Dutch newspaper The Limburger reports that an attempt to steal data from Dutch chemical company DSM by leaving infected USB sticks in the company's parking lots has been thwarted. Instead of plugging the USB stick into a company computer, an employee who found the drive took it to the IT department, where it was identified as a keylogger designed to send usernames and passwords to an external site. DSM did not report the attempt to the police, but handled the situation internally by blocking the IP addresses of the identified sites and removing other infected USB sticks from the parking lots.
Using USB sticks to steal data or plant viruses is far from a new tactic, and some of the most notorious malware (like Stuxnet) were initially planted via USB. Dutch security firm Com-Connect works with DSM and other companies to prevent such attacks by warning employees of the dangers of unverified USB drives, and leaving USB drives in various locations as a test. Com-Connect's Sevenum director Paul Kite said that origins of the attack are "difficult to trace," so the company may not know whether the attempt was corporate espionage or something more sinister. The lesson here is fairly common sense: don't connect suspicious devices or download suspicious files to your personal or work devices.