life, technology

Your Cat Videos May be Giving Away Sensitive Data to Hackers, and You Didn’t Even Know it.

According to a new security report , scammers and cyber attackers worldwide are scraping social media posts for data that may seem irrelevant, but are actually key personal identifiers.

Using social engineering and scraping information off the open web, hackers are targeting unsuspecting users
These include personally identifiable information posted casually by users on social media
Such tactics are being used by cyber criminals to send targeted mails with malware payloads
Your personal cat videos, stay at home birthday party photos and casual snaps of yet another day spent under Covid-19 restrictions may not just be what meets the eye.

casual social media posts made by many of us staying at home appear to be leaking key identifiers on to the open cyber space. While such things, such as you celebrating your birthday party, sharing your adoration for the puppy whom you rescued, or even something as trivial as a mid-work snap to break the boredom may not have anything sensitive at all, such data can be put together by cyber attackers, scammers and hackers to form a pool of identifiable data, all linked to you. This, in turn, is helping threat actors create targeted cyber advances and dupe individuals, in a spree of advanced online scams that no longer remain simple.

How trivial is trivial data?

“Scams are a preferred form of attack for many criminals. They are often simple to launch and, if well-executed, can have relatively good success rates. As we have become more aware of scams, criminals have had to become more cunning. One way they have sought to boost success rates is to personalise scams – think spear phishing-type attacks. No longer do we see “Dear user”, but rather “Dear [your name]”. And, scams now even use your old passwords within their messages to you,”

Such incidents aren’t particularly unprecedented – cyber crime has always evolved to keep pace with what’s topical, and in today’s world, this has a far greater reflection. For instance, numerous reports highlighted the now-well documented surge in Covid-19 related scams and spear phishing efforts during the early months of the global pandemic. As the times evolved, attackers adapted to target the Covid-19 contact tracing and vaccine efforts, and subsequently, more advanced tasks too.

But as it turns out, one of the key signifiers of advanced cyber threats were born out of casual social media posts, including very basic stuff such as a photo of your first Zoom meeting. Thanks to AI image resurrection tools, even compressed images shared on social media could be refurbished to reveal details – sometimes highly sensitive in nature. Such social media posts, as the Sophos report claims, have included personal details under popular hashtags. As it states, “Photos tagged with WorkFromHome, WorkingFromHome, HomeOffice have also revealed birthday parties (celebrated on Zoom or Teams), thereby exposing birth dates; home addresses through photos revealing addresses on Amazon parcels or postal mail; and names of family members, children and pets.”

The risks that they represent.

To put things in perspective, such identifiable data can be stitched together by attackers to contact you via email, pretending to be a work acquaintance – or from social engineering, a friend whom you have not been in touch with for a while. These attacks can, in one of the methods, include emails with attachments that directly address you. All it takes is to pique a target’s interest, enough to make them download the attachment sent via email. Once downloaded, the attachments can use one of the thousands of malware available for nominal cost, thereby handing attackers a direct route to access your files on your work PC.

For example, an attacker may contact an employee under the guise of a known supplier, drawing on information gathered from an email. Or, they may get in touch with the employee, pretending to be from the IT department and with a request that the staff member update key software that only internal employees would (should!) be aware of.

“In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks. There have been similar issues with numerous data breaches in the past where unsecured corporate servers online have leaked data, including millions of business and customer records.

The perils of casual social media posts.

While such risks may not be apparent at first,it establishes the latest favourite tactic used by cyber attackers on the open internet – social engineering. Such processes can help malicious users to create a digital map of yours by using your social media posts, and use this data to gain your trust and trick you into downloading ransomware, malware and stalkerware payloads. In extreme cases, such tactics are being used to target celebrities and personalities to infect them with spyware.

As general security advice, users are urged to not download any attachment from emails where they are not personally confident of the sender. For video conferences, users are advised to use virtual or neutral backgrounds that do not have identifiable details, and in general, social media posts are better kept to the least possible.