Your Cat Videos May be Giving Away Sensitive Data to Hackers, and You Didn’t Even Know it.

According to a new security report, scammers and cyber attackers worldwide are scraping social media posts for data that may seem irrelevant but actually contains key personal identifiers.

Using social engineering and scraping information off the open web, hackers are targeting unsuspecting users.
The scraped data includes personally identifiable information posted casually by users on social media.
Cyber criminals are using such tactics to send targeted mails with malware payloads.

Your personal cat videos, stay-at-home birthday party photos and casual snaps of yet another day spent under Covid-19 restrictions may be more than meets the eye.

Casual social media posts made by many of us staying at home appear to be leaking key identifiers into open cyberspace. Posts about celebrating your birthday party, sharing your adoration for the puppy you rescued, or even something as trivial as a mid-work snap to break the boredom may not contain anything sensitive on their own, but cyber attackers, scammers and hackers can put such data together to form a pool of identifiable data, all linked to you. This, in turn, is helping threat actors craft targeted attacks and dupe individuals in a spree of advanced online scams that are no longer simple.

How trivial is trivial data?

“Scams are a preferred form of attack for many criminals. They are often simple to launch and, if well-executed, can have relatively good success rates. As we have become more aware of scams, criminals have had to become more cunning. One way they have sought to boost success rates is to personalise scams – think spear phishing-type attacks. No longer do we see “Dear user”, but rather “Dear [your name]”. And, scams now even use your old passwords within their messages to you,”

Such incidents aren’t particularly unprecedented – cyber crime has always evolved to keep pace with what’s topical, and in today’s world this is more evident than ever. For instance, numerous reports highlighted the now well-documented surge in Covid-19 related scams and spear phishing efforts during the early months of the global pandemic. As time went on, attackers adapted to target the Covid-19 contact tracing and vaccine efforts, and subsequently more advanced tasks too.

But as it turns out, one of the key signifiers of advanced cyber threats was born out of casual social media posts, including very basic stuff such as a photo of your first Zoom meeting. Thanks to AI image resurrection tools, even compressed images shared on social media could be refurbished to reveal details – sometimes highly sensitive in nature. Such social media posts, as the Sophos report claims, have included personal details under popular hashtags. As it states, “Photos tagged with WorkFromHome, WorkingFromHome, HomeOffice have also revealed birthday parties (celebrated on Zoom or Teams), thereby exposing birth dates; home addresses through photos revealing addresses on Amazon parcels or postal mail; and names of family members, children and pets.”

The risks that they represent.

To put things in perspective, such identifiable data can be stitched together by attackers to contact you via email, pretending to be a work acquaintance or, through social engineering, a friend you have not been in touch with for a while. One method is to send emails with attachments that address you directly. All it takes is to pique a target’s interest enough to make them download the attachment sent via email. Once downloaded, the attachment can deploy one of the thousands of malware strains available at nominal cost, thereby handing attackers a direct route to the files on your work PC.

For example, an attacker may contact an employee under the guise of a known supplier, drawing on information gathered from an email. Or, they may get in touch with the employee, pretending to be from the IT department and with a request that the staff member update key software that only internal employees would (should!) be aware of.

“In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks. There have been similar issues with numerous data breaches in the past where unsecured corporate servers online have leaked data, including millions of business and customer records.

The perils of casual social media posts.

While such risks may not be apparent at first, they point to the latest favourite tactic used by cyber attackers on the open internet – social engineering. Malicious users can build a digital map of you from your social media posts, then use this data to gain your trust and trick you into downloading ransomware, malware and stalkerware payloads. In extreme cases, such tactics are being used to target celebrities and personalities to infect them with spyware.

As general security advice, users are urged not to download any attachment from an email unless they are personally confident of the sender. For video conferences, users are advised to use virtual or neutral backgrounds that do not show identifiable details, and in general, social media posts are better kept to a minimum.


How to protect your privacy and stay secure on Instagram.

