Beware of Lost and Found USB Flash Drives, They're Brimming with Malware, Sophos Says

If you should happen to run across a USB flash drive on the subway, you may want to leave it there, assuming you weren't planning to take it to lost and found to begin with. There's a good chance it's infected with malware, and that doesn't just apply to USB keys you find on the ground, but ones you buy at auction, too.

Security firm Sophos said it studied 50 USB keys bought at a major transit authority's Lost Property auction, and of those 50, two-thirds were infected with malware. That's bad news for the buyer, and the previous owner doesn't get off scot-free either. The study also revealed that drives were filled with information about many of the former owners, including their family, friends, and colleagues.

"We found 62 infected files in total. The worst key contained six infected files, representing four separate items of malware," Sophos said in a blog post. "We didn't find any OS X malware. But nine of the keys appeared to belong to Macintosh owners (or at least had been used extensively on Macs); seven of these were infected.

"In other words, if you're a Windows user, don't assume that you can automatically trust everything that comes from your Apple-loving friends. And even if you're one of those Mac users who is opposed to the concept of anti-virus software, consider softening your stance as a service to the community as a whole."

Another fun tidbit: none of the 50 USB keys were encrypted, though none contained any "smoking guns," like insider trading tips, credit card dumps, criminal plots, etc. There were, however, files containing tax deductions, minutes of an activists' meeting, photo albums of family and friends, software and web source code, and other information you typically wouldn't want to go around sharing willy-nilly.