Steganography: Hiding in Plain Sight — The Threat You’ve Never Heard Of

How hiding a malicious file inside an innocent one makes steganography a big danger: Internet Scambusters #898

Don’t let the word “stenography” make you think the term has nothing to do with you. Maybe it does.

Yes, it’s computer-speak, but what it does is simple. It’s a seemingly innocent payload that controls malware that’s already been installed on your computer.

The best way to deal with it is to render it useless by not letting the malware onto your PC in the first place, as we report in this week’s issue.

Let’s get started…

Steganography: Hiding in Plain Sight — The Threat You’ve Never Heard Of

It sounds like a scientific or technical term, which it is, but steganography can actually be a sinister piece of computer-speak that could land you in trouble.

In very simple terms, steganography is a trick that involves hiding one file inside another. More broadly, it refers to any type of information that’s hidden inside something that’s genuine and innocent looking.

For example, in the world of espionage, privacy, and secrecy, it can refer to the use of a hidden coded message inside a piece of normal looking text or art.

It can have a perfectly legitimate security role, for example, by hiding information that identifies a copyrighted document. There are multiple tools available on the Internet for actually using the technique.

But in the scammers’ handbook, it’s a technique for transferring malware instructions onto an already-infected computer without you seeing or suspecting anything. This way, it can activate malware or simply give it new orders.

Used in Music Files

According to the tech site ZDNet, crooks have just started using music files for this purpose. Fortunately, they’re not in the standard MP3 digital format most of us download for our listening pleasure. Yet!

Instead, they’re in a format known as WAV, which is still in very common use for some types of audio files.

In fact, steganography can be used in almost any type of file. It’s been around for a number of years and has been, and still is, mainly used by criminals to hide a malicious payload inside picture files (jpeg or .jpg formats).

Its value lies in the way it works.

Most computer security software is set up to identify and block files that are “executable” — capable of running like any regular computer program or app.

With “stego,” as it’s called, the file that your computer security software sees is “non-executable,” like a jpeg or WAV are. So, it’s more likely to be allowed through the security barrier. Only when it’s on board your PC does the crooked code emerge to begin its shady business.

According to security firm Symantec, who recently discovered the trick at work in WAV files, Russian crooks are using it to pass on information or instructions to computers that have already been infected with a virus.

Another security organization, Cylance, found evidence just a couple of weeks ago that scammers using botnets (networks of virus-infected PCs) have jumped in on the act.

In this case, they seem to be linked with crypto-mining in which victims’ computers are being used to search for virtual currencies, like Bitcoin. (See our report on cryptojacking for more on this — Cryptojacking Overtakes Ransomware as Number 1 Computer Threat)

Make It Useless

In the case of computer malware, you don’t need to know how steganography works, but you do need to know how you can best try to beat it. You probably can’t stop it, unless you’re a forensic scientist, but you can make it useless.

The first thing to know is that potentially any file you download may have been “steganographed,” so you should only download items from sites or people you know and trust.

Most importantly however, as the recent discoveries show, these malicious files are targeted at computers that have already been infected by malware. So, make sure you’re malware-free by installing good security software and keeping it up to date.

It’s not immediately clear if security software can detect an innocent, non-executable file that’s carrying a malicious payload. Probably not. So, it’s more important that there’s nothing for it to do when it arrives.

ZDNet says: “A proper way of dealing with steganography is… not dealing with it at all. Since stego is only used as a data transfer method, companies should be focusing on detecting the point of entry/infection of the malware that abuses steganography, or the execution of the unauthorized code spawned by the stego-laced files.”

The practice of steganography is actually very complex, which explains why it has not been in widespread use in the past. But that’s all about to change, as malware writers develop their expertise.

Alert of the Week

We wrote a few weeks ago about the rise in online romance and dating scams. The US Federal Trade Commission (FTC) has just confirmed this alarming trend by disclosing that victims handed over more than $200 million to romance scammers last year.

That’s 40% higher than in 2018 and a six-fold increase on the cost of scams just five years ago.

In just one recent case in Oregon this year, a victim was tricked into handing over his entire life savings of $200,000 in the belief he was dealing with a real romance partner.

As the FTC puts it: “It’s not true love if they ask for money.” Follow that warning and you’ll never fall victim to a romance scam.

Time to close today, but we’ll be back next week with another issue. See you then!