As facility and network security continue to harden, it seems that some cybercriminals are looking for low-tech ways to gain access to a company’s sensitive information. And while cyberattacks typically don’t involve facility managers, this head-scratcher reported by Brian Krebs might be one to keep on your radar.
Krebs reported that several state and local government agencies across the U.S. have started getting snail mail containing poorly-written letters and compact discs (CDs) that are loaded with malware. He notes that this old school tactic “preys on the curiosity of recipients who may be enticed into popping the CD into a computer.”
According to a non-public report by the Multi-State Information Sharing and Analysis Center (MS-ISAC) cited by Krebs, the confusing letter (which is written in English, but punctuated with Chinese characters) arrived in an envelope post-marked in China. The CD is filled with Mandarin language Microsoft Word (.doc) files containing visual basic scripts. Though not all the files appeared harmful, some percentage of the scripts were malicious.
The MS-ISAC notification states that so far, “State Archives, State Historical Societies, and a State Department of Cultural Affairs have all received letters specifically addressed to them.” What’s not clear is if anyone actually fell victim to their curiosity and inserted the CD into their government-owned computer.
This kind of attack is not likely to be very effective in the end, as nothing about it looks legitimate. Krebs notes that a number of steps could’ve been taken to make the attack more credible, such as using a small USB drive or having someone with a mastery of English write the letter. At the end of the day though, it is a good reminder to remain vigilant, as cyberthreats can and do come in all forms.
Krebs also provides some good online safety advice that is applicable here: “if you didn’t’ go looking for it, don’t install (or insert) it.”