A threat group is using gift cards, sweet-faced teddy bears, and the United States Postal Service to carry out a new physical phishing campaign.
The deceptive ruse has been identified as the work of FIN7, otherwise known as the Navigator Group and the Carbanak Group.
Victims receive a new furry friend in their mailbox together with a gift card, a malicious USB drive, and a fake letter purporting to be from the customer relations department of Best Buy. The scam lures victims into plugging the bad drive into their computer with the promise of a freebie.
The letter states: "Best Buy company thanks you for being our regular customer for a long period of time, so we would like to send you a gift card in the amount of $50. You can spend it on any product from the list of items presented on a USB stick."
If the recipient inserts the flash drive into their computer, it infects their device with a JavaScript backdoor called GRIFFON.
After discovering the scam, the Federal Bureau of Investigation issued a flash alert to warn businesses.
“Recently, the cybercriminal group FIN7, known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS). The mailed packages sometimes include items like teddy bears or gift cards to employees of target companies working in the Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles,” warned the FBI.
The USB device used by FIN7 is a commercially available tool known as a "BadUSB" or "Bad Beetle USB" device. Schemes that make use of such malicious USBs are known as "Bash Bunny" attacks.
Sticking with the animal theme, similar attacks that rely on the victim plugging in what appears to be a USB stick, but is in reality a malicious USB keyboard preloaded with keystrokes, are called "Rubber Ducky" attacks.
According to MITRE, FIN7 is a financially motivated threat group that has primarily targeted the US retail, restaurant, and hospitality sectors since mid-2015, often using point-of-sale malware. In 2017, the group became known for sending stores and corporate offices a string of food poisoning complaints with malicious attachments in a threat campaign dubbed FINdigestion.