CyberScout is the nation’s premier consultative provider of identity and data risk management, resolution and education services.

How a Picture Could Rob You Blind

How a Picture Could Rob You Blind
March 9, 2018

Unless you live in a pineapple under the sea with a talking sponge, you’re probably familiar with the never-ending parade of cute animal pictures sent by text and email—friend to friend, email list to subscriber—and everywhere you look on social media. Hackers are counting on that.

You’re no fool. You keep current on the news—specifically with regard to cyber security. You’ve seen the warnings about the dangers of phishing, and you are careful. You’ve heard about the other ish-ings: Smishing (phishing attacks via SMS) and vishing (voice cons over the phone, voice mail or VoIP).

In other words, you know the basics when it comes to cyber-hygiene. You may even believe it’s unlikely that a hacker will weasel his or her way into your life, but you are wrong to think that.

The New Crypto-hack: Image Steganography
Digital images can contain hidden information—executable programs called malware—and this means that hackers can use those cute kitten images to access your connected devices. When that happens, the gates to your kingdom—virtual, digital and actual—will be flung open to all stripe of criminal and con artist looking to cash your tax refund check, drain your available credit, steal your healthcare, commit crimes in your name—indeed, the depredations are as limitless as the number of intelligent louts there are “out there.”

So let’s talk about this new danger, which falls under a category we might call crypto-hacks—but not of the blockchain (Bitcoin) variety.

Assuming you don’t live in the same neighborhood as Spongebob, and you go online from time to time, you’ve probably also noticed a tiny image of whatever site you’re visiting that displays in the tab or next to the URL window in your browser. (It’s called a favicon.)

Now ponder this if you will: Favicons download automatically. Extra points if you’ve already guessed what I’m going to say next: Those automatically downloaded 16 x 16-pixel images can be weaponized by hackers—specifically, they can be programmed to download malware onto your computer. They can even update that malware after an initial attack is successful.

Steganography is the art and science of hiding information. It is an old form of encryption that has found a new purpose in the hacker community. If it seems like Greek to you, that’s because it is: the translation of steganography from Greek is roughly, “secret writing.” It refers to any process that hides a message in an object in such a way that an observer will not see it.

You may have seen older versions of this kind of cryptography—the methods date back 2,500 years—including spy film favorites like the Cardan grille, where a sheet of paper, cloth or a board with holes cut into it is placed over a page of text to reveal the “hidden” message.

If you practice tight security in your digital life, you may use PGP encryption when sending email—this too is a form of steganography. The art, craft and technology of hiding messages is nothing new, but the way it is being implemented specifically with digital images is, and it could get you “got.”

With image steganography, the attack methods are numerous and increasing. In addition to the favicon exploit, there are attacks via banner, there are two-punch assaults delivered first via phishing emails that carry only the capacity to unload the second punch in the form of malware hidden in an image, and there are doubtless exploits that have not yet been discovered by the good guys.

How to Stay Safe
The common wisdom about clicking on attachments and the like is that you have to click on them to run into any trouble. Malware is everywhere these days, and if you allow curiosity to put you on the wrong side of a hacker’s ploy, the consequences can be dire.

There is a special kind of terror associated with a hack that executes automatically, such as the favicon approach discussed here.

As ever, though, the way to stay safe is stay vigilant, and to stick to the known destinations. Whenever possible, avoid sketchy sites and travel on well-maintained digital roads. The key to it all: You are your best shot at staying safe.

Adam Levin is chairman and founder of CyberScout and co-founder of, where this article originally appeared.

Offer 24/7 CyberScout Protection

CyberScout's partnership options help you safeguard the identity and privacy of your policyholders, customers, members and employees. Discover how a customized program can help build brand loyalty, customer retention, and quickly generate long-term recurring revenue.

Get Started