By Jason Nurse, Sophos
April 7 2021: Most of us now use online platforms routinely – in some countries, almost exclusively – to engage with work colleagues, friends, family and loved ones.
One worrying trend is the posting online of photos of home-working setups, video calls, and virtual meetings.
This trend has spawned its own series of hashtags, including #WorkFromHome, #WorkingFromHome, #RemoteWork and #HomeOffice. Others allude to the app used, such as #Zoom and #MSTeams.
While the sharing of such photos may seem harmless and even a must-do at the time, the reality is that we are, once again, falling into the age-old trap of oversharing online and overlooking the risks.
We are forgetting to ask ourselves: what might a criminal or fraudster do with this information?
Fraudsters, scammers and other cybercriminals love when we share information openly online about our lives, personal or work-related.
These insights make their jobs of targeting us substantially easier, while the ongoing pandemic – a situation where people are overly anxious, stressed, away from support groups, and balancing work and family life in the same physical space – increases our vulnerability to these attacks.
Opening yourself to targeted scams
Scams are a preferred form of attack for many criminals. They are often simple to launch and, if well-executed, can have relatively good success rates.
As we have become more aware of scams, criminals have had to become more cunning.
One way they have sought to boost success rates is to personalise scams – think spearphishing-type attacks.
No longer do we see “Dear user”, but rather “Dear [your name]”. And, scams now even use your old passwords within their messages to you.
These personal details are often gathered from your online presence and old data breaches – think of it as open-source intelligence (OSINT) gathering focused on you. Its purpose is to increase the believability of their tricks, and it works!
Now we are also leaking personal information through home-working photos and visuals – even that seemingly-harmless background shown during video calls.
Beware revealing more than you planned in your working from home photos
Family members (in person or photo form) often feature in the background of video calls, along with your hobbies, favourite sports teams and television shows, and other personal insights.
Photos tagged with #WorkFromHome, #WorkingFromHome, #HomeOffice have also revealed:
- Birthday parties (celebrated on Zoom or Teams), thereby exposing birthdates.
- Home addresses, through photos revealing addresses on Amazon parcels or postal mail.
- Names of family members, children and pets.
The variety of information that may be exposed in such contexts is endless and is only limited by what will fit into your home office (be it a bedroom, living room, or actual office).
Each of these pieces of information stands to put you at greater risk of scams if it reaches the wrong individual.
From research, we know, for instance, that passwords are often created from favourite teams, music artists, hobbies, and the names of children and pets. This information could therefore easily be fed into a password-guessing attack.
Or, let’s say you are emailed an ‘e-gift card’ on your actual birthday by a long-lost friend looking to reconnect. Many people would be more likely than usual to open the gift card attachment because the date is correct, unaware that it is actually a piece of malware or ransomware, and that the fraudster knows your birthday because it was posted online months earlier.
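To make the password-guessing point concrete, here is an added example (not code from the original Sophos post) of how an attacker turns a handful of facts gleaned from a home-office photo into a targeted candidate list. The profile values (pet, team, child, TV show), the year range and the suffix list are all constructed for illustration; the mutation rules are the usual ones (capitalisation, leetspeak, appended years and digits) rather than any specific tool's rule set.

```python
"""Targeted password-candidate generator built from OSINT facts.

Added example, not part of the original Sophos post. It shows why a
pet's name, a favourite team or a child's name, once gathered from a
#WorkFromHome photo, feeds directly into a password-guessing attack.
The profile below is constructed for illustration (hypothetical target);
the mutation rules are generic, not any particular tool's rule set.
"""
from itertools import product

# Constructed OSINT profile of a hypothetical target (not a real person).
PROFILE = {
    "pet": "biscuit",
    "team": "arsenal",
    "child": "emily",
    "show": "starwars",
}
YEARS = ["2019", "2020", "2021"]       # assumed plausible years to append
SUFFIXES = ["", "1", "123", "!", "!1"]  # common trailing tokens
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def case_variants(word):
    """Lower, Capitalised and UPPER forms of a word."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """The word as-is plus a simple leetspeak substitution (lowercase only)."""
    return {word, word.translate(LEET)}


def generate_candidates(profile, years=YEARS, suffixes=SUFFIXES):
    """Return a sorted, de-duplicated list of candidate passwords.

    Every profile value, and every ordered pair of two different values
    (people concatenate favourites, e.g. 'arsenalemily'), is run through
    case and leet mutations, then optionally given a year and a suffix,
    producing strings such as 'Biscuit2020!'.
    """
    bases = set(profile.values())
    for a, b in product(profile.values(), repeat=2):
        if a != b:
            bases.add(a + b)
    candidates = set()
    for base in bases:
        for cased in case_variants(base):
            for mutated in leet_variants(cased):
                for year in [""] + list(years):
                    for suffix in suffixes:
                        candidates.add(mutated + year + suffix)
    return sorted(candidates)


def in_wordlist(password, profile):
    """True if `password` would be covered by the generated list."""
    return password in set(generate_candidates(profile))


if __name__ == "__main__":
    words = generate_candidates(PROFILE)
    print(f"{len(words)} candidates, e.g. {words[:5]}")
    for pw in ("Biscuit2020!", "B15cu1t123", "Arsenalemily1", "xK9#vq2Lm"):
        print(pw, "->", "hit" if in_wordlist(pw, PROFILE) else "miss")
```

The list is small by cracking standards, which is the point: an attacker who knows four personal facts does not need billions of guesses, so a password built from any of them falls quickly, while a random one such as the last probe above is not covered at all.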
You’re leaking corporate data
Businesses have struggled to keep pace with how quickly they have had to adopt digital technologies over the last year. And securing the remote workforce is still very much an ongoing uphill battle for many.
Along with the more typical secure remote working considerations such as VPNs and managed credentials, you also need to worry about oversharing – this time of corporate data.
Analysis of images of home-working environments has revealed work email inboxes, internal emails, names of individuals in emails, private web pages, potentially sensitive internal business correspondence, software installed on computers, and internal identification numbers of devices.
In many cases this information was in the background of video calls or photos of pets near/on keyboards, in the background of children being home-schooled, or within snaps of a nice home-made lunch. Any of these digital footprints could be used in a corporate hack.
Sensitive data in the background of your cute pet photos is a gift to crooks.
For example, an attacker may contact an employee under the guise of a known supplier, drawing on information gathered from an email visible in a photo.
Or, they may get in touch with the employee pretending to be from the IT department, asking the staff member to update a piece of software that only internal employees would (should!) know about.
In both cases, employees may be tricked into providing more sensitive files or data, directed to download malware, or exploited through a range of other attacks.
There have been similar issues with numerous data breaches in the past, where unsecured corporate servers exposed online have leaked data, including millions of business and customer records.
Read the original Sophos blog here