Digital photos demand a second look as picture-stealing threat develops

How many image files do you have on your computer? Would you be happy to send them all to a stranger? How about the photos on your smartphone? These are some of the questions I pondered this past weekend in light of several seemingly unrelated events from the previous week. (As a random data point, the number of JPG files on the MacBook Pro that I use as my personal computer is currently 33,479.)

Smartphone photos targeted?

Last Monday we saw Trend Micro’s blog post about malware that steals pictures from infected hard drives (tip of the hat to Trend’s Raymart Paraiso). Of course, malware with the ability to ship clandestine copies of files to remote servers under the control of a scam artist is not new. As Fahmida Rashid noted in PC Magazine’s coverage on Tuesday, “there have been malware targeting specific file formats in the past.” Indeed, Fahmida cites as an example the ACAD/Medre worm uncovered by ESET earlier this year.

However, automated data-theft code that specifically targets JPG files, as the malware Trend dubbed Pixsteal-A-Trojan does, is somewhat novel. And it may be a wake-up call to an increasingly snap-happy world. (ESET products detect this threat as Win32/DataStealer.E and protect against it.)

How “snap-happy” is the world these days? One aspect of Trend’s description of this data stealer which caught my eye was that it sends out “the first 20,000 files” that it finds. Right away I felt the urge to check how many image files were on my own computer. The number was way higher than 20,000. Why so many? One culprit is my iPhone.

There were close to 1,000 photos just sitting on my iPhone a few days ago, until I started deleting the boring ones, such as old shopping lists captured from the whiteboard on my fridge. But of course, many of these, and thousands more, still live on in folders on my laptop due to previous syncing of the phone. So what would a scam artist or cyber-criminal want with my pictures?
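To put a number on the exposure described above, here is an added Python example (not code from the original post, nor from ESET or Trend Micro) that walks a folder tree, tallies image files by extension and their combined size, and reports how much of that inventory would be captured by a stealer that stops after a fixed number of files. The 20,000-file figure comes from Trend’s description quoted above; the extension list, the `run_demo` sample tree and its file names are constructed assumptions for the demonstration.

```python
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: a typical set of image extensions; the article does not list any.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".heic", ".bmp", ".tif", ".tiff"}


def inventory_images(root):
    """Walk `root` and tally image files by extension (case-insensitive).

    Returns per-extension counts, the total number of image files and their
    combined size in bytes. Symlinks are not followed, so a looped link
    cannot make the walk run forever.
    """
    counts = Counter()
    total_bytes = 0
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            ext = Path(name).suffix.lower()
            if ext not in IMAGE_EXTENSIONS:
                continue
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the scan
            counts[ext] += 1
            total_bytes += size
    return {"by_extension": dict(counts), "files": sum(counts.values()), "bytes": total_bytes}


def exposure_under_cap(summary, cap=20000):
    """How much of the inventory a stealer that stops after `cap` files would collect.

    The default cap of 20,000 is the figure Trend Micro reported for Pixsteal.
    """
    files = summary["files"]
    taken = min(files, cap)
    fraction = taken / files if files else 0.0
    return {"taken": taken, "spared": files - taken, "fraction": fraction}


SAMPLE_PAYLOAD = b"constructed-data"  # 16 bytes of filler, not a real image


def build_sample_tree(root, jpg=3, png=2):
    """Create a constructed sample tree: JPGs at the top level (one with an
    upper-case extension), PNGs in a 'sync' subfolder, plus a non-image file."""
    root = Path(root)
    (root / "sync").mkdir(parents=True, exist_ok=True)
    for i in range(jpg):
        ext = ".JPG" if i == 0 else ".jpg"
        (root / f"photo{i}{ext}").write_bytes(SAMPLE_PAYLOAD)
    for i in range(png):
        (root / "sync" / f"screenshot{i}.png").write_bytes(SAMPLE_PAYLOAD)
    (root / "notes.txt").write_bytes(SAMPLE_PAYLOAD)  # must not be counted
    return root


def run_demo(jpg=3, png=2, cap=4):
    """Build the constructed tree in a temp dir, inventory it, and clean up."""
    root = tempfile.mkdtemp(prefix="photo-inventory-")
    try:
        build_sample_tree(root, jpg=jpg, png=png)
        summary = inventory_images(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return summary, exposure_under_cap(summary, cap)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Real run: python photo_inventory.py ~/Pictures
        summary = inventory_images(sys.argv[1])
        exposure = exposure_under_cap(summary)
    else:
        summary, exposure = run_demo()
    print(f"image files: {summary['files']}  ({summary['bytes']:,} bytes)")
    for ext, n in sorted(summary["by_extension"].items(), key=lambda kv: -kv[1]):
        print(f"  {ext:6} {n}")
    print(f"under a {exposure['taken']}-file cap: {exposure['fraction']:.0%} of images exposed, "
          f"{exposure['spared']} spared")
```

Run it against a real folder (for example your photo sync directory) to get the same kind of count the author made; with no argument it runs on the constructed sample tree. The point of `exposure_under_cap` is that for most personal machines the whole collection falls under the cap, so a fixed file limit offers no real protection.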

The Safety Net program of the San Diego Police Foundation

There are several possible answers, one of which was highlighted last Thursday when I attended a meeting about the San Diego Police Foundation’s SafetyNet program, of which ESET is a sponsor. The meeting was hosted by another sponsor, our local NBC station, and the program is designed to help parents “Keep Kids Safe Online!” through the Smart Cyber Choices initiative.

The meeting heard a moving presentation from former news anchor Susan Taylor about the effects of cyber-bullying. One topic which came up in several of the video testimonials recorded by teenagers who had been bullied via digital media was sexting.

Here’s how the Concise Oxford English Dictionary described sexting when it added the word in 2010:

Sexting (noun, informal): The sending of sexually explicit photographs or messages via mobile phone: “like it or not, sexting is part of growing up in 2010”

A closely related phenomenon is something you might call sex-posts: sexually explicit photographs posted to social media sites. Whatever you call these practices, they are fraught with risks, not least of which is the use of the shared images for purposes other than those intended by the creator of the image. This got me thinking about picture-stealing malware, and I went back to Fahmida Rashid’s article. She had already made the connection:

“The Internet Watch Foundation found in a recent survey that 88 percent of explicit or suggestive images posted by young people of themselves on social networking sites later showed up on other “parasite websites,” according to a report by the Guardian.”

If you are raising kids today, the Guardian report makes for shocking reading: “Children and young people are posting thousands of sexually explicit images of themselves and their peers online, which are then being stolen by porn websites, according to a leading internet safety organisation.” There is a lot that can be said about this, like: Talk to your kids today and tell them not to engage in sexting or any other sharing of sexually explicit images. However, if we focus on the cybercrime connection, then it seems clear that a market for stolen images of this nature exists. In that context, malware that goes and steals images at the source, rather than waiting for people to post them on social media sites, clearly has potential as a money-maker.

The effects on the individuals victimized by this type of data theft can be devastating. Here is one example from the Internet Watch Foundation, cited by the Guardian:

“One girl found explicit photos of herself online after her phone was stolen, while another admitted to attempting suicide after losing control of sexually explicit images: “I came to regret posting photographs of myself naively on the internet and tried to forget about it, but strangers recognised me from the photographs and made lewd remarks at school,” she said. “I endured so much bullying because of this photograph and the others … I was eventually admitted for severe depression and was treated for a suicide attempt.””

We will have more to say about the risks inherent in digital photos, particularly in the light of malware developments, but for now some thoughts about basic risk assessment and defensive measures would seem to be the order of the day:

1. Everyone, regardless of age, should THINK before even taking a sexually explicit photo with a digital camera. A digital image is entirely different from a traditional photograph. Not only does a digital image lack the natural filter imposed by the need to have a stranger at a photo lab chemically develop the image, it can be copied and transmitted in seconds.

2. Think twice, make that three times, before sharing an explicit image on social media, via email, or through SMS.

3. Once it is out there it is never coming back. Once you share you lose control. Even if you are a movie star who can afford to pay millions of dollars to a team of attorneys, you will find it almost impossible to scrub an image from the Internet. And scrubbing it from the minds of those who have already seen it is definitely impossible.

4. What happens on your phone does not stay on your phone. Phones are synched with computers. Phones store files in the cloud. Phones and computers can be hacked or stolen. Digital devices can be attacked by malware, even without an internet connection.

5. Vigilance and layered defense are the order of the day. Strong passwords on accounts and devices. Different passwords for different accounts and devices. And a good antivirus program that is regularly updated.

Note: Bob Hansen from NBC News just covered this story and there is likely to be more coverage here on the blog. For one thing, the risks of digital photos don’t end with teenagers and nudity. Think about photos of checks, passwords, home interiors, new purchases, and so on. And stay tuned.

Stephen Cobb
ESET Security Expert
