A cybercrime group has been mailing out USB thumb drives in the hope that recipients will plug them into their PCs and install ransomware on their networks, according to the FBI.
The USB drives contain so-called ‘BadUSB’ attacks. They were sent in the mail through the United States Postal Service and United Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.
BadUSB exploits the USB standard’s versatility and allows an attacker to reprogram a USB drive to, for example, emulate a keyboard to create keystrokes and commands on a computer, install malware prior to the operating system booting, or spoof a network card and redirect traffic.
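A device announces the roles it will play in the interface descriptors it sends at enumeration, so a defender can compare those roles with what a storage stick should offer. The following is an added example, not part of the original article: it walks a raw USB configuration descriptor and reports any announced role outside an allowlist. The function names, the allowlist and the two sample descriptors are constructed for illustration.

```python
import struct

# USB-IF base class codes, read from bInterfaceClass.
HID, MASS_STORAGE, CDC_CONTROL, CDC_DATA = 0x03, 0x08, 0x02, 0x0A

def interfaces(config: bytes):
    """Walk a raw configuration descriptor; return (class, subclass, protocol) per interface."""
    found, offset = [], 0
    while offset < len(config):
        if offset + 2 > len(config):
            raise ValueError("truncated descriptor header")
        length, dtype = config[offset], config[offset + 1]
        if length < 2 or offset + length > len(config):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == 0x04:  # interface descriptor
            if length < 9:
                raise ValueError("short interface descriptor")
            found.append(tuple(config[offset + 5:offset + 8]))
        offset += length
    return found

def unexpected_roles(config: bytes, allowed=frozenset({"storage"})):
    """Name every role the device announces beyond what the allowlist expects."""
    roles = set()
    for cls, sub, proto in interfaces(config):
        if cls == HID:
            # Subclass 1 / protocol 1 is a boot keyboard; other HID may still type.
            roles.add("hid-keyboard" if (sub, proto) == (1, 1) else "hid-other")
        elif cls == MASS_STORAGE:
            roles.add("storage")
        elif cls in (CDC_CONTROL, CDC_DATA):
            roles.add("cdc-serial-or-network")
        else:
            roles.add(f"class-0x{cls:02x}")
    return sorted(roles - allowed)

# --- Constructed sample descriptors (not captured from any real device) ---
def _iface(num, cls, sub, proto, n_ep):
    return bytes([9, 0x04, num, 0, n_ep, cls, sub, proto, 0])

def _ep(addr, attrs):
    return bytes([7, 0x05, addr, attrs]) + struct.pack("<HB", 64, 0)

def _config(body, n_if):
    return bytes([9, 0x02]) + struct.pack("<H", 9 + len(body)) + bytes([n_if, 1, 0, 0x80, 50]) + body

_STORAGE = _iface(0, MASS_STORAGE, 0x06, 0x50, 2) + _ep(0x81, 2) + _ep(0x02, 2)
_HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0])
PLAIN_STICK = _config(_STORAGE, 1)
STICK_WITH_KEYBOARD = _config(_STORAGE + _iface(1, HID, 1, 1, 1) + _HID_DESC + _ep(0x83, 3), 2)

if __name__ == "__main__":
    for name in ("PLAIN_STICK", "STICK_WITH_KEYBOARD"):
        print(name, unexpected_roles(globals()[name]))
```

The check only sees what a device declares in the descriptor it is given; a device that announces nothing but a HID interface is caught by the allowlist, not by the storage-plus-keyboard combination.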
While BadUSB attacks aren’t common, cyber criminals in 2020 mailed BadUSB drives to targets with a message claiming to be from BestBuy that urged recipients to insert a malicious USB thumb drive into a computer in order to view products that could