What Is a Road Apple Social Engineering Attack?

Usb flash drive being inserted into usb port

Jeffrey Hamilton / Getty Images

Social engineering is defined as “a non-technical method of intrusion that hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.”

When most of us think of social engineering attacks, we likely picture people posing as inspectors, trying to gain access to restricted areas. We might also imagine a hacker calling someone and pretending to be from tech support and trying to trick some gullible user into providing their password or other personal information that might be useful to a hacker.

These classic attacks have been seen on TV and in movies for decades. Social engineers, however, are constantly evolving their methods and attack vectors and developing new ones. Typically, they rely on a very powerful motivator: human curiosity.

How the Road Apple Attack Works

One such attack, in particular, goes by several names but is mostly referred to as the ‘Road Apple’ attack. The origin of the name is unclear but the attack is a fairly simple one. It’s basically a classic Trojan horse type attack with a twist.

In a Road Apple attack, a hacker typically takes multiple USB flash drives, writable CDs DVDs, etc, and infects them with malware, typically Trojan-horse type rootkits. They then scatter the infected drives/disks throughout the parking lot of the location that they are targeting.

Their hope is that some curious employee of the company being targeted will happen upon the drive or disk (or Road Apple) and that their curiosity to find out what is on the drive will override their security sense and they will bring the drive into the facility, insert it into their computer, and execute the malware either by clicking on it or having it auto execute via the operating system’s ‘autoplay’ functionality.

Since the employee is likely logged into their computer when they open the malware infected disk or drive, the malware is able to circumvent the authentication process and will likely have the same permissions as the logged in user. The user is unlikely to report the incident for fear that they will get into trouble and/or lose their job. 

Some hackers will make things more tantalizing by writing something on the disk with a marker, such as “Employee Salary and Raise Information 2015” or something else that an employee of the company might find irresistible enough to put into their computer without giving it a second thought. 

Once the malware is executed, it will likely 'phone home' to the hacker and allow them remote access to the victim’s computer (depending on the type of malware installed on the disk or drive).

How Can Road Apple Attacks Be Prevented?

Educate Users: The policy should be to never install media that has been found on the premises, Sometimes hackers will even leave disks inside in common areas. No one should ever trust any media or disks that they find lying around anywhere

They should be given instructions to always turn in any drives found to the security person for the organization.

Educate Administrators: The security administrator should also never install or load these disks on a networked computer. Any inspection of unknown disks or media should only occur on a computer that is isolated, is not networked, and has the latest antimalware definition files loaded on it. Autoplay should be turned off and the media should be given a full malware scan prior to opening any files on the drive. Ideally, It would also be a good idea to have a second opinion malware scanner scan the disk/drive as well. 

If an incident occurs the affected computer should be immediately isolated, backed up (if possible), disinfected, and wiped and reloaded from trusted media if at all possible.