FIN7 BadUSB Mail Drop: Ransomware Delivered via Fake Amazon Gift Cards to Hotels
FIN7 mailed USB drives to hotels, restaurants, and transportation companies via USPS, disguised as Best Buy gift cards, COVID-19 guidelines from the US Department of Health, and Amazon packages. The drives installed GRIFFON malware.
Background
FIN7 (the same group behind the Carbanak banking malware) evolved its delivery techniques to evade email filtering. The postal system provided an entirely different delivery channel — physical mail that bypasses all email security gateways and arrives with the implicit trust of a physical package.
The Attack
FIN7 sent physical packages containing USB drives via USPS. The packages were disguised as Best Buy gift card envelopes (with a fake Best Buy gift card and instructions to plug in the USB for the gift), official-looking US Department of Health letters containing "COVID guidelines" USB drives, and Amazon packaging containing the USB. The drives were BadUSB devices: when plugged in, they emulated a keyboard and automatically typed commands to download and execute the GRIFFON backdoor. Victims received the packages at office addresses harvested from business registrations and company websites.
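Because the drive enumerates as a keyboard and then types a command, one detection angle is to correlate a new keyboard attaching with a command interpreter starting on the same host moments later. The sketch below is an added example, not part of the original write-up or any FBI advisory; the event schema, host names, device IDs, inventory set, interpreter list and 30-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry, already normalized; all field names are assumptions.
EVENTS = [
    {"ts": "2020-01-01T09:14:05", "host": "frontdesk-01", "type": "usb_attach",
     "dev_class": "hid_keyboard", "dev": "kbd-unknown-1"},
    {"ts": "2020-01-01T09:14:09", "host": "frontdesk-01", "type": "process_start",
     "image": "powershell.exe"},
    {"ts": "2020-01-01T10:00:00", "host": "backoffice-02", "type": "usb_attach",
     "dev_class": "hid_keyboard", "dev": "kbd-inventory-7"},
    {"ts": "2020-01-01T10:00:10", "host": "backoffice-02", "type": "process_start",
     "image": "cmd.exe"},
    {"ts": "2020-01-01T11:00:00", "host": "kitchen-03", "type": "usb_attach",
     "dev_class": "hid_keyboard", "dev": "kbd-unknown-2"},
    {"ts": "2020-01-01T11:20:00", "host": "kitchen-03", "type": "process_start",
     "image": "PowerShell.exe"},
]
KNOWN_KEYBOARDS = {"kbd-inventory-7"}   # hypothetical asset inventory of issued keyboards
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

def find_suspect_keyboards(events, known=KNOWN_KEYBOARDS, window=timedelta(seconds=30)):
    """Flag a command interpreter started within `window` of an uninventoried
    keyboard attaching to the same host. Returns (host, dev, image, delay_s)."""
    last_attach = {}   # host -> (attach time, device id)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "usb_attach":
            # Only keyboards that are not in the inventory arm the correlation.
            if ev.get("dev_class") == "hid_keyboard" and ev["dev"] not in known:
                last_attach[ev["host"]] = (ts, ev["dev"])
        elif ev["type"] == "process_start":
            image = ev["image"].lower()
            attach = last_attach.get(ev["host"])
            if image in SCRIPT_HOSTS and attach and ts - attach[0] <= window:
                delay = (ts - attach[0]).total_seconds()
                hits.append((ev["host"], attach[1], image, delay))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_keyboards(EVENTS):
        print("ALERT", hit)
```

The inventoried keyboard on backoffice-02 and the 20-minute gap on kitchen-03 are included to show the two cases the rule deliberately ignores.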
Response
The FBI issued warnings about the physical USB mail campaign in 2020 and again in 2022. Multiple hotel, restaurant, and transportation companies reported receiving the packages. Several organisations reported successful infections before awareness was raised. FIN7 members were indicted in the US.
Outcome
The combination of physical mail (trusted delivery channel), official-looking packaging (government and Amazon), and BadUSB (no malicious files to detect) was highly effective. The campaign demonstrated that attackers diversify delivery channels as email filtering improves.
Key Takeaways
- Never plug USB drives received by mail into company computers — no legitimate gift requires a USB connection
- BadUSB attacks bypass all file-based antivirus scanning — USB port blocking is the only reliable mitigation
- The postal channel bypasses all email security gateways — physical mail policies must address unexpected USB deliveries
- Train mail room staff to flag unexpected packages containing USB drives or electronic media for security review