by Dr Simon Wiseman, Chief Technology Officer

Steganography and the rise of invisible financial crime

Banks and financial companies are targets of coordinated cyber-attacks as highlighted in the report by the Financial Times.

Hackers are increasingly using a new technique called steganography to conceal malicious code and get valuable data past security scanners and firewalls. Now more than ever, it is crucial for companies to re-evaluate the way they protect their data.

Dr Simon Wiseman, CTO of Deep Secure explains how hackers use this method and the ways it can be prevented or rather eliminated completely.

How is the data attacked?

A workstation on the bank network begins to poll Twitter searching for a pre-defined hashtag. When it spots the hashtag on the Twitter site, it downloads the associated image from the post. This seemingly innocuous event is actually the opening of a command and control channel that the cyber-criminal will use to infiltrate the organisation further and commit a financial crime on an industrial scale.

From the initial compromise to the final exfiltration of funds, the crime is concealed in superficially harmless images using a technique called steganography. It’s a classic e-heist, with a twist. It evades detection completely and that’s the problem the world’s banking and financial institutions are facing.

What is steganography?

Steganography from (Greek steganos, or “covered,” and graphie, or “writing”) is the hiding of a secret message within an ordinary message and the extraction of it at its destination. There are many ways of achieving this which cyber-trespassers use to their advantage. To take one example, hidden content could be encoded in an image using subtly different shades of colour – invisible to the naked eye – that when decoded reveal an entire customer database. Put the original and the compromised image side-by-side and one would not tell them apart, but the latter is worth millions.

How big is the problem?

Unlike cryptography where the presence of some concealed content can be detected but not understood, steganography makes it impossible to detect the presence of hidden content. That’s what makes it such a threat. Steganography is not new and has been used to conceal data for years. But it is the increasing use of image steganography as a vector for the infiltration of malware and/or the exfiltration of valuable data from a protected network that is worrying.

The popularity of image steganography amongst cyber-attackers is on the rise – malware exploit kits and malware-as-a-service offerings now include steganography as standard – and the reason for this is very simple: image steganography is easy to implement and virtually undetectable, making it highly attractive. After all, why would organised crime be bothered playing cat and mouse with cyber-defences anymore when they can move to an easier method?

Combatting an undetectable financial crime

While some reasonably amateurish types of concealment using steganography can be detected (albeit at the expense of a lot of false alarms), the professional cyber-invader is using image steganography in a way that is completely invisible to both the eye and to analysis.

Of course, businesses can employ some basic hygiene precautions to try to limit the threat. For example, if the network allows the use of social media, it will pay to keep it well away from sensitive data and systems. However, the most important step to take is to start thinking that detection is not the answer to this particular problem.

There is no point in trying to detect image steganography. A company has to look to employing a defence that will eliminate its hiding places by removing and replacing redundant data in images.

Content Transform

In March 2018 industry analyst Gartner published a report entitled “Beyond Detection: 5 Core Security Patterns to Prevent Highly Evasive Attacks”. In the findings, the author drew attention to Content Transform as key to building defences against threats like image steganography.

Deep Secure uses Content Transform in its Stegware Threat Removal platform to extract only the necessary business information from images crossing the network boundary. The data carrying the information is discarded, so redundant data is removed and replaced along with any threat. Brand new images are then created and delivered to the user. Nothing travels end-to-end but safe and digitally pure content. Attackers cannot get in and the threat of concealed exploits is destroyed.

A recent study found that the size of the average web page has quadrupled in the last six years and 67% of that page is now comprised of images. Twitter has 330 million monthly active users and much of what they share are images. Little wonder that cyber-criminals can see the opportunity for committing financial crime using this technique.

Content Transform is a way to get and stay ahead of these attackers as it eliminates threats and leaves no opportunity for evasion techniques to be developed. Done correctly the result of this approach can be termed ‘Content Threat Removal’ (CTR) because that’s exactly what it does.