Don’t plug in that free Microsoft Office USB drive you got in the mail(pcworld.com)
pcworld.com
Don’t plug in that free Microsoft Office USB drive you got in the mail
https://www.pcworld.com/article/833790/free-office-scam-uses-usb-drive-sent-through-mail.html
37 comments
Wow. I expected that it would install a keylogger or something, but this is so low tech that I'm both impressed and disappointed. Impressed because it's (a) so elaborate for what it is, (b) it's cheaper than procuring an actual virus, and (c) it is supported by existing scam infrastructure. Disappointed because I expected some exciting new attack vector.
Yeah like, I see that it's cheap to run those scam ads on fishy websites and just wait until someone is tricked into calling, or run a robocaller and wait until someone presses 1.
But having all this designed, ordered, packaged and shipped, just so maybe the receiver calls seems way too much effort. How does this scale? I'd see this make sense for targeted attacks, but like this? Wow.
But having all this designed, ordered, packaged and shipped, just so maybe the receiver calls seems way too much effort. How does this scale? I'd see this make sense for targeted attacks, but like this? Wow.
I don't really see the design or packaging as an issue, after all that can be done for cents apiece in high volume productions. But the USB drives are definitely interesting. Even when ordered in large batches from cheap chinese manufacturers, they will probably cost a dollar per drive. So if you send that to 10k people, you have to expect a very high payout. The approach is certainly more effective than a spam mail, but then again sending an email costs several orders of magnitude less. So I wonder if this is really orders of magnitude more likely to capture people. Perhaps with strong pre-selection.
$1 per drive for how much storage? I’m sure these don’t even need a single Gig. Probably could get lots of super cheap ones during liquidation events or salvage operations and what not.
I just looked it up: Even if you accept less than 1 GB you'll have a hard time finding drives below $3. The USB controller chip alone is about $1 and you need some actual storage and a casing as well. Even if you're really proficient at acquisition and manage to get them for 10% of that price, it's still orders of magnitude more expensive than email based spam.
> ...USB controller chip alone is about $1...
That's for official parts and at lower quantities I presume. Knock off chips are often pennies, especially at scale. When I buy chips for side projects, I often just source them from ebay/alibaba where you can get them for ridiculously cheap prices. [1][2]
> ...it's still orders of magnitude more expensive than email based spam.
Relative to how much they drain from elderly folks retirement accounts, I think it's a logical investment for them given that existing scammer tactics are being made obsolete.
In any case, I just checked Alibaba and found several listings [3][4] that claim ≤50¢ at scale. They look rather professional and you could even brand a logo on them.
1 - https://www.ebay.com/itm/392526892417 (USB - Serial converter, NOT a USB drive IC)
2 - https://www.ebay.com/itm/392540419491 (power bank chip)
3 - https://www.alibaba.com/product-detail/Usb-Drive-Usb-Drive-L...
4 - https://www.alibaba.com/product-detail/Cheap-customized-Logo...
That's for official parts and at lower quantities I presume. Knock off chips are often pennies, especially at scale. When I buy chips for side projects, I often just source them from ebay/alibaba where you can get them for ridiculously cheap prices. [1][2]
> ...it's still orders of magnitude more expensive than email based spam.
Relative to how much they drain from elderly folks retirement accounts, I think it's a logical investment for them given that existing scammer tactics are being made obsolete.
In any case, I just checked Alibaba and found several listings [3][4] that claim ≤50¢ at scale. They look rather professional and you could even brand a logo on them.
1 - https://www.ebay.com/itm/392526892417 (USB - Serial converter, NOT a USB drive IC)
2 - https://www.ebay.com/itm/392540419491 (power bank chip)
3 - https://www.alibaba.com/product-detail/Usb-Drive-Usb-Drive-L...
4 - https://www.alibaba.com/product-detail/Cheap-customized-Logo...
Half a dollar is still orders of magnitude more expensive.
Quote: "You plug the USB drive into your PC and it immediately tells you that you have a virus, and you need to call “Microsoft Support.”"
Well, that's a badly configured PC then. Stop having AutoPlay enabled and this won't happen. Then next step is to format that USB drive and voila!, free thumb drive.
Well, that's a badly configured PC then. Stop having AutoPlay enabled and this won't happen. Then next step is to format that USB drive and voila!, free thumb drive.
Honestly, if the victim thinks it's legitimate and they've plugged it in, autoplay being disabled is no big deal to the attacker, chances are, they're going to double-click the setup.exe/install.exe anyway...
You haven't heard of BadUSB?
Don't plug in untrusted USB devices.
Don't plug in untrusted USB devices.
Yeah, I heard. Still the case of a badly configured device.
Remember kids, it's a software driver configuration. Show me that BadUSB that works on the dumb DOS operating system. No? Yeah, didn't think so. Only "clever" OS'es are pwned by this, and if you dumb them down then nothing gets to run automatically.
Remember kids, it's a software driver configuration. Show me that BadUSB that works on the dumb DOS operating system. No? Yeah, didn't think so. Only "clever" OS'es are pwned by this, and if you dumb them down then nothing gets to run automatically.
BadUSB or similar could be setup to work on DOS if the system firmware does USB keyboard mapping. You can do copy con foo.exe or something with debug, and then stream the executable you want to run, then run it. A bit more work, and there's no standard networking and all that, but it's doable if you really want it done; but you'd need a target to make it worthwhile.
