New Year, Same Scams

Now that the holidays are over, we don’t have to worry about any more Amazon scams, right?

Oh how I wish that were true.

Now we’re back to the regular old types of scams, the ones that aren’t tied to the holidays.

One of the more concerning scams making the rounds right now was first seen about 18 months ago.  It’s resurfaced several times during the Covid pandemic and most recently, the FBI put out a bulletin alerting people about the latest iteration of the scam.  (link to bulletin at the end of the article)

Here is the scenario. A package arrives via USPS or delivery service and inside the box is a $500 Amazon gift card, a USB stick and a note that says something to the effect of, “We’re grateful for you being a loyal customer. We want to send you this $500 gift card, this USB stick contains a list of goods that you can choose from.”

Because this is a column about another scam, it should come as no surprise to you that the USB stick contains something other than a list of fabulous prizes.  The USB stick is a Trojan horse. It is known as a “BadUSB” or “Bad Beetle USB”, and if it is plugged into a computer, a series of programs will run that inject a set of keystrokes to download and execute several types of malware.

The malware may contain a keystroke logger, where the websites you visit and the IDs and passwords you use to log in will be logged and sent back to the Bad Actor. This is commonly used in Financial Services or banking and credit card attacks. There may also be data extraction and data encryption malware to hold your information ransom and move it off of your computer or your network to be sold on the dark web. Usually both will happen at the same time.

These USB sticks are for sale on hacker sites and commonly have “LILYGO” printed or embossed on the stick itself.  However, that is not the only type of USB stick used, so avoid plugging in a USB stick from an unknown party.

As a general rule, we limit the ability of USB sticks to run any software (or even be used) in our managed customers’ environments because it is such an easy and common way of delivering malware and compromising computer systems and entire networks.
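As an added example (not part of the original column, and not the tooling we use for customers), here is one way a defender could spot a stick that types keystrokes the way the BadUSB devices described above do: scan Linux kernel log lines and flag any USB device that registers itself as a keyboard without being on an approved list. The log lines, vendor/product IDs, product names and the `APPROVED_KEYBOARDS` allowlist are all constructed for illustration.

```python
import re

# Constructed sample of Linux kernel log lines (all IDs and names are made up).
SAMPLE_LOG = """\
[  101.000001] usb 1-1: New USB device found, idVendor=bbbb, idProduct=0002, bcdDevice= 1.00
[  101.000100] usb 1-1: Product: Office Keyboard
[  101.010000] hid-generic 0003:BBBB:0002.0001: input,hidraw0: USB HID v1.11 Keyboard [Office Keyboard] on usb-0000:00:14.0-1/input0
[  250.000001] usb 1-3: New USB device found, idVendor=cccc, idProduct=0003, bcdDevice= 1.00
[  250.000100] usb 1-3: Product: Flash Drive
[  250.010000] usb-storage 1-3:1.0: USB Mass Storage device detected
[  900.000001] usb 1-2: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.00
[  900.000100] usb 1-2: Product: Gift Catalog
[  900.010000] hid-generic 0003:AAAA:0001.0002: input,hidraw1: USB HID v1.11 Keyboard [Gift Catalog] on usb-0000:00:14.0-2/input0
"""

# Hypothetical allowlist: vendor:product IDs of keyboards the organisation issued.
APPROVED_KEYBOARDS = {"bbbb:0002"}

FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)")
HID_KBD = re.compile(r"hid-generic \w{4}:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\w+: .*USB HID v[\d.]+ Keyboard\b")
TIME = re.compile(r"^\[\s*([\d.]+)\]")


def unapproved_keyboards(log_text, approved=APPROVED_KEYBOARDS):
    """Return one record per USB device that registered as a keyboard but is not approved."""
    port_ids = {}  # port path (e.g. "1-2") -> "vendor:product"
    names = {}     # "vendor:product" -> product string announced at plug-in
    alerts = []
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            port_ids[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
        elif m := PRODUCT.search(line):
            if m.group(1) in port_ids:
                names[port_ids[m.group(1)]] = m.group(2).strip()
        elif m := HID_KBD.search(line):
            dev = f"{m.group(1)}:{m.group(2)}".lower()
            if dev not in approved:  # a "stick" that can type is the red flag
                t = TIME.search(line)
                alerts.append({"time": float(t.group(1)) if t else None,
                               "id": dev, "product": names.get(dev, "unknown")})
    return alerts


if __name__ == "__main__":
    for alert in unapproved_keyboards(SAMPLE_LOG):
        print("Unapproved keyboard device:", alert)
```

The ordinary flash drive in the sample is not flagged because it only registers as storage; the device calling itself "Gift Catalog" is flagged because it registers as a keyboard.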

Additionally, if you receive a gift of a USB stick from a friend or vendor and there is a note that states you need to use this specific gift card only on the items that are listed on this USB stick, be very suspicious.  Companies that provide gifts to their customers where the customer can choose what they would like to receive tend to do this via an online store. A customer would most likely be sent to a website to choose a gift. If you are given an Amazon gift card, you are usually able to purchase anything you’d like from Amazon; that is the point of a gift card.

The coupling of a gift card that can only be used to get things that are listed on a USB stick should be highly suspect.

Finally, if you get a gift, it’s always nice to say thank you. Contact the company that sent it to you and confirm that this is a real gift, from them, that has been sent.

If you do receive this type of package in the mail or via another delivery service, retain all the contents and the packaging, including any mailing markings with delivery information, tracking information and return address information. If you have your IT security professional analyze the USB stick, retain any forensic findings, report or additional information derived from that investigation.  And if the device is plugged into a computer, it is best to retain the machine, intact and powered down, so that a full memory capture of whatever was on that computer can be made. You will need a full forensic image of the victim computer before any remediation is done, especially if a cyber insurance claim is filed and a report is made with the federal authorities.

There are tools that IT security professionals use to analyze what type of information is being sent off network or has been encrypted and log files of actions taken. 

In the link below is the FBI alert which has some recommended remediation steps and information that is requested if they are contacted. Please keep in mind, it is a complex process to remediate these types of attacks.

I recommend if you or someone in your household or office has inserted one of these USB sticks into their machines and remediation is necessary, engage with an IT security professional.

Oh, and in case you were wondering, perhaps the worst part of all, the $500 Amazon gift card is just a printed piece of plastic with no dollar value associated with it.

Again, please do not plug the USB stick into the computer. And if you do, contact us right away and we’ll try to assist.