People Are Still Falling For This Oldschool Malware Trick


It’s a beautiful day as you walk into work. The sky is blue, the birds are chirping, and you’ve got your favorite coffee blend in tow. As you walk through the parking lot of your building, you see something glimmering out of the corner of your eye. Sitting there in the parking lot, you see a USB flash drive. You look up to see if there’s anyone around who may have dropped this USB thumb drive recently. Picking it up, one side says it’s a 512GB flash drive — fairly impressive. On the other side, written in sharpie, it says “2018 Taxes.” You drop it into your pocket and head inside. As you walk to your desk, you ask people in the office if anyone misplaced a USB thumb drive in the parking lot. Everyone just shrugs and says that they haven’t. Feeling the need to be a good Samaritan, you pop the USB flash drive into your computer to search for any information that may identify the drive’s owner.

If your palms weren’t somewhat sweating upon hearing about someone finding a USB flash drive in a parking lot, I’m sorry to say that you are the problem.

The USB Flash Drive Malware Trick

If you didn’t see a problem with simply popping a mysterious USB thumb drive into your work computer (or any computer, really), you may be putting your own cybersecurity and that of any organizations with which you are affiliated at risk. This is a classic trick in which hackers load USB drives with malicious software (AKA: malware) and strategically leave them where they may be found and plugged into lucrative systems. When these thumb drives are plugged into unsuspecting computers, they will attempt to install malware much like a parasite latching onto its host. The possible damage the malware can inflict may vary, though many malware programs are spyware that is meant to collect information found within a computer or its associated systems. That can mean the malware could be sharing information from your computer, your company’s intranet, or anything else your computer has access to.

You’re Not Alone — Many Fall For This Scheme

If you’re feeling stupid right about now because you didn’t know any better, don’t feel too bad — you’re definitely not alone. Though most of the studies about this are three or so years old, the results are startling. Google conducted a study on the campuses of the University of Illinois Urbana-Champaign as well as the University of Michigan in 2016. The researchers left hundreds of USB thumb drives in different parts of the campuses. None of the drives contained malware but did contain software that was capable of notifying the researchers when they had been connected to a computer. The results? A jaw-dropping 48% of the drives were plugged into a computer. Some drives discovered were plugged in a mere 6 minutes from the time they were dropped. According to a similar study conducted by the U.S. Department of Homeland Security, 60% of their dropped drives were plugged into computers — some being official government computers. The rates increased to 90% if the thumb drives were stamped with government logos.

“What should I do if I discover a USB thumb drive?”

Some of you are probably still wondering what you should do if you find a USB thumb drive somewhere. While there are a few tech-savvy suggestions if you absolutely cannot resist the urge to plug in this mystery flash drive, you’re best off treating the drive as though it weren’t an object that can be plugged into anything. Go about finding the owner in the same way you would return a found tube of lipstick. Ultimately, trying to identify the owner of a USB drive by searching the drive’s contents is the technical equivalent of trying to determine the owner of an abandoned half-eaten pizza by tasting a slice.


In order to spot infrastructure vulnerabilities before they can be exploited, consult the Managed Network Services professionals at JD Young.