick us into allowing them access to our computers. They’ll hit us with the negatives; the scaremongering, the urgency to act, and with the positives; you’re entitled to a refund, won a prize, inline for an inheritance. But the basis of their actions is only successful if we allow access to our devices.

As businesses have invested in cyber-security training for their employees to help them to spot malicious emails, the hackers have been thinking out of the box – if we are not clicking links on emails, how can they infiltrate our networks?

Enter Mally the Bear – the malicious code teddy

Reports have been coming out of the US of businesses being targeted via the good old-fashioned postal service. Hackers are sending out USBs in the post along with the usual ‘emotional’ tricks to prompt us to plug those USBs into our computers. They’ve jumped onto the pandemic bandwagon, adding notes about updated Covid-19 guidelines for businesses. And they’ve tried to seduce us with promises of free gifts and prizes.

But sending a teddy bear? This is a new level of malevolent seduction.

The bears were reportedly sent, along with the USBs, with the aim of ‘softening’ up potential victims. If someone is going to the bother of sending you a cute and cuddly teddy bear, then surely the USB must be safe?

Once these devices are plugged in, you’ve had it. The devices contain malware which immediately registers as a Human Interface Device (HID) Keyboard, allowing it to remain operational even after the drive is removed from the computer.

The message is clear – beware of what the post-person brings to you. Adopt a Zero Trust attitude. And never plug in a USB unless you have clearance from the IT dept to do so.