It seems as though hackers never sleep, as they are always devising new ways to sneak into systems and target businesses. One of the more recent attacks is the Thumb Drive Scam, and it was a successful one for many criminals. The FBI issued a warning about it early in 2022. This scam is a bit more unusual – instead of the hackers infecting hardware, software, or a network from a remote location, this time they sent out gifts.

Have You Received a Suspicious Package?

According to the FBI, the well-known cybercrime group FIN7 has been sending out seemingly innocuous gifts to US companies since 2021. The gift package is cleverly disguised, too – it appears to be sent from Amazon or the U.S. Department of Health & Human Services, delivered either by UPS or the USPS. Inside, there are LilyGO USB flash drives and letters with COVID-19 guidelines or Amazon online gift cards. If you have received something like this, do not put the flash drive into your computer and do not attempt to redeem the gift card.

These flash drives contain malware, and plugging one in triggers a BadUSB attack: the drive masquerades as a keyboard device. The attack spreads REvil and BlackMatter ransomware to computers. If you’re not familiar with ransomware, it is malware that threatens to steal data, block access to it, or publish personal data unless the firm pays a ransom. Some variants only lock up systems, but others do that and damage files as well. It is basically a form of blackmail.

Why Does the Thumb Drive Scam Work?

The hackers have already penetrated segments of the defense and transportation industries, but like other cyber criminals, this group surely has other targets. The Thumb Drive Scam worked because everyone likes to accept gifts, and the ones that seemed to be from Amazon also had fake gift cards and thank-you notes. Those who received them were probably excited to see what was on the thumb drives, and inserted them into their computers without thinking twice.

The packages that appeared to be from the U.S. Dept. of Health & Human Services employed a different tactic; they played up the recipient’s fears of COVID-19. The thumb drive and enclosed message seemed legit, so employees felt they should access the information to protect themselves. Arctic Wolf compares these two scams to “the Trojan horse entering the walled city.”

Who is to Blame for These Security Breaches?

You might be quick to blame all the employees who opened up these packages, but besides the hackers, the real fault lies with employers. Workers have to be trained in cybersecurity best practices, including how to recognize threats. And since people quickly forget things that they learn, it is best to have meetings or training at least once a month; this is the time to alert them to the latest scams and developments. Keeping them engaged in this way will show that the organization prioritizes cybersecurity, and will help them remember what is so important.

Teaching workers to always be skeptical about every email, link, text, phone call, and package they receive is a key aspect of this kind of training. They can be taught to question all of these messages, even if they are familiar with the sender (or who they think the sender is).

Hackers know how to disguise their contact information and can easily trick unsuspecting employees. Beyond the Breach shares a video about the Thumb Drive Scam, and this and similar ones can be shared with all of your staff when alerts are sent out.

Need more help getting your staff ready to avoid this sort of problem? TAG Solutions provides complete IT management services, including employee training and threat detection and resolution. Call us or submit our online form today to learn more about how we can help you protect your company from hackers.