FBI Warning: Scammers Mailing USB Drives to Unsuspecting Victims
Traditional advice regarding scams has been to watch for suspicious emails, texts, websites, and other threats that arrive via electronic means. Computers, tablets, and phones have been the primary gateways that hackers use to gain access to sensitive information and financial data.
New techniques are regularly developed by scammers, including the strategic placement of infected USB drives near their targets in the hopes that an unsuspecting user will attempt to use the drive on a company computer.
Recently, the FBI sent out an alert that an Eastern European cybercriminal group by the name of FIN7 has begun using a new strategy. Instead of relying on luck or chance for a target to grab a thumb drive off the ground, a waiting room chair, or some other strategically picked location, they’re sending drives directly to their marks in the mail.
Reports of these drives arriving began in August of 2021. The FBI has identified some consistent patterns regarding the packages intended to scam businesses.
First, the packages arrived via the US Postal Service and United Parcel Service. Second, the drives are of the LilyGO brand. Third, the packages claim to be from either the US Department of Health and Human Services (HHS) or Amazon.
In the case of HHS marked packages, the contents include COVID-19 guidelines along with the thumb drive. For Amazon-marked packages, the contents are a “thank you” letter, a fake gift card, and the thumb drive containing malicious code.
The BadUSB Attack
The USB drives let the hackers take over computers by using what’s known as a BadUSB attack. As soon as the drive is plugged into a computer, it presents itself to the operating system as a keyboard and begins typing a preconfigured sequence of keystrokes that runs PowerShell commands.
Those commands download malware that gives the hackers complete access to the target’s computer systems. The attack is effectively instantaneous: the keystrokes fire and the malware lands on the hard drive within moments of the drive being plugged in, with no file on the drive ever having to be opened.
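Because a BadUSB device enumerates as a keyboard rather than as storage, the defensive signal is in the USB interface descriptors and in the keystroke timing, not in any file on the drive. The following Python is an added example (not code from the article or from the FBI alert) showing two checks a workstation agent could run: flag a device that exposes both a mass-storage and a keyboard interface, or a keyboard whose vendor/product ID is not on an approved list, and flag a burst of keystrokes faster than a human can type. The device records, the approved-keyboard list and the keystroke timestamps are all constructed sample data; the interface class codes are the standard USB-IF values.

```python
"""Detect BadUSB-style devices from USB interface descriptors and keystroke timing.

All device records and timestamps below are constructed sample data for the demo.
"""
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

# Standard USB-IF interface class codes
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
# HID boot-interface subclass/protocol pair that identifies a keyboard
HID_SUBCLASS_BOOT = 0x01
HID_PROTOCOL_KEYBOARD = 0x01


@dataclass(frozen=True)
class Interface:
    cls: int        # bInterfaceClass
    subclass: int   # bInterfaceSubClass
    protocol: int   # bInterfaceProtocol


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: Tuple[Interface, ...]


def is_keyboard(iface: Interface) -> bool:
    """True when the interface is a HID boot keyboard."""
    return (iface.cls == USB_CLASS_HID
            and iface.subclass == HID_SUBCLASS_BOOT
            and iface.protocol == HID_PROTOCOL_KEYBOARD)


def review_device(dev: UsbDevice, approved_keyboards: Set[Tuple[int, int]]) -> List[str]:
    """Return findings for one enumerated device.

    approved_keyboards holds the (vid, pid) pairs the organisation allows as keyboards.
    """
    findings: List[str] = []
    keyboard_ifaces = [i for i in dev.interfaces if is_keyboard(i)]
    storage_ifaces = [i for i in dev.interfaces if i.cls == USB_CLASS_MASS_STORAGE]
    if keyboard_ifaces and storage_ifaces:
        findings.append(f"{dev.product}: exposes both storage and keyboard interfaces (BadUSB pattern)")
    if keyboard_ifaces and (dev.vid, dev.pid) not in approved_keyboards:
        findings.append(f"{dev.product}: unapproved keyboard VID:PID {dev.vid:04x}:{dev.pid:04x}")
    return findings


def peak_keystrokes(timestamps_ms: Sequence[int], window_ms: int = 1000) -> Tuple[int, int]:
    """Return (count, window_start_ms) for the busiest window of window_ms.

    Sliding window over the sorted timestamps. Scripted injection emits dozens of
    keystrokes per second, far beyond a human typist.
    """
    ts = sorted(timestamps_ms)
    best = (0, 0)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_ms:
            start += 1
        count = end - start + 1
        if count > best[0]:
            best = (count, ts[start])
    return best


def burst_findings(timestamps_ms: Sequence[int], window_ms: int = 1000, max_keys: int = 20) -> List[str]:
    """Flag a keystroke burst exceeding max_keys within any window_ms span."""
    count, start = peak_keystrokes(timestamps_ms, window_ms)
    if count > max_keys:
        return [f"{count} keystrokes within {window_ms} ms starting at t={start} ms"]
    return []


# Constructed sample data: hypothetical VID/PID values, not real vendors.
APPROVED_KEYBOARDS: Set[Tuple[int, int]] = {(0x1111, 0x0001)}
SAMPLE_DEVICES = (
    UsbDevice(0x1111, 0x0001, "Corporate keyboard", (Interface(0x03, 0x01, 0x01),)),
    # Mass storage: SCSI transparent command set (0x06), bulk-only transport (0x50)
    UsbDevice(0x2222, 0x0002, "Plain flash drive", (Interface(0x08, 0x06, 0x50),)),
    UsbDevice(0x3333, 0x0003, "Mailed 'gift' drive",
              (Interface(0x08, 0x06, 0x50), Interface(0x03, 0x01, 0x01))),
)
HUMAN_TYPING_MS = tuple(range(0, 20 * 120, 120))  # 20 keys, 120 ms apart
INJECTED_MS = tuple(range(0, 60 * 5, 5))          # 60 keys, 5 ms apart


def audit(devices: Sequence[UsbDevice], approved: Set[Tuple[int, int]]) -> List[str]:
    """Run review_device over every enumerated device and collect the findings."""
    return [f for dev in devices for f in review_device(dev, approved)]


if __name__ == "__main__":
    for line in audit(SAMPLE_DEVICES, APPROVED_KEYBOARDS) + burst_findings(INJECTED_MS):
        print("ALERT:", line)
```

Only the mailed drive trips the device check, and only the injected sequence trips the timing check; a real agent would feed `review_device` from the OS device-enumeration events and `burst_findings` from raw input timestamps, and could block or prompt before the first injected keystroke reaches a shell.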
The FBI told The Record that “[The] FIN7 actors then used a variety of tools — including Metasploit, Cobalt Strike, PowerShell scripts, Carbanak, GRIFFON, DICELOADER, [and] TIRION — and deployed ransomware, including BlackMatter and REvil, on the compromised network.”
The Bad Actors in Question
Regarding the specific hackers the FBI has identified, FIN7 has been accused by the US Justice Department of widespread credit card theft from American restaurants and hospitality businesses, as well as the theft of billions of dollars from companies around the world.
Even with some members of FIN7 being caught and prosecuted, the group is still widely successful with its attacks, boasts a large membership, and is highly organized.
In fact, this round of mailed USB drive scams is not the first for FIN7. The FBI reports that the group tried the same tactic in February of 2020, targeting a hospitality company with fake Best Buy gift cards and thumb drives.
The group also targeted a US defense industry company in November of 2021 using the Amazon-themed package.
This is not to say that there haven’t been successes in catching up to FIN7 members. In April of 2021, one of three Ukrainian men accused of being high-ranking members of the FIN7 group was sentenced to 10 years in prison by a US judge.
In a strange twist, the FIN7 hacker group apparently operated a front company that purported to offer cyber security services.
In reality, the group reportedly used this front to recruit new members. The new members are highly trained, and the group employs tactics such as calling recipients of their packages or emails to see if they’ve gone through the right steps that ultimately give the hackers access.
Though the attacks are sophisticated, and sending packages through the mail lends them an air of legitimacy that spoofed emails lack, the tactic also hands law enforcement an advantage.
Physical mail provides more opportunities for physical evidence. The FBI and other law enforcement agencies are urging recipients of such packages to preserve them as carefully as possible. They may contain clues such as fingerprints that can lead authorities to capture these criminals.
Traditionally, hackers rely on digital means to gain access to their targets’ data.
Phishing emails, links to malware-ridden websites, and even social hacking methods such as pretending to be a coworker or vendor through texts, phone calls, social media, and BEC (business email compromise) attacks can be difficult to trace without the right tools.
By using physical means to carry out scam attempts, hackers are exposing themselves to means of tracing they may not be adept at thwarting.
Unfortunately, images of the specific packages being received can’t be shared. However, companies based in the US can find the FBI alert at the InfraGard Portal. InfraGard is a partnership between the FBI and the private sector which is intended to spread education about emerging hacking threats.
While employees may think that cybersecurity is the job of IT support and cyber security experts, it’s up to everyone in a company to be on guard in the face of hacking attempts. The more educated everyone in a business is about where scammers can infiltrate, the fewer successful hacks that can occur.
The other important thing to remember is that just because groups like FIN7 try new techniques, this does not mean they will abandon older methods.
FIN7’s previous methods, the ones that netted them billions of stolen dollars, are still highly effective. Their most successful method, as outlined by the FBI, involves four steps:
1. Identifying Targets
The reason FIN7 aimed its efforts at the hospitality and restaurant industries is that these businesses have a high frequency of point-of-sale transactions. This frequency gives the hackers a lot of data regarding routine communication methods.
2. Social Engineering
Once the hackers understand who’s in charge of specific operations at a company, they begin sending spear-phishing emails. These emails are meant to look like they’re coming from an innocent source but contain malware or ransomware.
After a phishing email or other hacking attempt has been successful at uploading malicious code into a company’s network, the hackers begin surveilling employees and gathering credentials to take them deeper. Once the point-of-sale system is identified, consumer information, such as credit card information, is taken.
4. Selling Data
Now that the hackers have consumers’ sensitive financial information, they’ll sell the data. These transactions occur in underground marketplaces online. Those who purchase the stolen information then rack up fraudulent charges.
The FBI claims that FIN7 has been operating with these techniques since 2015. Affected businesses include Chili’s, Arby’s, Chipotle, and more. Because the hackers are adept at identifying the specific employees they want to target or spoof, their attacks continue to be successful.
Whether they send physical drives or use phishing emails and texts, there are enough people who are fooled by these tricks that hackers still use them.
Technology changes rapidly. Employees need to be trained on new techniques to stay safe and be informed about which pieces of advice are outdated, particularly at companies that have to meet compliance requirements. For example, the advice used to be that opening an email was safe, but the attachment was the real danger.
Now, malicious code can be found in the body of an email, so even if an employee ignores the attachment, the email itself can give hackers access. The advice has had to change to explain that suspicious emails shouldn’t even be opened, let alone have their attachments downloaded.
Hackers are highly aware of which techniques are working and which are not. They also know that employees and staff are being trained to spot their attempts. As time goes on, scammers are trying to be more subtle so that they don’t get found out, or at least don’t get found out until it’s far too late.
This approach has led to hackers going beyond a one-time theft, instead trying to stay hidden and cause damage slowly enough not to be noticed. In some cases, they can stay working behind the scenes for years without alerting their targets.
Lying in Wait
Perhaps the most concerning aspect of such hacking attempts is how long it can take before a successful attempt is recognized. Take, for instance, the Stuxnet worm that existed inside the computers that controlled some of Iran’s nuclear reactors.
From as early as 2005 all the way to 2010, this computer worm went undetected. Israel’s Mossad spy agency was supposedly behind the attack, and it represented the first time that a computer virus was able to damage infrastructure.
The way that Stuxnet made it into the computers in the first place was most likely phishing emails, which led to compromised security credentials. This technique is still in use over ten years later and shows no signs of slowing, even with new techniques such as physically mailing USB drives to victims.
The Stuxnet example serves as a reminder that even when there are no obvious signs of problems upon inserting a strange USB drive into a workstation, there still may be a virus that was just unleashed.