Baiting attacks exploit human curiosity and greed by offering something enticing to lure victims into compromising their security. The bait can be physical (USB drives, devices) or digital (free downloads, fake updates) and is designed to trigger an action that grants the attacker initial access to systems or networks.
Physical baiting typically involves dropping USB drives loaded with malware in parking lots, lobbies, or common areas of the target organization. The drives may be labeled with enticing text like "Confidential" or "Salary Data" to encourage insertion into corporate machines. Once connected, the payload runs in one of several ways. Classic autorun execution is largely historical: current Windows versions do not execute autorun.inf from removable media by default, so file-based drops usually rely on the victim opening a malicious document or shortcut stored on the drive. HID emulation devices (the "rubber ducky" class) sidestep that entirely by enumerating as a keyboard and typing a scripted command sequence at machine speed, which the host accepts because it trusts any keyboard plugged into it. BadUSB attacks reprogram the controller firmware of an ordinary-looking drive so that it presents a hidden keyboard or network interface alongside its storage.

Digital baiting uses fake software downloads, pirated content, or fraudulent updates that bundle malware with seemingly legitimate files. Watering hole attacks, in which attackers compromise websites the target organization's staff visit regularly, are often treated as their own category but work on the same principle: the victim is drawn to something they want and collects the payload themselves. Advanced baiting combines physical and digital elements, such as mailing branded USB drives that appear to come from a trusted vendor.
Baiting attacks succeed because they exploit human psychology rather than software vulnerabilities: curiosity and the appeal of something free override security training in many individuals. They bypass perimeter security entirely, because the victim carries the malicious element inside and connects it to a trusted machine, so no network defense ever sees the payload arrive. Organizations must therefore address baiting with both technical controls (USB device policies that permit only approved devices and alert when an unexpected device class appears, such as a new keyboard enumerating from what looks like a storage stick, together with endpoint protection) and a security culture in which handing an unknown device to the security team is the normal response.
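The allowlist and device-class checks described above can be prototyped against kernel enumeration logs. The following is an added example, not code from the original page or from CDA: it parses a constructed Linux kernel log excerpt (every vendor ID, product ID, serial, product string and allowlist entry is made up for the example) and flags devices that present an unapproved keyboard interface, unapproved removable storage, or both on one device, the combination that BadUSB firmware and HID-emulation drives produce.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed kernel log excerpt (dmesg / journalctl -k message text). All vendor
# IDs, product IDs, serials and product strings below are made up for this example.
SAMPLE_KERNEL_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=0bc2, idProduct=ab31, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Corporate Backup Drive
usb 1-1: SerialNumber: CORP000123
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new full-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
usb 1-2: Product: Keyboard
hid-generic 0003:1234:0001.0003: input,hidraw0: USB HID v1.11 Keyboard [Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: New USB device found, idVendor=abcd, idProduct=5678, bcdDevice= 2.00
usb 1-3: Product: Flash Disk
usb 1-3: SerialNumber: 0000000000000001
usb-storage 1-3:1.0: USB Mass Storage device detected
hid-generic 0003:ABCD:5678.0004: input,hidraw1: USB HID v1.10 Keyboard [Flash Disk] on usb-0000:00:14.0-3/input1
"""

# Hypothetical allowlists an organization would maintain: approved removable
# storage is keyed by (vid, pid, serial), approved keyboard models by (vid, pid).
APPROVED_STORAGE = {("0bc2", "ab31", "CORP000123")}
APPROVED_KEYBOARDS = {("046d", "c31c")}


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    serial: str = ""
    product: str = ""
    interfaces: set = field(default_factory=set)  # e.g. {"storage", "keyboard"}


# Patterns are searched rather than anchored so that timestamp prefixes from
# dmesg ("[ 12.3456] ") or journalctl are tolerated.
RE_FOUND = re.compile(r"usb ([0-9.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
RE_PRODUCT = re.compile(r"usb ([0-9.-]+): Product: (.+)$")
RE_SERIAL = re.compile(r"usb ([0-9.-]+): SerialNumber: (\S+)")
RE_STORAGE = re.compile(r"usb-storage ([0-9.-]+):\d+\.\d+: USB Mass Storage device detected")
RE_HID = re.compile(r"hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*USB HID v[\d.]+ (\w+) \[")


def parse_kernel_log(text: str) -> Dict[str, UsbDevice]:
    """Build one UsbDevice per USB port path (e.g. "1-3") from enumeration lines."""
    devices: Dict[str, UsbDevice] = {}
    for line in text.splitlines():
        if m := RE_FOUND.search(line):
            port, vid, pid = m.groups()
            devices[port] = UsbDevice(port=port, vid=vid, pid=pid)
        elif (m := RE_PRODUCT.search(line)) and m.group(1) in devices:
            devices[m.group(1)].product = m.group(2).strip()
        elif (m := RE_SERIAL.search(line)) and m.group(1) in devices:
            devices[m.group(1)].serial = m.group(2)
        elif (m := RE_STORAGE.search(line)) and m.group(1) in devices:
            devices[m.group(1)].interfaces.add("storage")
        elif m := RE_HID.search(line):
            vid, pid, kind = (g.lower() for g in m.groups())
            # hid-generic names the device by VID:PID rather than by port, so attach
            # the HID interface to the most recently enumerated device with that ID.
            for dev in reversed(list(devices.values())):
                if (dev.vid, dev.pid) == (vid, pid):
                    dev.interfaces.add(kind)
                    break
    return devices


def assess(dev: UsbDevice) -> List[str]:
    """Apply the allowlist policy; an empty list means the device is allowed."""
    findings: List[str] = []
    has_kbd = "keyboard" in dev.interfaces
    has_storage = "storage" in dev.interfaces
    if has_kbd and has_storage:
        findings.append("storage+keyboard composite (BadUSB pattern)")
    if has_kbd and (dev.vid, dev.pid) not in APPROVED_KEYBOARDS:
        findings.append("unapproved keyboard HID (possible keystroke injection)")
    if has_storage and (dev.vid, dev.pid, dev.serial) not in APPROVED_STORAGE:
        findings.append("unapproved removable storage")
    return findings


def assess_log(text: str) -> Dict[str, List[str]]:
    """Map each port path in the log to its policy findings."""
    return {port: assess(dev) for port, dev in parse_kernel_log(text).items()}


if __name__ == "__main__":
    for port, findings in assess_log(SAMPLE_KERNEL_LOG).items():
        print(port, "ALLOWED" if not findings else "; ".join(findings))
```

Run against the sample, port 1-1 (an allowlisted corporate drive) passes, 1-2 is an unknown keyboard (the rubber-ducky shape), and 1-3 trips all three checks because a "Flash Disk" also enumerated a keyboard. On Linux the enforcement hook for such a verdict is the per-device `authorized` attribute under `/sys/bus/usb/devices/<port>/` (writing `0` detaches the device), and setting `authorized_default` to `0` on the host controller makes new devices start unauthorized until policy approves them; Windows exposes the equivalent telemetry through device installation events and Group Policy device installation restrictions.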
CDA addresses baiting within the TID and SPH domains. Theater missions include baiting simulation exercises that test organizational controls and awareness. Our approach combines technical countermeasures like USB device whitelisting with culture-building that makes reporting suspicious items a natural reflex rather than an afterthought.