Victoria Police have issued a warning about USB flash drives reportedly being left in letterboxes in the Melbourne suburb of Pakenham.
Police said that the unmarked USB drives are “believed to be extremely harmful” and should not be plugged into computers or other devices.
“Upon inserting the USB drives into their computers victims have experienced fraudulent media streaming service offers, as well as other serious issues,” a statement issued by police said ("virus-type issues" a police spokesperson said).
USB drives have been used as a means of distributing malicious software, perhaps most famously the Stuxnet worm. More recently, MacAfee Labs registered a Q1 surge in submissions of W32/Pinkslipbot malware, which can be delivered through removable drives, as well as via drive-by downloads and shared network drives.
Earlier this year a group of researchers from the University of Illinois, the University of Michigan and Google published a study confirming that many people would pick up and plug a USB drive of unknown provenance.
“In a controlled experiment at the University of Illinois, we find that the attack both effective with an estimated 45%–98% of dropped drives connected and expeditious with the first drive connected in under six minutes,” the paper concluded.
“This evidence is a reminder to the security community that less technical attacks remain a real-world threat and that we have yet to understand how to successfully defend against them,” the researchers wrote.
“We need to better understand the dynamics of social engineering attacks, develop better technical defenses against them, and learn how to effectively teach end users about these risks.”