Friday is here! And so is the last month of 2022. This holiday season, I’m wishing for a full HR tech stack. That, and a CO2 injection system and shrimp hatchery for my fish tank. (Now we’ll see if Santa really reads IT Brew.)
In today’s edition:
Unplug!
Still hiring
The telephone was phishing…
—Billy Hurley, Eoin Higgins
This holiday season: Don’t be fooled by a decorative gift box, especially if it contains an Amazon voucher, a thank-you note, and a USB drive.
In early 2022, the FBI warned that a basket from “FIN7” cybercriminals containing “BadUSB” ransomware hidden in the storage key was being delivered to US businesses. And that terrible present—as the name suggests, a bad USB—seems to be on the rise.
While threat actors still send malicious storage drives, hoping that curious employees can’t resist seeing what’s on there, hybrid work has led to infected devices moving from home to office.
“Maybe they share USB keys between their personal laptop, their family PC, their work machine, and printer…So, the infection is actually happening outside of the organization, but directly affecting the organization’s endpoint when they use that USB again. In pretty much all the cases that we found, that was the initial infection vector,” said George Glass, head of threat intelligence at the global risk advisory Kroll.
In one example, according to Glass, an end-user downloaded a cracked, illegitimate version of Photoshop, which led to malicious files on the USB drive, and ultimately the corporate network, when the employee brought the device into the office.
Malware moves quickly on a USB port, bypassing email firewalls and filters. “As soon as it’s plugged in, there’s very little user interaction that has to happen…And in some cases, an autorun triggers,” Glass told IT Brew.
Kroll’s Q3 research, which had not tracked USB malware in previous quarters, found enough of an uptick in cases to warrant tracking, said Glass in a follow-up email.
Read more here.—BH
If you only look at the headlines, you’d think the tech job market is in crisis. Alphabet, Amazon, Meta, and other giants are cutting jobs and freezing hiring as they report lower earnings.
“There’s no question we’re operating in an uncertain environment,” Philipp Schindler, Google SVP and chief business officer, told investors in October.
Indeed, earnings calls from the tech giants have been dire. Alphabet, Google’s parent company, reported a drop in growth from 41% last year to 6% this year. Meta saw share prices go into what looked briefly like a total free fall after audience numbers remained static and CEO Mark Zuckerberg reaffirmed his commitment to bug-infested VR platform Horizon Worlds. Amazon stocks fell 13% on weak earnings reports.
But the struggles of the tech behemoths belie the strength of the actual IT job market, ZipRecruiter chief economist Julia Pollak told IT Brew.
“In the headlines, we see tech companies saying that they’re instituting hiring freezes and pulling back,” Pollak said. “But it’s not showing up in the aggregate data on those industries at all.”
By the numbers. Put simply, even with the big-name companies floundering, there are still more positions than skilled workers, even if those positions aren’t necessarily in the prestigious tech companies where IT professionals might want to build their résumés.
According to ZipRecruiter data that Pollak shared with IT Brew, almost every IT position across the board is up since February 2020—the beginning of the pandemic and the sea change in how Americans work and live. The “digitization of everything,” as Pollak described the ongoing changes in day-to-day life, has led to a massive increase in tech jobs.
Read more here.—EH
Most IT pros know how to avoid phishy-looking emails. Even a text will likely raise suspicion, if it’s the CEO asking for a bunch of Amazon gift cards.
But would you fall for a phony voice message? Enter: the phoicemail.
During a fall where everyone from LeBron James to Nintendo’s Mario had fakes on Twitter and some might’ve even believed President Biden sang “Baby Shark” live, Tim Callan, chief experience officer at the cybersecurity provider Sectigo, sees audio as an emerging tool for scammers.
His example scenario is an audio message from your CFO:
Hi, this is Margaret, we’re in a bit of an emergency. I need you to do the following: Send this [top secret] information to this email address.
“Most people have not been educated yet to be suspicious of these things,” Callan told IT Brew.
And the deepfakes are real trouble. According to a report from VMware, more than one corporate security pro has fallen for the false audio trick.
Like with phishing of any variety, understanding context and being suspicious will be an important defense, said Callan. For example, asking yourself, “Why on Earth is the CFO calling me?”
Think you can spot a faker? Take this test from MIT—after responding to our quick snap poll:
Today’s top IT reads.
Stat: 87%. That’s the percentage of US defense contractors failing to hit the most basic level of cybersecurity compliance standards, according to CyberSheath. (Infosecurity Magazine)
Quote: “You can very quickly see that it’s impossible to review the 6 trillion data points as fast as we needed to if we were to do that manually…So, we have to use automation.”—Jason O’Dell, VP of security operations for Walmart Global Tech, on the company’s sprawling cybersecurity apparatus (Cybersecurity Dive)
Read: The seemingly unending flood of disturbing revelations about the collapse of FTX keeps on rising. (New York Magazine)
- Tech layoffs are good news for federal recruiters with open roles.
- NSO Group, the Israeli-based tech company that developed Pegasus spyware, faces its first lawsuit by a US citizen.
- Holy See it, now you don’t (because the Vatican’s website was taken down in a suspected hack).
- Cloudflare is jacking up its prices.