Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/10/2016
08:15 AM
100%
0%

10 Years Of Human Hacking: How ‘The USB Way’ Evolved

After a decade of clicking without consequence, users still haven't gotten the message about the dangers of rogue USB devices with malware hidden inside.

When my piece "Social Engineering the USB Way" ran in 2006, the intent was to create awareness about endpoint security and how plugging something into your computer could result in severe consequences. As a penetration tester, I hoped those who became victim to the exploit would learn a valuable lesson. Since then, my company has performed hundreds of similar tests, tempting users with USB devices in numerous ways. Needless to say, the results were always interesting.

As users started to become educated about rogue USB drives, we changed the rules by purchasing memory sticks branded with their company name and logo. Sometimes we attached them with a lanyard also printed with the corporate insignia. In some cases, we placed them on the desks of individual users, and in other instances, we physically mailed them to the individual. In all scenarios, users still plugged the devices in and ran whatever exploit we stored on the drive. 

Read how it all started when Steve Stasiukonis, in 2006, turned a socially-engineered thumb drive giveaway into a serious internal threat. The piece was one of the most popular reads in Dark Reading history.

When our ability to place devices in the hands of users became a problem we focused on different delivery methods. Rather than trying to drop them on their desks or mail them to users, we shipped bulk packages. In some cases, we sent hundreds of corporate-branded USB memory sticks to targeted departments within a company. We would often place a note in the package, instructing the recipient that these devices were approved by the information technology department and should be distributed to all employees. In almost every instance, they always complied with our request. 

One particular test was very interesting. Our client had been monitoring two packages that had been unopened for several weeks. We shipped one parcel to his West Coast operation and another to his office in the east. 

Our client’s frustration would soon be replaced by panic. I called him to get the status on the West Coast parcel when he explained that he could not find it. While scouring the building, he entered the commissary to see almost every employee wearing our poisoned USB devices and customized lanyards around their necks. Like a mad man, he started going from person to person, tearing them off. 

When I asked about the East Coast package, our client indicated the situation was worse. His East Coast counterpart was watching that package and noticed it had gone missing. They investigated the disappearance, and learned the marketing group had taken our poisoned parcel of USB devices to a well-known industry trade show as free swag for their booth. Fortunately, everything was collected before the attendees of the show were given any of the infected trinkets.

Our social engineering testing began to morph into a physiological experiment. As users clicked on our poisoned thumb drive content, we began displaying a command prompt indicating, “You should not have done that.” Within the prompt, we would also display their IP address, machine name, user name, and our signature logo of a skull-and-cross keyboards. The content displayed would also be sent to the IT department. Our goal was to see if they would call IT in hopes of admitting they had done something that could be a problem for their employer. 

Our results were surprising. We learned that users in a variety of company positions rarely ever called IT about our message. We also found they would repeat their actions. In one case, a VP at a major company clicked on our exploit multiple times to display our message, yet he never called IT!  When the opportunity prevailed, we asked users why they didn’t alert IT.  Only one answer seemed to be genuine. The user responded by saying, “As long as the machine seemed to be functioning fine, why should I bother calling IT?" 

Our user’s honest comment was frightening, but made sense. Why get a tongue-lashing by IT for not following policy if everything was OK? Clicking without consequence clearly has been learned by users.  Although with a plague of CryptoLocker malware becoming more and more prevalent, I suspect this behavior will be changing quickly. Unfortunately, the poor IT guys will be forced to deal with the burden of restoring users machines from backups, or converting dollars to Bitcoin to meets the capture demands.

Related Content:

 

 

Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
pdembry950
100%
0%
pdembry950,
User Rank: Apprentice
5/10/2016 | 12:01:14 PM
I will resist the temptation
"...how plugging something into your computer could result in severe consequences." I am not going to take the bait and make a joke about this. No not going to do it even though I have several friends who have plugged something into somewhere and have suffered severe mental and financial consequences :-)!
BertrandW414
100%
0%
BertrandW414,
User Rank: Strategist
5/10/2016 | 2:56:30 PM
Re: I will resist the temptation
... and to go down the path you started: "STD" could also stand for "Software-Transmitted Disease"! :-)
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
5/10/2016 | 4:21:55 PM
USB (flash) from the past
It's striking that this social engineering ploy still works so well, a decade later. But I guess that's true of most social engineering exploits, and that's the scariest part.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/11/2016 | 8:44:15 AM
Too afraid
Alas, behold my tale of woe.  My living quarters and office are filled with USB drives from conferences and whatnot that I'm simply too afraid to use.  :p
Forkeded48
50%
50%
Forkeded48,
User Rank: Apprentice
5/11/2016 | 4:40:00 PM
USB Way
Thanks for this very interesting article. Plugin something to your computer is always dangerous because of the numerous virus.
nouvomarketing
50%
50%
nouvomarketing,
User Rank: Apprentice
5/24/2016 | 1:23:13 PM
Old Computer Lab..
My old computer lab in college got hit with a virus. Everybody in the department had their information on usb drives. So, everybody would plug in their usb drives at least once a day. Plus, going around to countless other computers. It was just a matter of time.. The social experiment sounds fun though. Can you buy "poisoned" usb's.. :)
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-25329
PUBLISHED: 2021-03-01
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previousl...
CVE-2021-25122
PUBLISHED: 2021-03-01
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request...
CVE-2021-27225
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.