Finance glossary

What is USB Phishing?

Bristol James

USB phishing involves attackers using physical USB devices to deliver malware, steal sensitive information or obtain unauthorised access to computer systems.

The practice is also referred to as a USB drop attack or USB baiting.

How does a USB attack work?

Cybercriminals leave malicious USB drives in public places or may send them directly to the intended victim.

These drives may look harmless, but once inserted, they install malware or lead users to phishing websites that request sensitive information like passwords or financial details.

Some USB devices also employ HID (Human Interface Device) spoofing – a sophisticated attack where the device presents itself to the computer as a keyboard or mouse and sends commands without the victim’s consent.

Invariably, these commands instruct the infected computer to disable its cybersecurity defences or enable remote access.
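One way a defender can spot a spoofed keyboard is timing: a device injecting commands types far faster than any person can. The following script is an added example, not code from the original article; it assumes a hypothetical keystroke sensor that records (timestamp, key) pairs, and the sample events are constructed for illustration.

```python
"""Flag keystroke bursts too fast for a human typist (HID-injection heuristic).

Added example with constructed data. The sensor format (timestamp in
seconds, key name) is an assumption, not the output of any real product.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

KeyEvent = Tuple[float, str]

# Constructed sample: a person typing "hello" at roughly 150-190 ms per key,
# then a burst of 12 keys arriving 2 ms apart, as a keystroke-injecting
# device would produce.
SAMPLE_EVENTS: List[KeyEvent] = [
    (0.000, "h"), (0.180, "e"), (0.330, "l"), (0.500, "l"), (0.690, "o"),
] + [(round(5.0 + i * 0.002, 3), k) for i, k in enumerate("abcdefghijkl")]


@dataclass
class Burst:
    start: float        # timestamp of the first key in the burst
    end: float          # timestamp of the last key
    keys: int           # number of keys in the burst
    mean_gap_ms: float  # average interval between consecutive keys


def find_injection_bursts(events: Sequence[KeyEvent], max_gap_s: float = 0.03,
                          min_keys: int = 8) -> List[Burst]:
    """Return runs of at least min_keys keys where every inter-key gap is
    <= max_gap_s.  Sustained gaps under ~30 ms are implausible for a human
    but typical of HID emulators, so such runs merit an alert.
    """
    bursts: List[Burst] = []
    run: List[KeyEvent] = []

    def flush() -> None:
        if len(run) >= min_keys:
            start, end = run[0][0], run[-1][0]
            gaps = max(len(run) - 1, 1)  # avoid division by zero for min_keys=1
            bursts.append(Burst(start, end, len(run),
                                round((end - start) / gaps * 1000, 2)))

    for event in sorted(events):  # sort by timestamp; tolerates unordered input
        if run and event[0] - run[-1][0] <= max_gap_s:
            run.append(event)
        else:
            flush()
            run = [event]
    flush()
    return bursts


if __name__ == "__main__":
    for b in find_injection_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {b.keys} keys in {b.end - b.start:.3f}s "
              f"({b.mean_gap_ms} ms/key) starting at t={b.start}")
```

The thresholds (30 ms, 8 keys) are starting points; tune them against real typing data from your own fleet, since some fast typists and key-repeat events will produce short gaps, and alert on the burst rather than blocking, so a false positive costs an analyst a look instead of a user their keyboard.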

Once a victim opens what appears to be innocent files or applications, they activate malware that may:

  • Steal sensitive data such as login credentials or corporate information.
  • Install ransomware to lock the system and demand payment for its release.
  • Provide remote access to the attacker and allow them to control the device or network.

Why are USB attacks still effective?

The idea that USB drives would be used to infiltrate systems now seems outdated and is reminiscent of cyberattacks in the early 2000s.

This perception may have been created by the Stuxnet attack in 2010, which many see as a historical (and not contemporary) threat.

What’s more, some people are surprised that USB sticks are still relevant in the era of cloud computing and other wireless technology.

So why do these attacks still pose a security threat?

USB phishing exploits natural human behaviour, which is difficult for even the most advanced cybersecurity systems to counter.

The role of curiosity in USB phishing

People tend to be curious by nature and will insert a USB drive to explore its contents. Attackers understand this, and will even name files to pique the interest of victims.

Something else criminals understand is social engineering, which is a practice that takes advantage of human behavioural tendencies.

In the context of USB phishing, attackers exploit these tendencies to manipulate, influence and deceive victims into divulging sensitive information or relinquishing control of their systems.

The importance of curiosity was demonstrated in a 2016 experiment where 300 USB drives were left in random places at the University of Illinois.

Around 98% of the drives were picked up by students and staff and 45% of individuals opened one or more files. Curiosity was one of the main drivers, but researchers posited that individuals were also motivated by altruism and wanted to return the drives to their owners.

Increasing sophistication

As we touched on earlier, the sophistication of USB attacks has also increased.

The SOGU attack of 2023 is one such example, with USB devices preloaded with malware distributed to companies in key industries such as pharmaceuticals, IT and energy.

Such was its significance that cybersecurity firm Mandiant called it “one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals”.

The SOGU attack was also part of a broader resurgence of USB phishing in 2023. The trend was particularly detrimental for multinationals that operate in Africa where the use of USB drives is still widespread.

How can USB phishing be prevented?

USB phishing can never be prevented entirely for the reasons already mentioned, and while curiosity and altruism should never be discouraged, individuals need to exercise caution around USB devices.

Here are some measures organisations can take to stop USB phishing in its tracks.

Security awareness and simulations

Employee education on the dangers of inserting unknown USB devices into computers is essential, especially in industries that handle sensitive data like finance. Security awareness should also involve the development of a strict policy on USB device usage.

Simulated attacks that include “USB drops” can test employee awareness and strengthen their ability to identify threats. Simulations also identify the users most likely to explore an unknown device and help the company understand where its vulnerabilities lie.

Endpoint security software

Endpoint protection software blocks malicious files that execute when a USB drive is inserted.

Software solutions are able to identify malware, trojans and hidden executable files that often form part of a USB attack. If the software identifies suspicious behaviour, it will either block the activity or alert security teams for further action.

One noteworthy feature of endpoint protection software is its device control capabilities. These allow administrators to specify which USB devices are permitted to connect to the network.

For instance, admins can specify that only encrypted, company-issued USB drives can access particular systems.

Software can also produce detailed logs of all USB activity, which helps businesses audit and track USB usage as well as identify any unauthorised devices.
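The device-control and logging capabilities described above come together in an audit: compare every logged USB connection against the list of company-issued drives and flag the rest. The script below is an added example, not code from the article or from any endpoint product; the log format, the vendor/product identifiers and the allowlist entries are all constructed placeholders.

```python
"""Audit a USB-connection log against an allowlist of company-issued drives.

Added example with constructed data. The key=value log format and the
device identifiers are assumptions, not the output of any real product.
"""
from typing import Dict, List, Set, Tuple

# Allowlist of company-issued encrypted drives keyed by (vendor id, product id,
# serial number). Values are constructed placeholders.
ALLOWED_DEVICES: Set[Tuple[str, str, str]] = {
    ("ab12", "0001", "CORP-ENC-0001"),
    ("ab12", "0001", "CORP-ENC-0002"),
}

# Constructed sample log: one line per device event, timestamp then key=value fields.
SAMPLE_LOG = """\
2024-05-02T09:14:07Z host=WS-17 user=jdoe action=connect vid=ab12 pid=0001 serial=CORP-ENC-0001 class=mass_storage
2024-05-02T09:20:41Z host=WS-17 user=jdoe action=connect vid=ab12 pid=0001 serial=UNKNOWN-7 class=mass_storage
2024-05-02T10:02:13Z host=WS-03 user=asmith action=connect vid=cd34 pid=9f9f serial= class=hid
2024-05-02T10:05:55Z host=WS-03 user=asmith action=connect vid=ab12 pid=0001 serial=CORP-ENC-0002 class=mass_storage
2024-05-02T10:07:00Z malformed line without fields
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value ...' into a dict; returns {} for malformed lines."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return {}
    fields = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return {}
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def audit_usb_log(log: str) -> List[Dict[str, str]]:
    """Return one finding per connection that is not on the allowlist.

    Reasons:
      - 'unregistered_serial': a company vid/pid but a serial that was never issued
        (a look-alike or cloned drive)
      - 'unauthorised_device': any other device, including unknown HID devices,
        which is what a keystroke-injecting stick looks like to the host
    """
    findings: List[Dict[str, str]] = []
    company_models = {(vid, pid) for vid, pid, _ in ALLOWED_DEVICES}
    for raw in log.splitlines():
        rec = parse_line(raw)
        if not rec or rec.get("action") != "connect":
            continue  # skip malformed lines and non-connect events
        ident = (rec.get("vid", ""), rec.get("pid", ""), rec.get("serial", ""))
        if ident in ALLOWED_DEVICES:
            continue
        reason = "unregistered_serial" if ident[:2] in company_models else "unauthorised_device"
        findings.append({
            "ts": rec["ts"],
            "host": rec.get("host", "?"),
            "user": rec.get("user", "?"),
            "device": ":".join(ident),
            "class": rec.get("class", "?"),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit_usb_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['user']} {f['device']} ({f['class']}): {f['reason']}")
```

Matching on the serial number, not just vendor and product IDs, is what makes the allowlist worth having: a drive that reports the same model as the company standard but an unissued serial is exactly the case an attacker who has studied the target's hardware would produce, and it is reported here separately so it can be prioritised.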

USB encryption

Encryption of USB devices is a critical measure for preventing unauthorised access to data if a USB device is lost or stolen.

These drives come with built-in encryption software or hardware that encrypts data as it is saved to the device. Even if a criminal has possession of a USB drive, the data remains inaccessible without the correct credentials.

Most modern encrypted USB drives use AES-256 encryption – a near-impenetrable standard that is widely used across industries for data security.

However, encrypted USB devices (and associated software) can be expensive compared to standard devices.

Disable the AutoRun feature

AutoRun is a feature in some operating systems that automatically executes certain programs when external media (such as USB drives) are connected. The feature may also show the contents of a USB device on start-up, which further increases the likelihood of system compromise.

Attackers exploit this feature by embedding malware or malicious scripts on USB drives that run automatically. Here, the best course of action is to disable AutoRun. If this is not feasible, reinforce measures that promote USB security hygiene among employees.
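On Windows, AutoRun is governed by two policy values under the Explorer policies key: NoDriveTypeAutoRun, a bitmask in which each set bit disables AutoRun for one drive type (0xFF disables it for all of them), and NoAutorun, which when set to 1 stops autorun.inf from being honoured. The script below is an added example, not code from the article; the evaluation logic runs anywhere on constructed values, while the registry reader is an assumption about how an auditor would collect the live values and only works on Windows.

```python
"""Audit the Windows AutoRun policy values the text recommends disabling.

Added example. The registry path, value names and bit meanings are the
documented Windows policy values; the reader helper is Windows-only.
"""
import sys
from typing import Dict, List, Optional

POLICY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Bits of NoDriveTypeAutoRun: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "cdrom", 0x40: "ramdisk", 0x80: "unrecognised",
}
REMOVABLE_BIT = 0x04
DISABLE_ALL = 0xFF
WINDOWS_DEFAULT = 0x91  # default mask: only unknown, network and unrecognised disabled


def assess_autorun_policy(values: Dict[str, Optional[int]]) -> Dict[str, object]:
    """Given {'NoDriveTypeAutoRun': int|None, 'NoAutorun': int|None}, report
    which drive types may still AutoRun and whether removable media is covered.
    A missing NoDriveTypeAutoRun means the OS default applies."""
    mask = values.get("NoDriveTypeAutoRun")
    if mask is None:
        mask = WINDOWS_DEFAULT
    still_allowed: List[str] = [name for bit, name in DRIVE_TYPE_BITS.items()
                                if not mask & bit]
    removable_blocked = bool(mask & REMOVABLE_BIT)
    return {
        "mask": mask,
        "still_allowed": still_allowed,
        "removable_blocked": removable_blocked,   # the minimum for USB drives
        "fully_disabled": mask == DISABLE_ALL and values.get("NoAutorun") == 1,
        "compliant": removable_blocked,
    }


def read_policy_from_registry(hive_name: str = "HKLM") -> Dict[str, Optional[int]]:
    """Read the two values from the live registry (Windows only; assumption
    about how an auditor collects them). Missing values are returned as None."""
    if sys.platform != "win32":
        raise RuntimeError("registry audit only runs on Windows")
    import winreg  # standard library, Windows only
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    out: Dict[str, Optional[int]] = {}
    for name in ("NoDriveTypeAutoRun", "NoAutorun"):
        try:
            with winreg.OpenKey(hive, POLICY_PATH) as key:
                out[name] = int(winreg.QueryValueEx(key, name)[0])
        except OSError:
            out[name] = None
    return out


if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_policy_from_registry()
    else:
        # Constructed values for demonstration off Windows: the OS default.
        values = {"NoDriveTypeAutoRun": None, "NoAutorun": None}
    report = assess_autorun_policy(values)
    print(f"mask=0x{report['mask']:02x} still allowed: {report['still_allowed']}")
    print("compliant" if report["compliant"] else "NOT compliant: removable media may AutoRun")
```

Check both HKLM and HKCU: a per-user setting can loosen what the machine policy intends, and a hardened fleet is one where the removable bit is set everywhere, not just on the image that was audited once.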

Summary:

  • USB phishing is a type of cyberattack where fraudsters use malicious USB devices to trick victims into either executing harmful software or visiting phishing websites to steal sensitive data.
  • While many perceive USB devices to be outdated tech, USB phishing attacks remain effective and their sophistication is increasing. Attackers take advantage of natural human curiosity and have recently concentrated their efforts in areas where USB usage is widespread.
  • USB phishing preys on human error and can never be eliminated entirely. However, attacks can be reduced with rather simple measures such as endpoint security software, USB encryption and disablement of an operating system’s AutoRun feature.
