In what amounts to one of the simplest but most baffling forms of social engineering, hackers from China have taken to sending CDs full of malware to state officials, leading the Multi-State Information Sharing and Analysis Center, a government security outfit, to release a warning detailing the scam.
The trick is simple: a package arrives with a Chinese postmark containing a rambling message and a small CD. The CD, in turn, contains a set of Word files that include script-based malware. These scripts run when the victims access them on their computers, presumably resulting in compromised systems.
“The MS-ISAC said preliminary analysis of the CDs indicate they contain Mandarin language Microsoft Word (.doc) files, some of which include malicious Visual Basic scripts,” wrote security researcher Brian Krebs who includes an image of the letter and disc on his site. “So far, State Archives, State Historical Societies, and a State Department of Cultural Affairs have all received letters addressed specifically to them, the MS-ISAC says. It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.”
While it should be obvious that you shouldn’t stick unrequested storage media into your computer, clearly this scam seemed feasible enough for someone to spend a little cash to make and ship these little CD-ROMs. Now they just have to target victims who still use CD readers.