Sure we are all professionals now, but looking back into your childhood, I’d imagine you can recall a time when you, a sibling or one of your friends wanted to play detective or even pretended to be undercover spy agents. You may even have been blessed to own a super cool invisible ink marker so that only those in your trusted circle would be able to decode your secret “invisible” messages. Or better yet, maybe you had the coolest parents ever who played along and helped you make your own seemingly unlimited supply of invisible ink by combining a little water and lemon juice. (For those who aren’t aware of this little trick, the lemon juice and water solution appears clear on paper; however, due to oxidation, the liquid quickly turns brown if heated, thus revealing the secret message.) Try it!
While playing spy-agent as children was (for all practical purposes) a harmless and fun activity to pass time, there is a new, much more serious form of steganography (an ancient practice, dating back to 1499, of transmitting a message in a hidden form) that can be exploited in today’s modern Internet world. The topic has resurfaced thanks to a technique coined “Stegosploit”, developed by Saumil Shah, a security researcher from India, who recently presented the new technique at the Hack in the Box Conference in Amsterdam earlier last month.
What is Stegosploit?
Stegosploit is the latest trick to be turned and exploited by cybercriminals to hide undesirable or malicious code inside a picture’s pixels (single points of illumination on a display screen, one of many from which an image or graphic is created). In other words, Shah has discovered a new way of using steganography to get malicious code injected inside a graphic’s pixels, thus providing the ability to get malware downloaded to your system simply by you viewing (and nothing else!) a picture online. And just like the child’s play of blank white paper with no signs of lemon juice until placed under heat, the viewed online image looks no different than a normal image, so there would be no way to tell the difference from plain sight. This new discovery should surely have all of us thinking twice before clicking on a link from a friend sharing a gorgeous Spring flower, a record-breaking fish or a jaw-dropping rainbow.
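Why such an image "looks no different" can be shown with a short added example (not code from Saumil Shah or from the original post). It assumes the textbook least-significant-bit scheme, which is not Stegosploit's actual encoder, and uses a constructed grayscale image and a harmless text string; all function names are hypothetical.

```python
# Added illustration on constructed data: hiding bytes in pixel values.
# Generic least-significant-bit (LSB) hiding; an assumption, not Stegosploit's encoder.

def make_cover(width=64, height=64):
    """Constructed sample: a smooth gradient standing in for photo pixels (0-255)."""
    return [(x * 3 + y * 2) % 256 for y in range(height) for x in range(width)]

def embed(pixels, payload: bytes):
    """Hide a 16-bit length prefix plus payload, one bit per pixel LSB."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover image")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit  # overwrite only the lowest bit
    return stego

def _read_bytes(pixels, start_bit, count):
    """Rebuild `count` bytes from pixel LSBs, starting at pixel `start_bit`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[start_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def extract(pixels):
    """Read the length prefix, then that many hidden bytes."""
    length = int.from_bytes(_read_bytes(pixels, 0, 2), "big")
    if 16 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds image capacity")
    return _read_bytes(pixels, 16, length)

def max_pixel_change(a, b):
    """Largest brightness difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))

def changed_pixels(a, b):
    return sum(1 for x, y in zip(a, b) if x != y)

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"constructed sample message")
    print("recovered:", extract(stego))
    print("max change per pixel:", max_pixel_change(cover, stego))
```

No pixel moves by more than one brightness level out of 256, so inspecting the picture by eye is not a usable check; the defence has to come from the software that decodes and renders the image.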
This poses a serious risk to all computer users. Those at greatest risk to fall victim to the Stegosploit are users who are running older and unpatched Internet browsers (i.e. Internet Explorer). Luckily, there aren’t any confirmed reports of this technique being used in-the-wild. However, with the possibility of the Stegosploit now being made known, it may just be a matter of time.
I suggest three simple steps to avoid falling victim to Stegosploit or similar techniques in the future:
1. Visit well known websites when shopping, surfing or researching a topic.
Furthermore, go to the reputable website by typing the web address directly into the browser instead of searching for it on Google.
2. Maintain regular operating system updates and updates for 3rd party software, especially Internet browsers.
3. Make sure that you have strong antivirus software installed and that its virus database files are up-to-date.
Playing detective as a child was fun, but it sounds cumbersome to think we have to be on our guard every time we click an image online. However, informed users will be the safest ones online, and you heard it here first. Stegosploit is not child’s play, and as with any vulnerability, there will be a cost to you: whether it’s time, functionality or even money. As cybercriminals get more (notoriously) creative with their hacking, we must train ourselves to be on guard for their mature shenanigans. Think of it as a “grown-up” spy game, but the good news is that you are not alone: Thirtyseven4 is playing on your team!