Social engineering scam combines digital and physical methods of attack

News by Chandu Gopalakrishnan

Paper letters with printed socially-engineered messages use gift cards as lure to encourage victims to use malware-laced USBs

Cyber-criminals have always used free shopping as a successful lure. In an instance of phishing reverting to physical, an actual paper letter with a printed socially-engineered message along with a free USB drive and a gift card has been doing the rounds, reports SpiderLabs at Trustwave.

“This letter was supposedly from Best Buy giving out a US$ 50 (£40) gift card to its loyal customers. Included in this letter is a USB drive that claims to contain a list of items to spend on,” wrote researchers Alejandro Baca and Rodel Mendrez.

“One of our digital forensics and incident response retainer clients brought this device to our attention. One of their business associates received this suspicious letter. The note says the gift card is thanks for being a great Best Buy customer and that the USB drive contains a list of products that can be purchased with the card.”

As expected, the USB had malware and the gift card was blank.

The USB drive hosted an Arduino microcontroller, which was programmed to emulate a USB keyboard. This method exploits the fact that most security software, by default, allows a USB keyboard to connect. Once connected, the device injects a payload that downloads additional code.
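The default-allow gap described above can be narrowed by checking every newly attached keyboard against an approved list. The following is an added example, not code from Trustwave's report or from this article: it assumes Linux kernel log lines in the `hid-generic` format, a hypothetical allowlist of vendor/product IDs, and constructed sample log lines.

```python
import re

# Kernel message written when a USB HID interface binds to hid-generic, e.g.
# "hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Name] on usb-..."
HID_LINE = re.compile(
    r"hid-generic \w{4}:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w{4}: "
    r".*?USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# Assumption: the organisation's approved keyboard models (hypothetical allowlist).
APPROVED_KEYBOARDS = {("046d", "c31c")}


def unapproved_keyboards(log_lines, approved=APPROVED_KEYBOARDS):
    """Return one finding per keyboard-class HID interface not on the allowlist."""
    findings = []
    for line in log_lines:
        m = HID_LINE.search(line)
        if not m or m["kind"] != "Keyboard":
            continue  # not a HID bind message, or not a keyboard interface
        ident = (m["vid"].lower(), m["pid"].lower())
        if ident not in approved:
            findings.append(
                {"vid": ident[0], "pid": ident[1], "name": m["name"], "port": m["port"]}
            )
    return findings


# Constructed sample log lines (not taken from the incident described in the article).
SAMPLE_LOG = [
    "[  101.1] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 "
    "Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0",
    "[  350.7] hid-generic 0003:046D:C077.0002: input,hidraw1: USB HID v1.11 "
    "Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-3/input0",
    "[ 9120.4] hid-generic 0003:2341:8037.0003: input,hidraw2: USB HID v1.01 "
    "Keyboard [Arduino LLC Arduino Micro] on usb-0000:00:14.0-2/input2",
]

if __name__ == "__main__":
    for f in unapproved_keyboards(SAMPLE_LOG):
        print(f"ALERT unapproved keyboard {f['vid']}:{f['pid']} [{f['name']}] on {f['port']}")
```

A device can report any vendor and product ID it likes, so a check like this raises the bar and produces an alert trail; it does not replace USB port control on sensitive hosts.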

This attack cannot be treated as a form of phishing, said Ziv Mador, VP - security research, SpiderLabs at Trustwave.

“We do not consider this attack as phishing because it doesn’t attempt to capture credentials or other details from the user. In this attack, users who plugged in the USB dongle got infected with malware without relying on any further human interaction. It is a malware infection method that relies on social engineering,” Mador told SC Media UK.

“Based on information from multiple sources which we received after posting this blog (about the attack), we tend to believe that the attack was carried out by the FIN7 APT, which is known to attack many companies in the past using various techniques.”

This attack method has not been in use for some time, but several companies recently became targets of similar attacks, Mador said. However, he declined to share details about the companies or their sectors.

A similar lure used to work in the form of coupons. Global e-commerce coupon marketplace Shopper.com’s latest security audit revealed an interesting loophole. 

“The registered users of our service are allowed to access the application process interface (API) to upload and download details regarding live coupons. Our audit found that such data could be used by aggregators to promote their own services. Even worse, malicious actors could use this data to lure free-deal-searching shoppers to their sites,” shopper.com founder Manoj Krishnapillai told SC Media UK.

“We have put tighter norms for access in place since this discovery,” he added.

E-commerce transactions have skyrocketed since Covid-related lockdown put everyone online all day, every day. Cyber-criminals are making the most of this situation as more and more users share valuable data about their finances, activities and whereabouts online, SC Media UK reported.

How coupons are sent to customers can be an important factor in coupon fraud cases, said a Trend Micro investigation about the situation, published earlier. 

“Social media in particular is being used more for delivering great deals and acting as a marketplace for potential transactions. Cyber-criminals have identified this tactic and are devising their own legitimate looking coupons or discounts to scam social media users,” it said.

The tactic of using lures (gift coupons in this latest instance) to get victims to use USBs has been in use for years, both by threat actors and by security experts emulating similar attacks, noted Martin Jartelius, CSO at Outpost24.

“We use it as one of the alternatives for companies measuring security by red team assessments. The risks have been around for years; back in the days of Windows XP, drives would emulate a CD drive and execute automatically upon insertion, and the U3 devices provided by some vendors were lovingly referred to as USB Switchblades,” he said.

Cheap hardware makes it cost-efficient. Users don’t have to actually open a document to be affected. Once plugged in, the malware takes them by surprise.

“They could just as well have come built into USB fans, USB lights or USB Easter bunnies – anything you plug into a USB port can assume the role of any device,” Jartelius added.
