Social Engineering the USB Way
Steve Stasiukonis, VP and founder of Secure Network Technologies Inc., discusses an interesting project his firm had with a credit union customer. The client had stated that USB drives were a concern, so they decided to load a Trojan onto a few USB flash drives and plant them in the parking lot. Within a short amount of time the Trojan had infected several computers and was transmitting data from credit union computers to a remote anonymous email account. They did not use any of the U3 drives to autorun the Trojan, but instead used a little bit of social engineering by making the icon look like a photo, thus making the user think they were double-clicking a JPG image.
I have been to several banks and credit unions and have been surprised how many USB ports are open to me. In fact, once I sat at a desk where the system was on the desk with the back of the computer and its USB ports 1 foot away from me. He got up to go get something he had printed… in that brief minute I could have plugged in the USB drive on my keychain and injected a Trojan or other malicious bit of code. Banks, credit unions and IT staff in general really need to rethink their endpoint security strategy.
