Ever since we were kids, we were told not to accept candy from strangers, but so many people do just that every day of their lives and don’t realize it. Let me set the scene for you.
You park your car at work and start walking to your office building. You look down and see a shiny new 32GB thumb drive lying on the path. You think someone must have dropped it, so you pick it up, put it into your pocket, and go up to your office.
Since you’re a good human being, you want to return it to whoever lost it, in case there are important work documents or someone’s novel-in-progress on there. So, you do what most people would do and plug it into your computer in the hopes of finding something on the drive that identifies the owner.
This, my friend, is what’s known in the world of infosecurity as a ‘candy drop’ - an intentionally placed USB device dropped in plain sight, which tempts a target to pick it up and plug it in.
A thumb drive could contain all kinds of nasties. For instance, it could contain a malicious binary, a weaponized document, or an exploit set to run in your environment as soon as the USB drive is plugged in. This method circumvents most typical perimeter securities because the user is not introducing it through the network, where it could be potentially caught and screened by traditional endpoint security controls, but directly plugging it into the holy grail of devices…the endpoint.
Keep in mind that breaching the endpoint is the primary goal of most attackers. This is a sacred place where user credentials are stored, your corporate emails are accessible, and your critical documents are located, most likely in unencrypted form.
After stealing a user’s credentials from their endpoint, an attacker can freely traverse your company’s entire network, avoiding detection because they’re using legitimate usernames and passwords. Most companies have internal email directories containing a list of all employees along with their contact information, which may also include personal info such as their cell number, location, or alternate email address.
If the password has a unique structure (company name + number sequence, etc.) it could let the attacker potentially access every email account in the company. When it comes to critical documents, an attacker can encrypt them and hold them hostage in exchange for a payment, or sell them on the dark market to the highest bidder.
Obviously, selling your internal documents to your competitors would be the quickest and easiest way for attackers to make some fast cash. Let’s look at one specific scenario that played out recently.
In early 2016, the Wharton School did an interview with the CEO of a large marketing company (who shall remain nameless). The interview was filled with insights on how to build a company from the ground up and explored some of the issues that the company faced early on.
At one point in the interview, the CEO spoke about cost per customer (CPC – in other words, how much money it takes to earn one customer). He mentioned that in the beginning, they were paying $15 on average to earn one customer. The CEO was very proud that today his company got that cost down to 50¢ per customer. The interviewer then asked the question, “How many customers do you have now?” The CEO replied, “50 million.”
Starting to see the big picture now? The company’s customer list on the dark market would be worth around $25 million. An attacker probably wouldn’t get that amount, but they could certainly find a buyer who would be willing to pay a large sum in exchange for that data. If a competitor got their hands on a highly targeted list of potential customers they could poach for free in this scenario without having to pay 50¢ per customer, that’s a net win for them.
Another potential client would be other attackers. By having a detailed list of a company’s customers, they could easily target those customers via personal emails designed to look like they came from your company. From there, they could launch any type of attack they wished, from ransomware to data stealing campaigns.
Since these attacks would be extremely targeted, there is no telling how much money a cybercriminal could make from such a list. But let’s take a guess.
Assuming the ransom nets the crook the industry average of $640 an attack and they have a 10% success rate with a payout on 50 million targets, that would be a cool $3.2 billion. This is a very bullish estimate, so let’s go to a lower percentage payout on our hypothetical targeted attack. Still noting an average of $640, and this time a mere 1% success rate with a payout on 50 million targets, that would be $320 million.
Given the value of this data, attackers would certainly be willing to take any avenue necessary or available to them.
Port control is not impenetrable. Even with these services turned on, many thumb drives can be programmed to make the system think they are a USB keyboard or a mouse, to bypass this kind of block. Even if you do serial recognition for these sorts of devices, most manufacturers use generic serial numbers, so this can also be programmed into the device to bypass traditional security.
The first thing you should always do is work on a security training program to help your company’s employees understand the danger of these ‘candy drop’ attacks. Try dropping a few thumb drives around the parking lot and inside the building to see who is plugging them in. Put a Word doc on the thumb drive with an educational fact sheet on the dangers of plugging unknown devices into company endpoints to alert employees of the danger.
The next thing you should do is overhaul your endpoint protection software to ensure that if an employee still doesn’t understand or chooses to ignore these kinds of dangers, your security software will protect you.
If your current legacy endpoint protection product leaves something to be desired, we’d like to extend an invitation for you to come give Cylance a test drive. We can help you do a side-by-side comparison, so you can make the decision that is best for you and your company.