Crooks and cyberspies attempt to exploit any attack vector to compromise the targeted computers and the case we are going to discuss demonstrate it.
The popular security expert Brian Krebs reported that several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden compact discs (CDs).
The list of recipients that received the malicious snail mail includes State Archives, State Historical Societies, and a State Department of Cultural Affairs.
KrebsOnSecurity reported having learned that the strange mail is apparently sent from China.
“This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”” reads the post published by Brian Krebs.
The attackers clearly attempt to exploit the curiosity of the potential victims that may be enticed into seeing the content of the CD.
According to the experts at MS-ISAC who analyzed the CDs, the media support contain Mandarin language Microsoft Word documents, some of which including malicious scripts.
All the letters received by the organizations appear to be addressed specifically to them.
“It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.” continues Krebs.
“I’m sure many readers could think of clever ways that this apparent mail-based phishing campaign could be made more effective or believable, such as including tiny USB drives instead of CDs, or at least a more personalized letter that doesn’t look like it was crafted by someone without a mastery of the English language.”
A similar attack technique has been already observed in the wild, in September 2016 the Police in the Australian State of Victoria issued a warning to the local population of malware-laden USB drives left in letterboxes.
In August 2016, at Black Hat USA, the security researcher Elie Bursztein demonstrated the dangers of found USB drive and how to create a realistic one.
The expert dropped 297 USB drives on the University of Illinois Urbana-Champaign campus in six different locations, the devices are able to take over the PC of the unaware user that will find the key.
48 percent of USB drives were picked up by passers and plugged into a computer, and the unaware users also tried to open the file within.
Social engineering attacks demonstrate that humans are the weakest link in the security chain, and attacks leveraging malware-laden CD leverage bad habit.
(Security Affairs – Malware-Laden CD Sent, hacking)