Cyberattacks Delivered By Your Mail Carrier

A group called FIN7 has been using a novel method to target victims.  The attack is delivered through USPS mail, the kind that’s delivered into the real mailbox. 

The target gets a package in the postal mail containing a message that appears to be from Best Buy.  The package contains a letter thanking the victim for being such a good customer, a gift card and/or a teddy bear, and a USB stick supposedly containing a list of special gift items.  When the target inserts the USB into a Windows computer, a message pops up saying that the USB device has malfunctioned. The target may then take the stick out, throw it away, and play with the teddy bear.  By the time the device has been removed, it’s too late. This stick actually contains a USB keyboard emulator and has been injecting commands into the system. The computer has already downloaded a malicious script that is gathering information about the computer to send back through the Internet to its controller.  The script then also downloads more malware. 

This attack, unlike most purely IT-based attacks, costs the attackers some money for postage, USB camouflaged keyboards, gift cards, and teddy bears.  The FIN7 group has historically been attacking the commercial industries, so some investment is worth the chance of success.  

While it seems unlikely that UMBC will be a target, please do not use any USB stick, or anything that looks like a USB stick, unless you trust the source.  The best source is an unopened package that you bought yourself.

If you receive any USB devices that you are suspicious of or have any questions about strange computer related activity, please contact us at security@umbc.edu.

Links for more information:

• https://securityaffairs.co/wordpress/100661/cyber-crime/fin7-usb-teddy-bears-attacks.html

• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/