Sometimes when you’re working in a high-tech space, a low-tech solution might be just what you need to solve a problem. Apparently, the same goes for cybercriminals. For example, some of the most effective social engineering attacks start with a phone call. This one, reported by Brian Krebs, is a bit of a head-scratcher, though.
Krebs reported that several state and local government agencies across the U.S. have started getting snail mail containing poorly written letters and compact discs (CDs) that are loaded with malware. He notes that this old-school tactic “preys on the curiosity of recipients who may be enticed into popping the CD into a computer.”
According to a non-public report by the Multi-State Information Sharing and Analysis Center (MS-ISAC) cited by Krebs, the confusing letter (which is written in English, but punctuated with Chinese characters) arrived in an envelope postmarked in China. The CD is filled with Mandarin-language Microsoft Word (.doc) files containing Visual Basic scripts. Though not all the files appeared harmful, some percentage of the scripts were malicious.
The MS-ISAC notification states that so far, “State Archives, State Historical Societies, and a State Department of Cultural Affairs have all received letters specifically addressed to them.” What’s not clear is if anyone actually fell victim to their curiosity and inserted the CD into their government-owned computer.
This kind of attack is not likely to be very effective in the end, as nothing about it looks legitimate. Krebs notes that a number of steps could’ve been taken to make the attack more credible, such as using a small USB drive or having someone with a mastery of English write the letter. At the end of the day, though, it is a good reminder to remain vigilant, as cyberthreats can and do come in all forms.
Krebs also provides some good online safety advice that is applicable here: “if you didn’t go looking for it, don’t install (or insert) it.”