When Information Security and Marketing initiatives collide

USB keys are a convenient and common way for people to store, share and transport digital files. While we have seen a dramatic rise in their use, we’re also aware of the potential dangers of using them and of how they can be used to spread computer viruses. The 2015 movie ‘Blackhat’ seemed to be partially inspired by the Stuxnet incident of 2010. Stuxnet was a computer virus that supposedly infected the Iranian nuclear program through the use of an infected USB key and reportedly damaged 1/5 of Iran’s nuclear centrifuges.

Although Stuxnet was an extreme example of how an infected USB key can damage computer systems, infected USB keys have also been known to allow hackers to infiltrate and take full control of systems. These risks are well known, and many solutions have been suggested to safeguard potential victims of crime: employee and individual education, the use of anti-malware programs, locking down USB use at an enterprise level, and changes to operating systems so that they no longer auto-load programs or files contained on USB keys.

In 2011 Microsoft disabled the AutoRun feature (which would allow programs on USB keys to load automatically) within XP and Vista in order to limit the spread of viruses by USB usage. This solution was short-lived, as new attack methods were quickly developed. In 2014, two researchers gave a presentation at the Black Hat conference about a technique used to modify a USB chip in order to take full control of a computer and to exfiltrate data. Since this new type of threat does not employ a traditional virus model, it is immune to virus scans and invisible to the end user (as it does not reside in the storage area of the USB key).

You may be wondering how all of this is relevant to marketing, your customers and your company’s brand name. I’ve been at two business events recently where I have been given business cards and brochures that have “paper” USB drives built into them. This is a fairly new marketing strategy that allows a business to customize a marketing message to its potential customers. By inserting the paper USB key into their computer, these potential customers are taken to the company’s webpage or are shown customized content (such as a video).

While this new trend seems on the surface to be a great vehicle for marketing and spreading corporate messages, it can also be a great vehicle for the spread of malware and other malicious programs, thereby putting potential customers in danger. Malware contained on USB keys can often bypass network-intrusion and other enterprise-level detection systems, as it has direct access to the end user’s system. Depending on the maturity of a company’s endpoint security, it may not be able to identify and contain malicious payloads before damage is done.

Recently the American Dental Association mailed out thousands of USB keys that were manufactured in China and embedded with malicious code which redirected users to a website containing malware. The payload of this malware allowed someone to take full control of any infected computer. The USB keys also contained a PDF file that contained malware.

A company which distributes these types of brochures or business cards should be aware that its brand, reputation, customer loyalty and compliance status are just some of the areas that could be significantly impacted if it is found to have put a recipient’s information at risk. Here are just a few questions you should consider before handing out a marketing USB at your next event:

· Do you know who manufactures your USB cards and USB brochures?

· Does that manufacturer have strict compliance regulations in order to ensure the devices were built to certain standards?

· Have you tested any marketing USB devices to ensure you are protecting your customer data and your company brand name?

Sharing your company’s message is vital to being successful and growing your company, and marketing with these types of USB materials is a unique and progressive method of doing so. While giving out USB keys allows customization of a marketing message and more content to be shared, it also puts your customers’ information and your company brand in jeopardy if not done properly.