Instagram is a great way to share photos with friends, family, and the rest of the world, but it could also open you up to privacy and security risks. It doesn’t have to be that way, though. It’s easy to protect yourself and still get the most out of what Instagram has to offer.

Here are five ways to keep your account safe. There are separate instructions for the web and for the mobile apps, with notes where the iOS and Android apps differ.

Make your account private
Take a simple privacy step by turning your public account into a private one. This will let you share your photos with a select group of people while keeping them hidden from everyone else. That way, only people you really care about will be aware of your activities.

On mobile
Go to your profile by tapping the “person” icon on the lower-right corner of the screen. Swipe to the left and tap the Settings gear icon that appears.
Select “Privacy and Security” then “Account Privacy.”
Toggle “Private Account” on.

On the web
Click on the “person” icon in the upper-right corner, and then look for the gear icon next to your name.
Select “Privacy and Security” then “Account Privacy.”
Click on the checkbox for Private Account.

From now on, only your existing followers will be able to see your posts. Anyone else will have to send a follow request to you first.

Block specific followers
If one of your followers becomes annoying (or worse), you can also block specific followers from seeing your posts. (Don’t worry: followers aren’t notified that you’ve blocked them.)

On mobile
Tap “Followers” at the top of the main mobile menu.
Search for the follower you want to block.
If you’re using iOS, tap the three horizontal dots next to their name. If you’re using Android, tap the three vertical dots. Select “Remove.”

On the web
Click on the person icon and then on “Followers.”
Search for the follower you want to block.
Click on that person’s icon, then look for the three horizontal dots to the right of their name. Select “Block this user.”

Turn on two-factor authentication
Worried that someone will log in to your Instagram account and pose as you? Turn on two-factor authentication, which will send you a text message with an authentication code every time you log in to Instagram on a new device. You’ll then have to type in the code to complete logging in.

On mobile
Go to “Settings” > “Privacy and Security” > “Two-Factor Authentication” > “Get Started.”
Toggle on “Text Message.”
If you’d prefer to use an authentication app like Google Authenticator instead, toggle on “Authentication App.” The app will see if you already have one installed. If you don’t, it will suggest one.

On the web
Go to the person icon, then click on the gear icon.
Click on “Privacy and Security” > “Edit Two-Factor Authentication Setting.”
Check “Text Message.” If you have an authentication app available, you will also be able to check “Use Authentication App.” Otherwise, it will be grayed out.

Prevent third-party apps from getting your data.

There are tons of third-party apps that ask for access to your Instagram data, like an app that schedules Instagram posts for you. Before agreeing to let one access your data, factor in that the more companies that have private information about you, the more likely it is that the information can be misused or stolen. Even more important: make sure that you only grant Instagram access to apps that truly have a need for it.

To revoke access to apps that already have it, you have to use the web interface; you can’t do this through the mobile app.

Log in to Instagram on a browser on a phone or computer, and click or tap the person icon on the upper-right corner of the screen.
Click or tap on the gear icon.
Click on “Authorized Apps.” (Look for it on the left-hand menu.) You’ll see a list of apps that have been authorized to access Instagram.
Click on the “Revoke Access” button for any app that you want to unauthorize, and then select “Yes.”

Check if someone has hacked your account
Worried that someone has hacked your Instagram account? You can check by viewing your past account activity, including logins, logouts, password changes, and more.

Using the mobile app, go to “Settings” > “Privacy and Security” > “Access Data.” On the web, tap the “person” icon in the upper-right of the screen. Click the gear icon, and select “Privacy and Security” > “View Account Data.”
You’ll come to an info page that has a great deal of data on how your account has been used. You can click any category to get more information, such as “Account privacy changes,” “Logins,” “Logouts,” “Hashtags you follow,” and so on.
Pay special attention to “Account privacy changes,” “Password changes,” “Logins,” “Logouts,” and “Stories Activity.” If you see anything that’s unfamiliar, it may mean that someone else is using your account. Immediately change your password to lock them out.