“Good News for hackers: People still plug found USB sticks into their Computers”, a great example of social engineering by CompTIA.
As it turns out, more than 1 in 6 people will pick up a “found” USB flash drive from a public place and plug it in to see what’s on it. This tactic has been popular for a long time, primarily because it continues to work. It’s not mentioned in the article, but some rigorous pen-testers will go so far as to trap a flash drive and carefully return it to its original retail packaging.
You might ask why this matters. What’s the worst that could happen? The unfortunate truth is that a trapped USB drive is all that’s needed for an outside attacker to compromise the machine it’s plugged into.
While many people are hoping to find “interesting” photos or perhaps altruistically wish to return the lost device to its rightful owner, plugging in that strange flash drive allows attackers the chance to exploit known vulnerabilities in the software on your PC.
Unless you’re diligent about patching your operating system and all add-on software, there’s a reasonably high probability that malicious code can install itself, phone home, and enable remote access by an outside party.
Do yourself a favor and turn those “found” devices in to the IT security team. They love putting them in an isolated, safe sandbox environment and hunting around for malicious code. If it checks out clean, you might get that “free” drive back. If it doesn’t, you might have saved your company or family a lot of trouble.
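What that sandbox step can look like in practice, as an added example and not anything from the CompTIA article: a small Python triage script that inventories a drive after it has already been mounted read-only (e.g. with `nodev,noexec,nosuid` on Linux) inside an isolated analysis VM. It hashes every file, never follows symlinks off the volume, and flags the things a drop attack relies on: an `autorun.inf`, executable or script file types, and decoy double extensions such as `vacation.jpg.exe`. The sample volume it builds is constructed for illustration (inert bytes, not real malware), and the extension lists and function names are this example's own assumptions.

```python
"""Triage inventory for a "found" USB drive mounted read-only in an isolated VM.
Added example for this post (not from the original article). The sample volume
below is constructed: a few files with suggestive names and inert contents."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

# File types that execute or script on a typical Windows desktop (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                    ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".dll",
                    ".msi", ".jar"}
# Document/image types commonly used as the decoy half of "photo.jpg.exe".
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


@dataclass
class Finding:
    path: str            # path relative to the mount point
    size: int
    sha256: str          # empty for symlinks, which are never followed
    flags: List[str] = field(default_factory=list)


def sha256_of(path, chunk=1 << 20):
    """Stream-hash a file; reading is the only operation performed on the volume."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(rel_path):
    """Return the list of reasons a file deserves a closer look (empty if none)."""
    name = os.path.basename(rel_path).lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    flags = []
    if name == "autorun.inf":
        flags.append("autorun.inf")
    if ext in RISKY_EXTENSIONS:
        flags.append("executable-type")
    # "vacation.jpg.exe": a decoy document extension in front of an executable one
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS and ext in RISKY_EXTENSIONS:
        flags.append("double-extension")
    return flags


def triage_volume(root):
    """Walk the mounted volume and produce one Finding per file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # A symlink could point outside the volume; record it, do not open it.
                findings.append(Finding(rel, 0, "", ["symlink"]))
                continue
            findings.append(Finding(rel, os.path.getsize(full), sha256_of(full), classify(rel)))
    return findings


def suspicious(findings):
    """Only the findings that carry at least one flag."""
    return [f for f in findings if f.flags]


def build_sample_volume():
    """Constructed stand-in for a mounted drive: names are suggestive, bytes are inert."""
    root = tempfile.mkdtemp(prefix="found_usb_")
    layout = {
        "autorun.inf": b"[autorun]\nopen=setup.exe\n",
        "setup.exe": b"MZ" + b"\x00" * 62,             # PE magic only, nothing runnable
        "photos/beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "photos/vacation.jpg.exe": b"MZ" + b"\x00" * 62,
        "resume.pdf": b"%PDF-1.4\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    volume = build_sample_volume()   # in real use: the read-only mount point
    for f in triage_volume(volume):
        print(f"{f.sha256[:16]:16} {f.size:6d} {','.join(f.flags) or '-':30} {f.path}")
```

The hashes are what you would hand to your threat-intel lookup or keep for the incident record; the flags only prioritise which files an analyst detonates first. Run it against the mount point instead of `build_sample_volume()` in real use, and keep the volume mounted with execution disabled so the triage itself cannot trigger anything.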