Malware embedded on a USB drive was delivered to members of the American Dental Association (ADA).
The mailing contained a PDF file of dental procedure codes, but some of the drives also held code capable of redirecting recipients to a website known to host malicious code. If a user opened the file, that site served code that could allow attackers to take control of the user's Windows computer.
Journalist Brian Krebs reported that the drives were sourced from China and that 37,000 had been distributed to the nonprofit group's base of 159,000 members, although it has also been reported that only a small percentage of those drives were infected. Most ADA members received instructions for a downloadable version of the PDF instead.
The ADA has informed its members of the situation, advising them to toss the flash drive.
One member questioned sending USB sticks: "Why distribute physically when they can do so from a secure portal."
"Mailing physical media – no matter how official-looking it may appear – is no substitute for offering a secure download of any material," Tod Beardsley, security research manager at Rapid7, told SCMagazine.com in an email. "If you get a USB drive in the mail, it should not be trusted at all."
Other experts agree. In a statement emailed to SCMagazine.com, Bob Ertl, senior director of product management at Accellion, said, "Malware-riddled USB drives are nothing new, which is why the ADA's decision to use them is so disconcerting. Like sharing passwords, connecting untested thumb drives to information systems containing sensitive data like personal health information (PHI) violates the most fundamental rules of InfoSec."
The healthcare industry is fraught with data breaches and the reason why is crystal clear: stolen PHI is worth as much as 50 times the value of a stolen credit card on the black market, Ertl added. "As such, there is very little excuse for using USB drives as a means of storing and sharing information. With industry compliant cloud technologies readily available and affordable, organizations should abandon the USB drive once and for all."
Updated April 29 to include comments from Bob Ertl and Tod Beardsley.