Cybersecurity Tip: Be Careful with That Free USB Stick

By Claire Gu | February 14, 2022

Hiding malware on a free USB stick is a common way to launch a cyberattack

It seems good—a free USB stick, something picked up as a giveaway or received in the mail after winning a random selection. A little extra portable storage is always a good thing. So you pop it in, and the next thing you know, your computer is locked, your data is corrupted, and whatever was hidden on that USB stick is spreading.

People often don't think twice about taking freebies from events or from their mailbox and plugging infected USB devices into their computers. But they should.

USB sticks are a common way hackers install ransomware and other types of malware. And if you're on a network, that malware can spread to other computers and even shut down the entire network. Once a network gets infected, everyone can be locked out and risks losing everything—including grades, coursework, important research, and financial aid information.

A Recent Rise in Attacks

Recently, the FBI warned that cybercriminals are mailing out USB drives to spread ransomware and launch cyber attacks. The infected USB drives are sent via the US Postal Service and UPS, impersonating the Department of Health and Human Services in some cases, and Amazon in others. According to the FBI, some packages are designed to resemble Amazon gifts—containing a fake thank you letter, counterfeit gift card, and a USB—and in other cases the USB drive is accompanied by letters referencing COVID-19 guidelines.

There are three main types of USB hacking tools that would allow for exploitation of your computer, leaving both your data and NYU’s cybersecurity vulnerable.

Malicious Code

Hackers can use USB sticks to infect your computer with malware that can detect when you plug in the USB drive and then download malicious code.

Social Engineering

A file on the USB drive will take you to a phishing site and trick you into entering your login credentials. Hackers could also inject keystrokes into your computer through a BadUSB attack, which lets the malware auto-register as a keyboard. It will then send a series of preconfigured automated keystrokes.

HID (Human Interface Device) Spoofing

After the targets plug the USB drive into their PCs, it will automatically register as a Human Interface Device (HID) keyboard, which allows it to operate even with removable storage devices toggled off. From there, it can use keystrokes to place malware on your computer and potentially deposit and fire up additional rogue files. Bleeping Computer notes that the end goal is to deploy ransomware on the compromised network.

How to Protect Your Data from Malicious USB Drives

Never use unknown USB sticks.

Cyber threat actors are abusing USB drives’ capability of storing and sharing files, but it’s not realistic to suggest disabling all USB uses, considering how many USB devices we use on a daily basis. However, you should avoid plugging an unknown USB drive into your computer. If you receive an unexpected USB drive, please report this to the NYU IT Service Desk.

Install anti-malware software and keep it updated.

See this knowledge article for more information on antivirus and malware protection software eligible for NYU community members. Please note that anti-malware software does not provide foolproof protection against malware.

Disable Autorun for Windows.

The Autorun feature enables removable media devices such as USB drives and CDs to open automatically when they are inserted. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically.
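
One way to audit and apply this setting on Windows, shown as an added example that is not part of the original article. It uses the standard Autorun policy registry values `NoDriveTypeAutoRun` and `NoAutorun`. The function names `Get-AutorunPolicy` and `Set-AutorunPolicy` are hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# Function names are hypothetical; the registry values are the standard Autorun policy settings.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Desired state: 0xFF turns Autorun off for every drive type;
# NoAutorun = 1 tells Windows not to execute any autorun commands.
$Desired = [ordered]@{
    NoDriveTypeAutoRun = 0xFF
    NoAutorun          = 1
}

function Get-AutorunPolicy {
    # Report each setting's current value and whether it matches the desired state.
    foreach ($name in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name      = $name
            Current   = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
            Desired   = '0x{0:X}' -f $Desired[$name]
            Compliant = ($current -eq $Desired[$name])
        }
    }
}

function Set-AutorunPolicy {
    # Write the desired values; supports -WhatIf so changes can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("${PolicyKey}\${name}", "Set to $($Desired[$name])")) {
            New-ItemProperty -Path $PolicyKey -Name $name -Value $Desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-AutorunPolicy | Format-Table -AutoSize   # audit the current state first
# Set-AutorunPolicy -WhatIf                  # preview the registry changes
# Set-AutorunPolicy                          # apply, then re-run Get-AutorunPolicy
```

This setting only affects removable media; a device that registers as a keyboard, as described under HID spoofing above, is not affected by it, so the advice to never plug in unknown USB sticks still applies.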

USB attacks might sound like they would be limited to personal devices, but in fact the implications can be much greater. When it comes to defending your data and the data stored in the NYU network from a wide range of attacks and attackers, active prevention is the best strategy. 

If you have more questions about ransomware-infected USB drives, please contact the NYU IT Service Desk for assistance.