Recently I received a promo letter from RS New Zealand which contained a mysterious USB dongle device thingy:
hmm… should I plug this thing in…
Word of warning: never plug anything into a USB port if you didn’t ask for it. For “science” I plugged it into a sacrificial Linux box.
Turns out the dongle is a keyboard device that mashes magic Windows-specific key sequences (more on that later).
This whole marketing campaign is an extremely stupid move from RS NZ. Now a malicious 3rd party can copy their marketing material and send it out with a dongle that has a malicious payload (could be the same keyboard sequence that goes to a site and downloads a rootkit, while “Allowing” all the UAC dialogues).
It is a shame that RS NZ trains already security-deficient Windows users in more horrible security practices.
The device presents itself with the following ID:
Bus 001 Device 018: ID 05ac:020b Apple, Inc. Pro Keyboard [Mitsumi, A1048/US layout]
Here is the magic key sequence:
    Caps_Lock
    Caps_Lock
    Super_L + r
    Home
    Shift_L + End
    BackSpace
    # above is running Win+R
    # clearing the line
    # while Caps Lock on for some reason
    Alt_L + KP_End  Alt_L + KP_Insert  Alt_L + KP_Left  # Alt + 104 = h
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Right  # Alt + 116 = t <- guess where this is going?
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Right  # Alt + 116 = t <- is 'p' next?
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Down  # Alt + 112 = p <- yep, it is an obscure way of typing 'http'.
    Alt_L + KP_Insert  Alt_L + KP_Begin  Alt_L + KP_Up  # Alt + 058 = : <- http:
    Alt_L + KP_Insert  Alt_L + KP_Left  Alt_L + KP_Home  # Alt + 047 = / <- http:/
    Alt_L + KP_Insert  Alt_L + KP_Left  Alt_L + KP_Home  # Alt + 047 = // <- http://
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Begin  # Alt + 115 = s <- where is this going?
    Alt_L + KP_End  Alt_L + KP_Insert  Alt_L + KP_End  # Alt + 101 = e <- http://se ?
    Alt_L + KP_Insert  Alt_L + KP_Prior  Alt_L + KP_Prior  # Alt + 099 = c <- secure? but not https?
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Home  # Alt + 117 = u <- http://secu...
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Left  # Alt + 114 = r <- http://secur...
    Alt_L + KP_End  Alt_L + KP_Insert  Alt_L + KP_End  # Alt + 101 = e <- http://secure...
    Alt_L + KP_Insert  Alt_L + KP_Left  Alt_L + KP_Begin  # Alt + 045 = - <- http://secure-
    Alt_L + KP_Insert  Alt_L + KP_Prior  Alt_L + KP_Prior  # Alt + 099 = c <- http://secure-c
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Right  # Alt + 116 = t <- http://secure-ct
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Prior  # Alt + 119 = w <- http://secure-ctw
    Alt_L + KP_Insert  Alt_L + KP_Left  Alt_L + KP_Right  # Alt + 046 = . <- http://secure-ctw.
    Alt_L + KP_Insert  Alt_L + KP_Prior  Alt_L + KP_Prior  # Alt + 099 = c <- http://secure-ctw.c
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_End  # Alt + 111 = o <- http://secure-ctw.co
    Alt_L + KP_End  Alt_L + KP_Insert  Alt_L + KP_Prior  # Alt + 109 = m <- http://secure-ctw.com
    Alt_L + KP_Insert  Alt_L + KP_Left  Alt_L + KP_Right  # Alt + 047 = / <- http://secure-ctw.com/
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Down  # Alt + 112 = p <- http://secure-ctw.com/p
    Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Home  # Alt + 117 = u <- http://secure-ctw.com/pu
    Return
    Caps_Lock
    # the end
The resultant http://secure-ctw.com/pu redirects to http://nz.rs-online.com/web/generalDisplay.html?id=tct .
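A decoder for captures like the one above, as an added example that is not part of the original post: it maps the X11 keypad keysyms back to digits, groups them into three-digit Alt codes and returns the text the device would type, along with the other keys it pressed. The names `decode_capture`, `KEYPAD_DIGIT`, `EVENT` and `SAMPLE` are made up for the example, the fixed three-digit grouping is an assumption taken from the capture, and the sample is a constructed excerpt of its opening.

```python
import re

# X11 keysyms the keypad sends with NumLock off, mapped to the digit on the key.
KEYPAD_DIGIT = {
    "KP_Insert": "0", "KP_End": "1", "KP_Down": "2", "KP_Next": "3",
    "KP_Left": "4", "KP_Begin": "5", "KP_Right": "6", "KP_Home": "7",
    "KP_Up": "8", "KP_Prior": "9",
}
EVENT = re.compile(r"(\w+)\s*\+\s*(\w+)|(\w+)")  # chord "A + b" or single key

def decode_capture(log, width=3):
    """Return (typed_text, other_events). Assumes each Alt code is `width`
    digits, since the capture does not record when Alt is released."""
    typed, other, digits = [], [], ""
    for line in log.splitlines():
        line = line.split("#", 1)[0]  # drop the analyst's annotations
        for mod, key, single in EVENT.findall(line):
            if mod == "Alt_L" and key in KEYPAD_DIGIT:
                digits += KEYPAD_DIGIT[key]
                if len(digits) == width:
                    code = int(digits)
                    # 32..126 is identical in the OEM and ANSI code pages;
                    # anything else is reported as <code>, not guessed.
                    typed.append(chr(code) if 32 <= code <= 126 else f"<{code}>")
                    digits = ""
                continue
            if digits:
                raise ValueError(f"incomplete Alt code {digits!r}")
            other.append(f"{mod}+{key}" if mod else single)
    if digits:
        raise ValueError(f"incomplete Alt code {digits!r}")
    return "".join(typed), other

# Constructed sample: the opening of the capture, several events per line.
SAMPLE = """\
Caps_Lock Caps_Lock Super_L + r Home Shift_L + End BackSpace  # Win+R, clear
Alt_L + KP_End  Alt_L + KP_Insert  Alt_L + KP_Left   # 104
Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Right     # 116
Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Right     # 116
Alt_L + KP_End  Alt_L + KP_End  Alt_L + KP_Down      # 112
Alt_L + KP_Insert  Alt_L + KP_Begin  Alt_L + KP_Up   # 058
Alt_L + KP_Insert  Alt_L + KP_Left  Alt_L + KP_Home  # 047
Alt_L + KP_Insert  Alt_L + KP_Left  Alt_L + KP_Home  # 047
Return
"""

if __name__ == "__main__":
    text, events = decode_capture(SAMPLE)
    print("typed:", text, "| opens Run dialog:", "Super_L+r" in events)
```

Seeing `Super_L+r` among the other events immediately before a run of Alt codes is the pattern to look for when triaging an unknown HID device: it means the decoded text lands in the Windows Run dialog.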
For some reason they decided to use a 3rd party redirection service, whose domain/URL is not much shorter than http://nz.rs-online.com.
The funny thing is they could have registered rs-tct.nz (or rstct.nz) for something like $30 and set up a redirect there. It smells of their marketing department stumbling in the dark.
The whole thing is pretty pointless IMHO. Could have just sent a postcard with a QR Code and URL on it. Actually, from an environmental point of view it is very wasteful.
I guess they are forcing dumbass Windows users to visit their page (who otherwise would not follow the link)…