Malware authors may have found a new way to skirt firewalls - send some pre-infected laptops in the post.
That's the fear of the FBI which is investigating the despatch of laptops to US state governors. Five HP laptops were sent to West Virginia Governor Joe Mahchin a few weeks ago. According to sources familiar with the investigation, other states have been targeted too, with HP laptops mysteriously ordered for officials in 10 states. Four of the orders were delivered, while the remaining six were intercepted.
The West Virginia laptops were delivered to the governor's office several weeks ago, prompting state officials to contact police, according to Kyle Schafer, the state's chief technology officer. "We were notified by the governor's office that they had received the laptops and they had not ordered them," he said. "We checked our records and we had not ordered them."
State officials in Vermont and Wyoming told him they've received similar unsolicited orders, Schafer said.
Schafer doesn't know what's on the laptops, but he handed them over to the authorities. "Our expectation is that this is not a gesture of good will," he said. "People don't just send you five laptops for no good reason."
The computers are now being held as evidence by state police, who are working with the FBI to figure out how the machines were sent to the governor's office, said Michael Baylous, a sergeant with the West Virginia State Police.
Although there is no evidence that the computers contain malicious code, HP confirmed that there had been several such orders and that they have been linked to fraud. "HP is aware that fraudulent state government orders recently have been placed for small amounts of HP equipment," spokeswoman Pamela Bonney said. "HP took prompt corrective action to address the fraudulent orders and is working with law enforcement personnel on a criminal investigation."
With users now more reluctant to install suspicious software or open attachments on their networks, scammers appear to be looking for new ways to get inside the firewall. On Tuesday, the National Credit Union Administration warned that an unnamed credit union had received two fake CDs designed to look like training materials. Installing the CDs "could result in a possible security breach to your computer system," the administration warned.
Scammers have also tried to put malware on USB devices and then left them outside company offices, hoping someone will plug them into a computer and inadvertently install malicious software on the network. Many Windows systems are configured to automatically run software included on CDs and USB devices using a Windows feature called AutoRun.
Many organised criminals would be happy to spend the cost of five PCs in order to access government computers, said Steve Santorelli, director of investigations with security consultancy Team Cymru. "What is a netbook? $700? You send five of them; you're dropping three grand, and say you get into the Congressional email system. How valuable would that be?"