Remember the good ol' days, when all that we had to worry about was being phished via our own email inboxes? It's a dangerous new world—malware lurks unseen everywhere, and even something as simple as opening up the wrong image online might be enough to put you and your device at risk.
But how can malware hide in image metadata? How can you avoid being targeted by scammers?
Hidden Malware in Metadata: What Is Going On?
Reports of Trojan profile pictures on Slack, Discord, WooCommerce, and Steam have been cropping up, all bearing dangerous hidden code; the image acts as a vessel, conveying the malware without necessarily being "infected" itself.
These attacks are able to reach victims through a number of supposedly secure channels, all through metadata.
Cybercriminals are able to catch a ride on something like a user's profile picture, slipping past authorities covertly. This is really difficult to detect without digging into every single image uploaded to a given server.
Malware in Images: How Is That Even Possible?
Images online may sometimes harbor dangerous malware. It's not always easy to pick up, even with EXIF analyzation software such as Jeffrey's Image Metadata Viewer. You need to know what you're looking for, and the average user doesn't always have the background or the know-how.
In one example from GDATA, a JPEG meme is shown exhibiting a "bad length" for its ICC profile after being examined with an EXIF tool. Ordinarily, this is where the output standard for the image would be found. It's been replaced by encrypted JavaScript malware.
After making it to you through one of the websites mentioned previously, this on-board malware requires something on your turf in order to extract itself. If you're being targeted, this downloader may come to you in the form of an email attachment or through a malicious web app.
The photographers out there are probably thinking: who even comes up with this stuff? All's fair in love, war, and hacking.
How to Avoid Getting Hacked By Metadata Malware
The obvious answer would be to avoid using any of the platforms where these types of attacks appear to be common. What else can you do to stay on the safe side?
1. Never Download Anything Suspicious
Don't download anything you're not sure about. This is doubly true if the person who sent it isn't somebody that you know.
In theory, you're safe as long as you never copy over any of the execution software that goes along with these images to your computer.
2. Scrutinize the Unfamiliar
We're not saying that you shouldn't consider an app or site that you've never used before. All that we're saying is that if something feels wrong, you should trust your gut.
Try to stay away from websites that look shoddy, slapdash, or superficial, and avoid any forms, pop-ups, or downloads therein if you do find yourself somewhere seedy.
3. Avoid Inputting Personal Data on Your Devices
If a device can log a keystroke, everything that you do becomes data that others can collect. Your credit card numbers, your PIN number, your social security number, and all of your usernames and passwords are fair game, every single time you type them out.
This problem, naturally, can be difficult to avoid—you need to scan your devices with a security suite to make sure you're not infected, and use two-factor authentication whenever you can.
4. Invest in the Right Antivirus Software
When in doubt, it never hurts to enlist some help from the pros. Many companies offer software packages that'll scan each download, check your computer regularly for malware, and even stop you from visiting sites that appear to be less that reputable from the back-end. Some antiviruses are even free!
Malicious Metadata: Take My Life, Please
The ingenuity of this tactic, admittedly, is inspired. In many cases, you won't even know that it's happening to you until it's already too late.
You'll need to keep your eyes and ears open, especially when inviting a new brand or service into your inner circle. It's always better to be safe than sorry.