Of 200 USB sticks distributed at public places in Chicago, Cleveland, San Francisco and Washington, D.C., earlier this year, 17 percent wound up plugged into computers – some of them by IT pros – where they could have done all sorts of damage had they been loaded with malware.
Not only were they plugged in, the finders followed instructions on them to email a specified address and include what they did for a living, according to a study by the IT industry association CompTIA.
Among those who obeyed this dangerous command were IT workers and a security worker for a multinational firm, the study says. Some of those who emailed asked – when it would have been too late – whether the memory stick contained a virus.
Memory sticks can deliver a world of attacks, take over the devices they’re connected to, corrupt them, steal data and more. They were the tool of choice to infect Iranian machines with the Stuxnet worm that sabotaged that country’s nuclear production plants.
CompTIA had the devices spread around airports, coffee shops and public squares to determine whether people would violate good computer hygiene by plugging them in. The 17 percent not only plugged them in but opened a file on the devices – another opportunity for infection – then clicked on a link in the file – yet another opportunity.
This type of test has been going on for years. The Department of Homeland Security ran one in 2011 and found that 60 percent of those who picked up the devices outside government facilities or government contractors’ facilities plugged them in. If the devices had official-looking logos, the percentage jumped to 90 percent.