Sooner or later, the default Windows configuration will refuse to autorun content on a strange flash drive, and this won't work. Unless, of course, the criminals have special USB units manufactured containing an active processor which uses DMA to probe and interfere with the host PC's memory. They could possibly use the same facilities they use to make fake ATM front panels to manufacture them. The units could even contain an empty, perfectly innocent flash drive to deflect suspicion; after all, there's no limit to how many devices something on the end of a USB connector can appear to be.
Flash drives are cheap. And I'm sure the Russian Mafia or whoever have access to chip fabbing plants and such they could use to knock out thousands of units containing a microcontroller and a quantity of Flash (some of which looks like a drive). And the design wouldn't be hard; the basic components (microcontroller cores, USB stacks and so on) are well known.
Or a buffer overflow exploit hidden in any number of file types. Porn, music, and Excel spreadsheets; I'm sure most people would check what's there first.
It's a relatively expensive approach. I'm surprised that it has any appeal. I guess if you steal the flash drives...