Yottabytes: Storage and Disaster Recovery

Jul 13 2017   9:06PM GMT

Beware! USB Web Key In the Mail

Sharon Fisher


You’ve heard about phishing. Now we’ve got one with actual bait: a mailed USB card called a web key.

As one techie describes it, “Here is the prototype for the next big wave of security breaches.”

According to TJ Gamble, founder and CEO of ecommerce company jamerson.com, Blue Cross/Blue Shield is sending out letters that include something like a business card or a credit card with a built-in USB drive. The letter urges recipients to insert the device into their computers to find out all the wonderful things that Blue Cross could do for them.

Gamble tweeted a picture of one of the letters, showing the USB drive, known as a “web key.” He also put together a YouTube video going into more detail.

In a LinkedIn post elaborating on the Tweet, and in his video, Gamble hastened to clarify that he wasn’t accusing Blue Cross of anything nefarious. “I am not accusing BCBS of creating software that is less than aboveboard,” he writes. “However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.”

In other words, it would be like phishing – except instead of getting email from what appears to be Google or Facebook, you’re getting actual physical mail from what appears to be a trusted source like Blue Cross. Instead of the promised information, the device could carry a potentially nasty payload that installs malware, steals your data, reprograms your device, destroys your laptop, or sets it on fire. Moreover, the mailing apparently targeted human resources professionals, who might not know about the security risks involved, Gamble notes.

On the other hand, if someone gets caught sending them out, it’s presumably mail fraud, a Federal crime. And due to this risk, as well as the cost of producing the devices in the first place – 50 cents to a dollar each, he estimates — Gamble writes that he wouldn’t expect to see the general public start receiving these. “However, it definitely provides some ideas for going after high-value targets,” he warns – a variation known as “spear phishing.”

Blue Cross defenders commenting on Gamble’s piece point out that the company is hardly the first to use such web key devices, linking to a Pinterest board of examples. (For what it’s worth, I’ve never seen the things before.) On the other hand, commenters also noted that malware or other payloads could be inserted anywhere along the supply chain for the devices, including where they were built, and in any event it was dangerous to train users to start inserting these devices.

In any event, the advice remains the same: Don’t poke strange USB sticks into your devices.
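As an added illustration of the defensive side of that advice (example code written for this post, not from Gamble’s video or from any product the article mentions): a small Python audit that reads Linux kernel USB log lines, pairs each mass-storage attachment with the vendor/product id and serial number the kernel reported, and flags any drive that is not on an allowlist of issued devices. The log lines and the allowlist entries are constructed sample values, and the allowlist itself is a hypothetical list a team would maintain.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Linux kernel (dmesg / journalctl -k)
# USB messages. They are illustrative only, not captured from a real system.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: SerialNumber: 4C530001234567890123
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 2-3: new full-speed USB device number 5 using xhci_hcd
usb 2-3: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-3: SerialNumber: WEBKEY000001
usb-storage 2-3:1.0: USB Mass Storage device detected
usb 1-4: new low-speed USB device number 6 using xhci_hcd
usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
"""

# Hypothetical allowlist of (vendor, product, serial) for drives the company
# issued itself. Constructed values for the example.
ALLOWED_DRIVES = {
    ("0781", "5567", "4C530001234567890123"),
}

ID_RE = re.compile(
    r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"^usb (\S+): SerialNumber: (\S+)")
STORAGE_RE = re.compile(r"^usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Group kernel USB lines by bus address (e.g. '1-1') into per-device records.

    Each record holds whatever was seen for that address: vendor/product ids,
    the serial string, and whether the usb-storage driver claimed it.
    """
    devices = defaultdict(dict)
    for line in log_text.splitlines():
        m = ID_RE.match(line)
        if m:
            port, vid, pid = m.groups()
            devices[port].update(vendor=vid, product=pid)
            continue
        m = SERIAL_RE.match(line)
        if m:
            port, serial = m.groups()
            devices[port]["serial"] = serial
            continue
        m = STORAGE_RE.match(line)
        if m:
            devices[m.group(1)]["mass_storage"] = True
    return dict(devices)


def find_unapproved_storage(log_text, allowlist=ALLOWED_DRIVES):
    """Return (port, vendor, product, serial) for mass-storage devices not on the allowlist."""
    alerts = []
    for port, dev in parse_usb_events(log_text).items():
        if not dev.get("mass_storage"):
            continue  # only devices the usb-storage driver claimed are in scope
        key = (dev.get("vendor"), dev.get("product"), dev.get("serial"))
        if key not in allowlist:
            alerts.append((port,) + key)
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_storage(SAMPLE_LOG):
        print("ALERT: unapproved USB mass-storage device attached:", alert)
```

On a real host the same functions can be fed the output of `journalctl -k` or `dmesg`. The check only covers devices the kernel’s usb-storage driver claimed, so the keyboard at address 1-4 in the sample is ignored and anything that enumerates as something other than a drive goes unflagged; it complements the no-unknown-sticks rule rather than replacing it.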

3 Comments on this Post

  • StephaneTkoelbli
    I am not denying the potential threat, but I think it is more likely to be used by an angry competitor to shut down a business than by the standard hacker, who is unlikely to be willing to spend such an amount of money to deliver his malware!
  • DuskoS
    Me thinks... 1. It costs money, so it won't be cheap. 2. It's easier to find who dunnit. 3. It's no longer the beginning of the century when autorun would install executables by default. 4. In fact I already received similar devices with promo content, but it was from booths in conferences. I did not have a problem sticking it in my laptop because I knew where and who it came from and what it contains (promo data sheets). All-in-all, I don't see a problem if it comes from a known and expected source. Unknown source and unexpected is another story. Besides, with today's web presence and cloud availability, I see neither a future nor a practical need for such a method of content distribution.
  • Kevin Beaver
    A clever attack vector, indeed! Thanks for this, Sharon.
