The Psychology of a Cyber Attack: USB Drop Simulation

What is a USB Drop Simulation?

A simulated USB drop attack is where you place a USB stick with tracking software installed in a commonly travelled area in the workplace, and see if employees follow company policy by handing it in, or if they plug it into their computer.

Plugging an unknown USB into your computer is dangerous for both the company and the individual – and here’s why: attacks against organisations occur regularly where the attacker installs malicious software onto a USB stick, then leaves it where someone is likely to pick it up. This may lead to a data breach, loss of data, and malware infection. It’s critical that employees are trained to spot these kinds of attacks and do the right thing by handing it in.

This is one of the many cyber-services we provide. In this post, we will discuss the kind of person likely to forego company policy and plug a USB in.

Why might someone take a USB?

Because they are curious what’s on it. Humans are naturally curious creatures, so it’s only natural that one might wonder what a USB stick contains. But what would be the drive behind this curiosity? They might be interested to see what personal stuff the owner has on there – such as photos. They also might be curious to see if any sensitive data is on there – humans have a natural drive to discover the unknown.

Because they have a personal interest in who it belongs to. Someone might be interested to find information they can use against the person – if it is someone they dislike, or to see if they have anything to hide. Perhaps, they might believe it contains information about another company – a rival for example.

Because they feel like they could get use out of it. USB sticks are relatively inexpensive these days – however the prospect of getting something for free might motivate someone to take it for their-self.

Personality Traits

By knowing the traits of a person who is likely to pick up and plug in the USB – we can tailor the content on the USB more-so to their personality, and increase the likelihood of them opening what we want them to.

Unconcerned with consequences – this type of person is likely to be more of an extrovert.

Feeling of entitlement to take what they want – they might have a ‘finders keepers’ attitude – this type of person is also more of an extrovert.

The USB might have something they want on it – if this is the reason they picked it up, then this person is more likely to be introverted.

What might make a USB stick attractive for someone to pick up?

For someone who wants to use it – it should look new, clean, and unlabelled.

For someone curious about the person who owns it – we can label it ‘personal’ or ‘photos’ or something along those lines.

For someone who has a personal business interest – we could label it ‘finance’, ‘clients’, or ‘confidential’.

For someone generally curious – we can label it something ambiguous or simply leave it blank. Then, the individual might project their own idea of what could be on there, and be driven by curiosity to find out.

By knowing these things, we can effectively pick a type of person to appeal to, and place content on the USB stick to reflect this. Someone is more likely to click on things which appeal to their desires and personality type.

What types of files are people likely to open?

Photographs.
A journal, diary or log.
Financial information.
Client information.
Passwords.
Personal data.

Theory of Curiosity

Curiosity is a form of cognitively induced deprivation that arises from the perception of a gap in knowledge or understanding.

2 forms of curiosity exist:

CDT – Curiosity Reduction: A drive state that motivates information seeking related to reducing uncertainty.
OAT – Boredom Relief: An optimal arousal state that seeks to satisfy need for knowledge.

Both could motivate behaviour to find out information. Interest (T Type) suggests information is not missing, but there is an opportunity to find something out.

Ignorance (D type) suggests something is missing, and the motivation is to find out something.

By knowing if a person is curious to satisfy boredom, to curious to satisfy a purpose, we can further tailor the appearance and content on the USB to a certain personality type

Conclusion

To sum it all up, there is a wide variety of factors which come in to deciding on a personality type for a targeted attack, and by picking one of these personality types to appeal to – we can increase the likelihood of someone being tempted to pick up and plug in the USB.

Sources

Psychology of Curiosity – Loewenstein

Curiosity as a feeling of interest and feeling of deprivation – Litman

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.