Stegobot steals passwords from Facebook photos

A report in New Scientist magazine this week identifies a new threat to your information security, although it is unclear if this is in the wild yet.

In the article, researchers created software (a “bot”) that extracted sensitive user data (such as banking passwords or credit card numbers) and then hid this inside a picture file which was then uploaded to Facebook. Once on the social networking site it moves from you to you friends, to their friends until it eventually reaches the “botmaster.” This process is assisted by the fact that as your friends view your Facebook page, the pictures are automatically downloaded in the background assisting the bot to spread.

While this propagation method relies on the concept that everyone is, eventually, linked to everyone else this is still quite cumbersome and, in the wild at least, there are better ways for hackers to get access to your data.

The greatest concern here is that this threat is virtually undetectable and it is unclear if any anti-virus or anti-malware packages will ever be able to defend against it. However, it is a slow method and it would only ever be possible for small amounts of data to be sent in each picture.

As an estimate, it could hide around 50kilobytes of data in a normal camera-phone photo, so the risk here is not that you will lose large amounts of intellectual property (IP) but that if the bot is linked to another attack, it might be possible for it to capture your internet banking passwords and credit card numbers.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.