Home-Office Photos: A Ripe Cyberattack Vector

zoom bombing

Threat actors can use personal information gleaned from images to craft targeted scams, putting personal and corporate data at risk.

That photo that appears when someone disables his or her Zoom video, or those photos of a remote worker’s home office shared on Instagram may seem innocuous and playful. However, they could become ammunition for threat actors to launch targeted scams and put personal and critical data at risk, a cybersecurity researcher has warned.

Jason Nurse, an associate professor in cybersecurity at the University of Kent, and a visiting academic at the University of Oxford, cautioned that personal photos and information shared via various online platforms used by remote workers can expose not only the employee, but also corporate networks, to threats from savvy attackers who are looking to exploit personal data. He shared his thoughts in a post published Wednesday on Sophos Naked Security blog.

With more workers online than ever due to the COVID-19 pandemic, people have gotten so comfortable with sharing photos and other personal information online that they may not be aware of how it can be misused, Nurse said.

Moreover, the pandemic in general has been stressful for everyone as people try to juggle their everyday lives amid the disruption to daily routine, which means that people have their guard down more than ever when cyberattackers come calling.

“While the sharing of such photos may seem harmless and even a must-do at the time, the reality is that we are, once again, falling into the age-old trap of oversharing,” he wrote in the post. “We are forgetting to ask ourselves: What might a criminal or fraudster do with this information?”

The answer is quite a lot, Nurse surmised. That’s because the more a threat actor knows about a person, the more he or she and the company they are working for are vulnerable to attack, he said.

How Work-from-Home Photos Can Be Misused

Nurse posited several ways threat actors could misuse the information from the photos remote workers use on online — which are often shared with easy-to-track tags such as #WorkfromHome and #HomeOffice.

One is to make the workers themselves the targets of personalized scams that use their name or information gleaned from data they’re shared. for instance, a picture of a gift package from one’s company that shows a home address or reveals a birth date could be the tip of a spear-phish.

“Let’s say you are emailed an ‘e-gift card’ on your actual birthday by a long-lost friend looking to reconnect,” Nurse said. “Many people would be more likely than usual to open the gift-card attachment because the date is correct, unaware that it is actually a piece of malware or ransomware, and that the fraudster knows your birthday because it was posted online months earlier.”

Attackers also use personal information obtained by people’s online activity and photos to guess passwords to break into their accounts, which also expose them to risk not only to data theft, but also potential financial consequences.

There’s also plenty in the backgrounds of video calls and pictures for threat actors to exploit, Nurse said. For instance, people often share images of their work set-ups that appear harmless – but they may have a pet working next to their computer or there may be evidence of a child being home-schooled online. This is a treasure trove of info that can be used to guess passwords.

Photos and videos posted by home workers online also can expose corporate data and therefore the corporate networks to which they’re connected to, he added.

“Analysis of images of home-working environments has revealed work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers and internal identification numbers of devices,” he said.

An attacker can use this info to craft an email appearing to be a known supplier or business contact to dupe targets into downloading malware — which can then have a ripple effect on the corporate network, Nurse suggested. Or, a threat actor could impersonate someone from a company’s IT department and ask them to initiate what seems like a typical update, but which instead is nefarious activity, he said.

In all, overshared work-from-home backgrounds and photos are just part of the well-documented phenomenon of how businesses have struggled with the transition to having an almost entirely online workforce during the pandemic, with security suffering and thus already providing a wider playing field for attackers.

How to Protect a Work-from-Home Space

The good news is, it’s easy to avoid falling into the trap of oversharing and thus threat exposure when working remotely, by following some simple advice, Nurse said.

Remote workers should always keep in mind what’s in the background of photos or video-conference calls, and even consider using a virtual background when conducting the latter. People can also blur the background of video-related activity to obscure it so potential attackers can’t see anything clearly enough to exploit it, he said.

And while people working alone in relative solitude at home may be tempted to share their remote-working set-up on various social-media platforms using a fun and clever hashtag, Nurse advised against this behavior — it’s an easy way to protect personal data from being used against them.


Suggested articles