The cybercriminal group “FIN7” recently distributed malware via USB flash drives mailed to United States-based targets. Also included in the packages were fake letters, gift cards, and gifts to entice targets to plug
the USB drives into their devices. This probably represents a highly effective attempt at social engineering, given the packages’ “personal” touch to increased perceived legitimacy, as well as the general user ignorance when it comes to cyber threats delivered by physical means. Malware distribution via physical devices is rare, because it requires additional operational and logistical resources. For this reason the attack vector will likely only be used rarely, and typically only by highly sophisticated threat actors.