Sooo... we go back to my initial point of a "badly configured system"?
Well, most of my recent computers don't have an option for keyboards that's not USB. But a system with no inputs is probably the most secure you can get.
You can also hotglue unused ports and physically prevent unplugging the intended devices. But that's not realistic for most systems.
You can also hotglue unused ports and physically prevent unplugging the intended devices. But that's not realistic for most systems.
It's the old usability vs security compromise.
Any DOS is susceptible to Bad USB emulating a keyboard if the BIOS supports USB keyboards.
Autorun/autoplay are only one possible vector for attack. No matter how well configured your device is it can still be destroyed by an electrical attack where a bad USB device charges capacitors and then zaps your device. Got it boomer?
Or USB Killer... Although there's generally no financial incentive for an attacker to mail you a USB Killer.
Like with most DoS style attacks it's mainly vandalism. Though an online DoS could be used for market manipulation at the right time, it usually isn't.
I think you missed the point of the scam.
If someone thinks they just got a free copy of Office, and is willing to plug the USB drive in, then they're also willing to run the 'Setup.exe' on it, too.
If someone thinks they just got a free copy of Office, and is willing to plug the USB drive in, then they're also willing to run the 'Setup.exe' on it, too.
I am curious what's on that USB stick. Is it a flash drive/HID thing like a rubber ducky that types something in to run a payload?
Or, just bad phrasing on the article?
Or, just bad phrasing on the article?
Autorun.inf plus some html file or simple app displaying a msgbox.
I thought Autorun was no longer a thing since Vista or so.
I thought plugging a thumb drive in can deliver malware without opening files.
Something about full memory access before block level … or is that PCIe?
Something about full memory access before block level … or is that PCIe?
USB doesn't have implicit DMA (Direct Memory Access), so it can't install malware on your computer without getting past your operating system. (Though just enabling autoplay will do the trick - and I have no idea whether thats turned on by default these days.)
Firewire used to have DMA access via how the port was physically wired, but afaik it was fixed before being phased out. Thunderbolt also gets access to the PCIe bus (and also by extension, DMA). I'm not sure what the security situation is there.
As others have mentioned, USB devices can also do physical damage to your computer if they want to, by charging a capacitor over a few seconds then discharging it all at once.
Its generally a bad idea to plug mystery USB devices into your computer.
Firewire used to have DMA access via how the port was physically wired, but afaik it was fixed before being phased out. Thunderbolt also gets access to the PCIe bus (and also by extension, DMA). I'm not sure what the security situation is there.
As others have mentioned, USB devices can also do physical damage to your computer if they want to, by charging a capacitor over a few seconds then discharging it all at once.
Its generally a bad idea to plug mystery USB devices into your computer.
> Thunderbolt also gets access to the PCIe bus (and also by extension, DMA). I'm not sure what the security situation is there.
There is support for having the user authorize the device before logically connecting it to the rest of the system; see e.g. https://wiki.archlinux.org/title/Thunderbolt#User_device_aut...
It would not surprise me if this does nothing, because firmware implements it poorly, and/or because users click OK on everything.
There is support for having the user authorize the device before logically connecting it to the rest of the system; see e.g. https://wiki.archlinux.org/title/Thunderbolt#User_device_aut...
It would not surprise me if this does nothing, because firmware implements it poorly, and/or because users click OK on everything.
Device authorization for PCIe tunnels is TB3+ feature, older versions are out of luck.
The situation with firmware is not that bad, though. There are exactly two of them, Intel and Apple. Apple devices have the Apple implementation and the rest of the world Intels.
On capable hardware, IOMMU is also used (for all security levels).
The situation with firmware is not that bad, though. There are exactly two of them, Intel and Apple. Apple devices have the Apple implementation and the rest of the world Intels.
On capable hardware, IOMMU is also used (for all security levels).
The grifts are certainly getting more elaborate
Wouldn’t enough disputed charges result in the credit card processor blacklisting this merchant?
I would think a better scam to be selling fake av software in this scenario.
I would think a better scam to be selling fake av software in this scenario.
Malware with a strong command-and-control network will be able to change the merchant.
Additionally, this blacklisting effect can be used strategically to target business you don't like by using the malware to perform a false-flag attack.
Additionally, this blacklisting effect can be used strategically to target business you don't like by using the malware to perform a false-flag attack.
They probably use the card number to buy stuff from legitimate online stores, e.g. gift cards, to ensure that the transaction is hard to reverse/they get to keep their "winnings" even if the CC company does a chargeback.
This makes me wonder if anyone ever leveraged an America Online CD for malware.
Depending on your definition of malware...AOL?
Wow, that is an excellent social engineering method.
Brilliant, but arguably not as brilliant as selling idiots grey market keys on StackSocial or SlickDeals for $30, which appear to activate but aren't legitimate for individual sale.
Hint: If you didn't pay out the a** for it, it's not a legit Microsoft product key.
Hint: If you didn't pay out the a** for it, it's not a legit Microsoft product key.
I just use LibreOffice instead of MS-Office. https://www.libreoffice.org/
I am not a big fan of MS-Office being forced software that takes over Windows and activates a key online and steals info on the user.
I don't use Office at home (I use Sandstorm apps instead), and I've convinced a few folks to use LibreOffice instead of paying for new Office versions recently, but I still deal with Microsoft licensing pretty regularly, so the prevalence of grey market keys on deals sites is of great irritation to me.