The gesture seems so thoughtful. A package apparently from the Department of Health and Human Services is sent to a workplace, with a note saying the USB drives inside have important information about COVID-19 guidelines. Or an Amazon "decorative gift box" arrives, containing a thank-you note, a bogus gift card, and a USB drive, the FBI says. But the gifts actually are from a group of hackers that calls itself FIN7, Gizmodo reports. Anyone who uses the drive can end up with a malware-infected computer or become the victim of a ransomware attack.
An FBI advisory says the Eastern European group has used the drives to try to hack American transportation, defense, and insurance companies, per CNN. The FBI has been on the trail of FIN7 for years. The Justice Department says the hackers have stolen millions of credit card numbers from restaurant and hospitality chains in 47 states. The existence of physical evidence could yield information usually not available in a cyber investigation. The FBI asks anyone who receives such a package to "handle it with care to preserve DNA and fingerprints that may be obtainable from the package."
The scam is a more targeted version of the "drop"; studies have found people will stick a free or found USB drive into their computer. Researchers once placed about 300 drives, with various labels on them, around campus at the University of Illinois Urbana-Champaign. The first drive was in use in someone's computer in six minutes, per Mic. Almost half of the 300 drives were picked up and used. The project showed the importance of educating people on the risk of using an untrusted drive, a researcher involved in the study said.