Malware-infected USB sticks posted to Australian homes

[Image: A pair of USB sticks like those left in residents' letterboxes. Source: State of Victoria Police. Caption: The unmarked USB sticks could infect computers with harmful viruses, Victoria police warned]

USB sticks containing harmful malware have been left in Australian letterboxes, police in Victoria have warned.

Residents of Pakenham, a suburb of Melbourne, have reportedly found the unmarked sticks in the boxes.

Plugging them into a computer triggers fraudulent media-streaming service offers, as well as other malware, the force said in a statement.

The devices are "extremely harmful" and should not be used, police say.

It is not uncommon for USB sticks to be used to carry and transmit destructive malware and viruses to computers.

Cybersecurity experts have called the technology "critically flawed", and in 2014 demonstrated to the BBC how any USB device could be used to infect a computer without the user's knowledge.

Berlin-based researchers Karsten Nohl and Jakob Lell said a device that appeared to be completely empty could still contain a virus.

[Image: USB sticks store files and other information to transfer data between devices. Source: ROSLAN RAHMAN]

Stuxnet, one of the most sophisticated known pieces of malware, was deployed to attack Iranian nuclear centrifuges. It is believed to have been carried on an infected USB stick.

The virus infected the internal network of computers running Windows, and attacked Siemens industrial control software in order to over-ride the system.

Andrew Tierney, consultant at cybersecurity firm Pen Test Partners, said the use of infected USB sticks to target households was very rare.

"However, it's still a common form of attacking businesses, where the gains are much greater," he said.

"Most cybercriminals are looking for volume, so it's much easier to get hold of people's information by phishing. It's unclear whether the devices were sent in the post, but putting a USB stick in someone's letterbox by visiting the property and potentially getting your fingerprints on them creates a much greater risk of getting caught."

The University of Illinois conducted an experiment earlier this year, dropping 297 USB drives around its campus. Had the sticks been infected, the attack would have had an estimated success rate of between 45% and 98%, the study found.

"You'd be surprised at how many people would fall for plugging an unknown USB stick into their computer. Some users may become distrustful at the stage only when the software asks them to download a program, but Word files can still be harmful," said Mr Tierney.