Unsolicited Packages, Hidden Threats

Gigabit Systems

August 27, 2025

•

20 min read

Share this post

Unsolicited Packages, Hidden Threats: Brushing Scams Evolve Into Weaponized Attacks

An increasingly disturbing form of cybercrime is gaining traction across the U.S., merging the old-world tactic of unsolicited “brushing” packages with modern digital deception.

Once considered a quirky annoyance, brushing scams involved merchants sending low-value items—rubber chickens, novelty toys, knock-off electronics—to strangers in order to falsely inflate online reviews. The packages often arrived with the recipient’s name, address, and even phone number, despite no order being placed. While strange, these incidents were generally considered harmless.

That’s no longer the case.

Recent reports from the FBI and the U.S. Postal Service now warn of a darker evolution of the tactic. A growing number of these packages include QR codes—innocuous on the surface but weaponized beneath.

How It Works:

Recipients receive an unexpected package with their correct contact information.
A QR code is included—printed on an insert, stickered to the item, or part of a fake warranty or survey offer.
Once scanned, the QR code leads to:
- Phishing sites designed to harvest personal credentials and banking data
- Malware payloads that infect mobile devices and exfiltrate data silently
- Surveys or contests that act as social engineering traps to gather sensitive information

Security experts say this marks a significant evolution in hybrid attacks—where physical social engineering intersects with digital exploitation. It also raises deeper concerns about how easily threat actors can access or purchase consumer information from data brokers, enabling them to create extremely believable delivery scams.

What You Should Do:

Never scan QR codes from unknown or unsolicited packages.
Report suspicious deliveries to the USPS Inspector General or your local law enforcement.
Monitor your credit and bank accounts if you believe your information may have been compromised.
Consider placing a freeze on your credit file with major bureaus if strange deliveries continue.

Law enforcement officials are still investigating the origin of these campaigns, with some believed to be linked to state-sponsored or international cybercrime rings.

This is no longer about free merchandise. It’s about infiltration, exploitation, and deception—delivered in an Amazon-sized box.

The real question is:

When that next package arrives… will you scan it?

Share this post

See some more of our most recent posts...

Cybersecurity

Technology

Must-Read

Unsolicited Packages, Hidden Threats

August 27, 2025

•

20 min read

Unsolicited Packages, Hidden Threats: Brushing Scams Evolve Into Weaponized Attacks

An increasingly disturbing form of cybercrime is gaining traction across the U.S., merging the old-world tactic of unsolicited “brushing” packages with modern digital deception.

That’s no longer the case.

How It Works:

Recipients receive an unexpected package with their correct contact information.
A QR code is included—printed on an insert, stickered to the item, or part of a fake warranty or survey offer.
Once scanned, the QR code leads to:
- Phishing sites designed to harvest personal credentials and banking data
- Malware payloads that infect mobile devices and exfiltrate data silently
- Surveys or contests that act as social engineering traps to gather sensitive information

What You Should Do:

Never scan QR codes from unknown or unsolicited packages.
Report suspicious deliveries to the USPS Inspector General or your local law enforcement.
Monitor your credit and bank accounts if you believe your information may have been compromised.
Consider placing a freeze on your credit file with major bureaus if strange deliveries continue.

Law enforcement officials are still investigating the origin of these campaigns, with some believed to be linked to state-sponsored or international cybercrime rings.

This is no longer about free merchandise. It’s about infiltration, exploitation, and deception—delivered in an Amazon-sized box.

The real question is:

When that next package arrives… will you scan it?

Mobile-Arena

Tips

Cybersecurity

Technology

YOU NEED TO UPDATE ALL OF YOUR DEVICES RIGHT NOW

August 23, 2025

•

20 min read

YOU NEED TO UPDATE ALL OF YOUR DEVICES RIGHT NOW

🍎 An Apple a Day… Doesn’t Fix Zero-Day Bugs

The latest iOS 18.6.2 update addresses a serious vulnerability in ImageIO, Apple’s image processing framework. This means a simple image—yes, just a picture—could be the entry point for a full-scale attack on your device.

Why this matters for SMBs, law firms, healthcare, and schools:

This isn’t some theoretical cybercrime. It’s real, it’s targeted, and it’s effective.

Attackers have used this exploit against:

Government officials
Journalists
Human rights advocates
And potentially… your organization next

If your business handles sensitive data—like patient records, legal files, or student information—this exploit could compromise it all through a single image.

What should you do now?

Update all Apple devices immediately (iPhones, iPads, Macs)
Enable automatic updates organization-wide
Review endpoint protection to detect image-based exploits
Consider MDM (Mobile Device Management) for visibility and control

Even if you’re using Android, don’t relax—turn on auto-updates and ensure you’re on the latest software version. This isn’t about Apple vs. Android. It’s about staying vigilant.

What this means going forward:

Cybersecurity isn’t just about blocking phishing links and malware anymore. Threat actors are getting more creative, exploiting features we take for granted—like how a phone processes images.

Staying safe requires layered defenses, regular updates, and a zero-trust mindset. In 2025, patching isn’t optional—it’s operational survival.

70% of all cyber attacks target small businesses, I can help protect yours.

Technology

Cybersecurity

Tips

Mobile-Arena

Would you use this phone charger if you saw it in a cafe?

August 22, 2025

•

20 min read

Would you use this phone charger if you saw it in a cafe?

That innocent-looking public charger could be a cybercriminal’s bait — and it’s called Juice Jacking.

Here’s how it works:

Hackers leave tampered USB chargers or modify public ports in cafés, hotels, airports, and train stations.

The moment you plug in:

You think you’re charging your phone 📱
But in reality, you’re handing over your data, contacts, and credentials

What can they do?

Copy your personal files and photos
Steal your login details and financial info
Install malware that follows you home

And the worst part?

You won’t even know it happened.

🔒 How to protect yourself:

✅ Use your own charger — plug into a mains outlet only

✅ Carry a portable power bank

✅ If you must use a public USB port, use a USB data blocker (ask me how to get one for free from Gigabit Systems).

Cyber threats aren’t always flashy.

Sometimes, they’re disguised as convenience.

Stay alert. Stay charged — safely.