
©2025 Poal.co

Hackers Have Been Sending Malware-Filled USB Sticks to U.S. Companies Disguised as Presents

The "malicious USB stick" trick is old but apparently it's still wildly popular with the crooks.

Friendly-looking USB sticks are a vector for malware distribution as old as the internet itself and, apparently, they’re still quite popular with the criminals.

On Thursday, the FBI warned that a hacker group has been using the US mail to send malware-laden USB drives to companies in the defense, transportation and insurance industries. The criminals’ hope is that employees will be gullible enough to stick them into their computers, thus creating the opportunity for ransomware attacks or the deployment of other malicious software, The Record reports.

The hacker group behind this bad behavior—a group called FIN7—has gone to great lengths to make their parcels appear innocuous. In some cases, packages were dressed up as if they were sent by the US Department of Health and Human Services, with notes explaining that the drives contained important information about COVID-19 guidelines. In other cases, they were delivered as if they had been sent via Amazon, along with a “decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB,” according to the FBI warning.

This little scheme appears to have been going on for at least several months—as the FBI says it originally began receiving reports about such activity as far back as last August.

[Read More](https://gizmodo.com/hackers-have-been-sending-malware-filled-usb-sticks-to-1848323578)

(post is archived)

[–] 2 pts (edited )

When personal computers were first unleashed onto the public, there was an atmosphere of transparency and people were actually encouraged to learn about them. HTML was even taught in the schools for a while. Does anyone remember MySpace? People actually shared and exchanged open code snippets to customize their pages. Then along came Big Tech to shut that all down and launch a huge campaign to make computers and the internet more "user-friendly." Nowadays people are so dumbed down that all they can do is click and drag. Disabling autoplay and wiping a new USB stick clean of malware before using it should be a common practice, but instead people are easily fooled, blindly accepting pre-installed software that makes the device "easier to use."

[–] 0 pt

So without autoplay, it doesn't do jack? Or can it trick BIOS firmware or something?

[–] 0 pt (edited )

So long as the malware is contained on the flash memory you would be able to avoid it by not mounting it or executing anything. To your point though, there could sometimes be evil stuff placed in the firmware of the USB stick which could activate as soon as it's plugged in.

[–] 0 pt

Nope, autoplay is already disabled by default on the modern computer.

The USBs use different methods. Don’t plug in any untrusted device into your computer.

[–] 0 pt

That's BS. A storage device shouldn't be able to do jack.
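Added example, not part of any comment in this thread: a USB device is whatever its firmware declares to the host, so a stick can enumerate as a keyboard (USB class 0x03, protocol 0x01) as well as, or instead of, mass storage (class 0x08), and autoplay settings have no bearing on that. The sketch below assumes the Linux sysfs layout under `/sys/bus/usb/devices`; the function names are hypothetical.

```python
"""Flag USB devices whose declared interfaces include a keyboard (Linux sysfs)."""
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08   # USB base class codes
KEYBOARD_PROTOCOL = 0x01         # HID bInterfaceProtocol value for a keyboard


def _hex(path: Path) -> int:
    # sysfs exposes descriptor fields as short hex strings, e.g. "08\n"
    return int(path.read_text().strip(), 16)


def read_devices(root="/sys/bus/usb/devices"):
    """Return {device: [(class, protocol), ...]} from the interface directories."""
    devices = {}
    for iface in sorted(Path(root).glob("*:*")):   # interface dirs, e.g. 1-2:1.0
        if not (iface / "bInterfaceClass").is_file():
            continue
        dev = iface.name.split(":")[0]
        devices.setdefault(dev, []).append(
            (_hex(iface / "bInterfaceClass"), _hex(iface / "bInterfaceProtocol")))
    return devices


def assess(interfaces):
    """Classify one device by what it declares, not by what the casing looks like."""
    classes = {cls for cls, _ in interfaces}
    keyboard = (HID, KEYBOARD_PROTOCOL) in interfaces
    if keyboard and MASS_STORAGE in classes:
        return "alert: storage device that also declares a keyboard"
    if keyboard:
        # Real keyboards match too; compare against the devices you expect.
        return "review: declares a keyboard"
    if MASS_STORAGE in classes:
        return "storage only"
    return "other"


def report(root="/sys/bus/usb/devices"):
    return {dev: assess(ifs) for dev, ifs in read_devices(root).items()}


if __name__ == "__main__":
    for dev, verdict in report().items():
        print(dev, verdict)
```

This only reports what is enumerated at the moment it runs; firmware can present a different set of interfaces later, so it complements rather than replaces examining unknown drives on an isolated machine.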

I've got one of these suspicious Chinese USB sticks in my possession. Gifted from a bugman who called itself "Johnny" when they visited my job. Man, it is ornate and detailed... they REALLY want me to plug this thing into one of our work PCs.

I went around with a wastebasket and collected everyone's USB stick from China. Nobody was allowed to keep them, luckily I got to them all in time before one got plugged in. Surprisingly, many people were already suspicious of it and tossed it... but I still had to dig it out of their trashcan. I had to physically see each one go bye-bye. I keep one as a souvenir at home.

Who'd be dumb enough to plug unvetted flash into their PC? Even when friends hand me a drive, it goes into an isolated system first. Also, never buy cards or sticks from eBay or Amazon; brick and mortar stores only.

[–] 0 pt

The average office worker has no clue about how the magic works inside their box. Most people know just enough to do their jobs and call help desk.

[–] 1 pt

Now I'm curious what's on it. Find an old air-gapped PC and plug her in.

[–] 1 pt

Some Chinese guy gave a USB stick with his ‘resume’ on it, to my wife’s boss about ten years ago. He plugged it into his work PC, which let these fuckers into their network. They work at a biotech firm that was trying to develop a cancer drug.

The chinks lurked unnoticed until the day my wife had to wire transfer 6 million dollars. Then she began getting emails from the ‘recipient’ that was telling her to change the usual routing number. She emailed her boss about this but it was the chinks she was really talking to. She was told the routing number change was fine. She was about to do it, but it didn’t feel right. She went to lunch and when she got back she had a bunch of emails from her ‘boss’ asking why she hadn’t sent the funds. Their impatience fucked them, because her boss didn’t have the software to see financials. She began calling folks on her cell and discovered none of them had been talking to one another via email. They had to hire some power nerds to get these chinks out of their system. They determined it was that USB stick that got them in.

[–] 1 pt

Doesn't intelligent crime inspire some respect though?

[–] 0 pt

Oh yeah, if they had gotten that 6 million, it would have been quite a caper. I’ve often wondered how often they're successful with this scam. It almost worked.

[–] 0 pt

6 million dollars

It's anuddah shoah!

[–] 0 pt

I've gotten counterfeit USB and SD cards from Amazon "Trusted Seller"s before. Good thing I don't use autoplay, have a dummy netbook from nearly a decade ago, use Linux, and have testing software to check the validity of drives. I don't order computer hardware (or really anything) from Amazon anymore.

[–] 0 pt

Chinese military, no doubt