When you get a free gift in the mail from Best Buy, you may be forgiven for being suspicious. Sure, maybe you shopped there before, and maybe you even bought a laptop there a few years back, but did this really qualify you for a free $50 gift card? Soon, however, rationalization sets in because you really want that gift card. “Maybe it’s just a promotion. Maybe the company just wants you to visit their website or a store because, then, they can sell you more stuff. Sure, it’s just a marketing ploy.” According to the cybersecurity firm that came across this scam, Trustwave, here is the package the lucky victim will receive.
Here is a closer look at the message.
A linguistic analysis of the message would indicate that it was written by a nonnative English speaker. The phrase, “being our regular customer for a long period of time” seems odd. The same can be said about the phrase, “the list of items presented on a USB stick.” Isn’t it the USB stick?
The Best Buy letterhead looks real on the surface,
but here is the actual company letterhead.
The image at the top of the fake letter is the company logo but not the letterhead it uses on official correspondences.
I would also like to see the envelope this came in. Did it have a return address and a logo?
Trustwave was not really interested in the social engineering aspects of this attack. They wanted to point out how them malware behind the attack operated when the USB was plugged into a computer. The victim was told to plug it in to see what sort of items they could purchase with their free gift card.
But I also have questions about this enclosed gift card. I could not find this particular packaging on the Best Buy website. It may be out of date, but maybe not. And did someone check the card’s balance?
Trustwave does a good job of showing how the USB, which emulated a keyboard, automatically typed in a command as soon as it was plugged into a computer. The computer simply ‘thought’ an actual keyboard had been connected and that a command had been typed in.
The victim knows nothing about this and will get a pre-programmed, fake warning on their screen.
So the victim thinks they cannot find out how to use the gift card which makes the card useless. All the while, however, the malware is setting itself up and the victim’s computer is being registered at the attackers C&C. Once communication is established, more malware is downloaded onto the victim’s computer. Just about any kind of malware can be downloaded depending on the system information that is initially sent to the C&C.
In an update, Trustwave attributed the attack to the loosely aggregated, financially motivated hacking group, FIN7. FIN7 is a sophisticated team which uses numerous hacking tools through which they successfully target the retail sector. They may have ties to Russia. According to Dmitry Chorine, CTO of Gemini Advisory, “they make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.”
This would go a long way towards explaining the use of a USB. Most hackers don’t like to spend money so purchasing USBs that may or may not succeed in a hack is not in their best interest. However, because this is such an unusual ploy, it may have a higher chance to succeed.
There is no evidence that FIN7 ever used this vector before. This may be a new campaign and it probably only targets individuals that have access to key networks. The hackers undoubtedly did their research. They knew who they wanted to target. But why the USB angle? This technique is often used by pentesters. As it turns out, FIN7 has been searching for pentesters and then trying to recruit them to join their team. No doubt the monetary rewards may have been attractive to some. The USB technique these pentesters were familiar with was likely transformed into this new attack vector.
Actually, the use of a USB to compromise a network is nothing new. There are even tutorials online that will teach you how to make a USB emulate a USB keyboard. It is, however, unusual for hacking teams to use this approach and include it with a gift card. So, if you get such a package, realize that you and, more importantly, your company are being specifically targeted. In other words, these criminals believe they can make a good profit from hacking it. They can do this by stealing personal information that can later be sold or used in even more sophisticated attacks. They could throw in a ransomware attack if all else fails.
Be suspicious of any unsolicited package, check, or gift. They can all serve as the starting point for a scam or hack. Never plug in any USB that you randomly find. It’s possible the USB was not as randomly placed as you think. Be suspicious of any USB given out at trade shows or conferences, they’ve also been know to carry malware. If you really think the gift package is legitimate, it doesn’t hurt to contact the sender. If the person who received the package shown in the image had tried to contact the person who signed the letter, they would find that no such person ever existed. That should signal that something might not be right. On the other hand, there will always be a few people who are willing to take the risk, and a few people is all the hackers really need.