Never Trust a Strange USB Device

Let’s say you find a USB drive in your office parking lot. You’re not sure who it belongs to, but since it’s near your place of work, you imagine it has to be someone close by. Maybe you’d figure out who owns the stick by plugging it into your computer, and checking out the files stored within. Here’s the thing: You really shouldn’t do that.

There are many different tactics bad actors take to potentially hack into someone’s machine and network. Phishing is a common tactic, as it’s easy to target large groups of people over the internet at once. But if bad actors have a specific network in mind, they might take another approach—one that involves connecting to said network locally.

Sure, one could break into the offices in question, but that assumes a great risk. If the hacker is caught, they will be responsible for a number of crimes committed in the act. It’s much safer if the physical hacking is done by someone who is meant to be within the building itself—better yet, if that person is blissfully unaware of what they’re doing.

That’s the idea behind USB drive drops. A hacker may install malware on the drive, then leave it behind somewhere busy, like a parking lot, or, if possible, somewhere in the building. While many people may walk past the drive, all it takes is for one curious person to pick it up and plug it into their machine. Depending on the malware, the drive may scrape your computer for login information, including passwords, and may potentially use that info to break into the network at large. This could result in ransomeware attack, all because a good Samaritan wanted to see if they could locate the owner of the drive.

In general, never attach any devices to your computer, whether it’s your personal device or one you use for work. If you find a strange device unattended near your place of work, bring it to your IT department, or another authority, and be clear that you do not know who the drive belongs to.