In July, thousands of Americans started to complain about unsolicited packages of seeds mailed from China. And despite not knowing exactly what the seeds were, and holding suspicions that something nefarious was afoot, many recipients planted them.
The parallels between the mystery seeds and phishing attacks are unmistakable and can serve as a cautionary tale for CISOs trying to train employees not to fall for hackers' ploys, at a particularly vulnerable time when most are working from home.
"Up until COVID sent everyone home, we were seeing almost the exact same thing with thumb drives," said Joseph Neumann, director of offensive security for Coalfire, who reported receiving his own mailer of seeds to the Texas Department of Agriculture. "People would mail thumb drives stuffed with malware to people at their work, and they would plug them in."
To be clear, the seeds were likely what is known as a "brushing" scam – a Chinese vendor on Amazon setting up fake orders to American addresses scraped from the internet to give a storefront fake five-star reviews. The scams send lightweight items, in this case, seeds, because they are cheap to mail.
But people opted to plant them.
If that sounds familiar it's a take on the classic USB drop trick, where a hacker deposits USB drives in a parking lot, hoping they'll get picked up and used, then infect unwitting victims' computers. Roger Grimes of the training company KnowBe4 says, to this day, that trick still yields "healthy" results.
"When we talk about defenses, it's policies, technical controls and education," said Grimes. "If something physical gets in the hands of an end user, you bypass the policies and the technical controls."
Just as it may seem obvious not to plant the seeds, workers can get caught off guard by threats in contexts they aren't prepared for, said Grimes, who noted a person ready to shield themselves from a sketchy email might not be as ready for the same threat sent over a dating app or LinkedIn.
That problem is amplified by threats using the confluence of new devices users access regularly. People at a heightened state of alert in their office often do not show the same state of alert on their phone or home devices, said Hank Schless, senior manager for security solutions at mobile defender Lookout.
Security teams need to expand the scope of training beyond the devices and applications directly associate with corporate systems, which is typically not within their purview.
As Neuman puts it: "We train people to watch for phishing at work. No one trains you to watch for seeds."