Most social media users don’t realize that attackers can target them simply through careful observation. People share personal photos on social media platforms all the time. You might set strong passwords and turn on the best security settings. You may even be wary of accepting strangers’ friend requests. But do you realize that cyber criminals can analyze seemingly irrelevant elements within a photo, or words within a caption, and piece together enough personal details about you to launch a convincing attack or scam?
Consider the Instagram post below. It may seem harmless, but on closer inspection it contains six minor details that fraudsters could leverage to make an attack seem more enticing or legitimate.
Let’s put our black hats on and think like a hacker.
The Subject
The photo appears to have been uploaded to a woman’s Instagram after she “caught” the subject gaming. There is a good chance this man knows her well, since she took a candid photo of him during a recreational activity. A bit of investigation on other social media sites might turn up the man’s name. With more information about him, you could craft a convincing phishing email to the woman that appears to come from him. A believable phishing email might lure the recipient to a malicious copy of a trusted website (to steal login credentials) or to a page that installs malware through an exploit kit. Once the subject of the photo is identified, the same trick works in reverse: phish him using whatever you know about the picture-taker to increase the likelihood of success.
The Envelopes
The envelopes on the desk include a name and address, which you can use to identify the man in the photo. This address information might also help criminals steal his identity or guess his password recovery questions (a home address, or the street he grew up on, is a common one). Furthermore, the sender of each letter is clearly visible (two different banks). You can surmise that the man has a relationship with these banks, which gives you specific targets to impersonate in a phishing attack. Once you have identified likely answers to account recovery questions, you could attempt to reset his password and gain access to his online banking accounts.
The Cup
The cup on the desk shows a University of Arizona logo, so it isn’t far-fetched to assume the man is either an alumnus or an avid fan. “What school did you attend?” is a common password recovery question. Attackers can search the school’s public records or call admissions and socially engineer staff into confirming the man’s relationship to the school. You might also spoof a phishing email so it appears to come from the school. This email might include an attachment that looks like an updated transcript or a billing request. In reality, of course, it is a booby-trapped document hiding a ransomware dropper.
The Concert Ticket
People often hang on to concert tickets as a keepsake from a great show. “What is your favorite band?” is another very common password recovery question, so the information on the ticket might answer one of the security questions required to reset one of his account passwords. Smart criminals could also create an imitation fan website for the band and send him a link to it, where the site actually fronts an exploit kit that delivers malware.
The Sticky Note
The handwritten sticky note on the monitor looks like it could be the phone number of one of the man’s coworkers. You could use this number to identify his employer (a reverse lookup or a web search for the number often leads straight to a company directory). Additionally, most companies use a predictable scheme for work email addresses, such as first.last@company.com or first initial plus last name. Knowing the employer and the naming scheme, you can determine the subject’s probable work email address as well. Now you have a concrete target for your phishing emails.
Photo’s EXIF Information
Most photos carry something called exchangeable image file format (EXIF) data, which holds a lot of additional information about the image: the date and time it was taken, what camera the photographer used, and perhaps the camera and lens settings. Worse yet, many cameras and nearly all smartphones record GPS coordinates showing where a photo was taken. Given the contents of this picture, the GPS data would likely pinpoint the man’s or the woman’s home address. Obviously, this information helps you craft a more convincing phishing email or social engineering attack. Furthermore, if your target lives nearby, you now know where to war-drive and “sniff” details about their wireless network. Once you have those details, you can launch any number of wireless attacks, from an Evil Twin to a man-in-the-middle. One caveat: major platforms such as Instagram and Facebook strip EXIF from the copies of images they serve, so the risk is greatest for originals shared by email or chat, hosted on a personal site or a smaller service, or passed around as files. The platform itself still receives the full data at upload time.
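To make the EXIF point concrete, the following is an added example (not code from the original post) that parses the GPS IFD out of a JPEG’s Exif APP1 segment, converts the degrees/minutes/seconds rationals to decimal coordinates, and then strips the Exif segment the way a privacy tool would. Because no real photo can ship with this page, the block also builds a constructed minimal JPEG (SOI, an Exif APP1 segment with only a GPS IFD, a comment segment, EOI) around sample coordinates in Tucson, Arizona; the coordinates, the TIFF layout offsets and the function names are all assumptions made for the example.

```python
import struct

# Constructed sample only: a minimal JPEG carrying an Exif APP1 segment with a GPS IFD.
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD, TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x8825, 1, 2, 3, 4
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field type sizes


def _to_dms(value):  # degrees, minutes, seconds as three RATIONALs (seconds in 1/100)
    v = abs(value)
    deg, minutes = int(v), int((v - int(v)) * 60)
    seconds = round(((v - deg) * 60 - minutes) * 60 * 100)
    return struct.pack("<IIIIII", deg, 1, minutes, 1, seconds, 100)


def build_exif_with_gps(lat, lon):
    """Little-endian TIFF: IFD0 with a GPS IFD pointer, then the GPS IFD (constructed)."""
    lat_ref, lon_ref = (b"N" if lat >= 0 else b"S"), (b"E" if lon >= 0 else b"W")
    gps_off = 8 + 2 + 12 + 4            # TIFF header + IFD0 with one entry = 26
    lat_off = gps_off + 2 + 4 * 12 + 4  # GPS IFD with four entries          = 80
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)
    tiff += struct.pack("<I", 0) + struct.pack("<H", 4)
    tiff += struct.pack("<HHI", TAG_LAT_REF, 2, 2) + lat_ref + b"\x00\x00\x00"
    tiff += struct.pack("<HHII", TAG_LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", TAG_LON_REF, 2, 2) + lon_ref + b"\x00\x00\x00"
    tiff += struct.pack("<HHII", TAG_LON, 5, 3, lat_off + 24)
    tiff += struct.pack("<I", 0) + _to_dms(lat) + _to_dms(lon)
    return EXIF_HEADER + tiff


def _segments(jpeg):
    """Yield (marker, segment bytes) for each marker segment up to SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 2 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = jpeg[i + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded image data follows
            yield marker, jpeg[i:]
            return
        (seglen,) = struct.unpack(">H", jpeg[i + 2:i + 4])
        yield marker, jpeg[i:i + 2 + seglen]
        i += 2 + seglen


def _parse_ifd(tiff, offset, end):
    """Return {tag: (type, count, raw value bytes)} for the IFD at `offset`."""
    (n,) = struct.unpack(end + "H", tiff[offset:offset + 2])
    entries = {}
    for k in range(n):
        e = offset + 2 + 12 * k
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:  # value fits inline in the 4-byte field
            data = tiff[e + 8:e + 8 + size]
        else:          # otherwise the field is an offset to the value
            (off,) = struct.unpack(end + "I", tiff[e + 8:e + 12])
            data = tiff[off:off + size]
        entries[tag] = (typ, count, data)
    return entries


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None."""
    exif = next((s[4:] for m, s in _segments(jpeg)
                 if m == 0xE1 and s[4:].startswith(EXIF_HEADER)), None)
    if exif is None:
        return None
    tiff = exif[len(EXIF_HEADER):]
    end = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
    (ifd0_off,) = struct.unpack(end + "I", tiff[4:8])
    ifd0 = _parse_ifd(tiff, ifd0_off, end)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(end + "I", ifd0[TAG_GPS_IFD][2])
    gps = _parse_ifd(tiff, gps_off, end)

    def dms(tag):  # three RATIONALs (deg, min, sec) -> decimal degrees
        v = struct.unpack(end + "II" * gps[tag][1], gps[tag][2])
        return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

    lat = -dms(TAG_LAT) if gps[TAG_LAT_REF][2][:1] == b"S" else dms(TAG_LAT)
    lon = -dms(TAG_LON) if gps[TAG_LON_REF][2][:1] == b"W" else dms(TAG_LON)
    return lat, lon


def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment dropped; image data untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in _segments(jpeg):
        if not (marker == 0xE1 and seg[4:].startswith(EXIF_HEADER)):
            out += seg
    return bytes(out)


def build_sample_jpeg(lat=32.231944, lon=-110.952778):  # SOI, APP1, COM, EOI
    exif = build_exif_with_gps(lat, lon)
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 20) + b"constructed sample"  # 18 bytes + 2
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"


SAMPLE_JPEG = build_sample_jpeg()
```

Running `gps_from_jpeg(SAMPLE_JPEG)` yields roughly (32.2319, -110.9528), which is all an attacker needs to drop a pin on a map; `strip_exif` removes the entire APP1 segment rather than editing individual tags, because the safest way to publish a photo is to leave nothing for a parser to find. Real camera files also carry maker notes and embedded thumbnails (which can contain an unedited copy of the image), so a tool that removes whole metadata segments is preferable to one that blanks selected fields.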
That is the power of simple observation. With close attention to detail, criminals can learn a lot about you from a single public image. Think about how many photos you post to your online accounts. By sifting through public images alone, an attacker can build a fairly accurate dossier on a target, complete with key personal dates, information about friends and colleagues, pets’ names, and much more. In one way or another, all of this information can be used against you.
The moral of the story? Use common sense whenever you post anything to your social media accounts. Once you’ve got the filters just right and the emoji choices down, spend an extra minute before posting to make sure that nothing in the photo or caption gives away too much about you. Be selective about who you allow to follow you or see your pictures online. Although it takes a little more work, you should also purge the EXIF data from photos you post publicly; a number of free tools do this, for example the command `exiftool -all= photo.jpg`, which removes all metadata from the file. Simply put, think before you post. Whether it’s a picture, a file or just text, consider exactly what you might be sharing before putting it anywhere it could go public.