I am often asked this question by clients and particularly prospective clients, who think they do not need our cyber security awareness training or any of the tools in our security stack.
The answer to the question is not easy, in a Word or OneNote file, through a link to the internet, a malicious Google ad, on an infected USB stick – all things I have written about here. But here is a newish one.
Steganography
Steganography is the practice of concealing a message, image, or file within another message, image, or file. The goal of steganography is to hide the existence of the hidden data. Steganography can be used for various purposes, such as protecting sensitive information, enhancing security, evading censorship or spreading malware.
We studied this at uni, and most of us thought it was a bit of fun creating hidden code in family photographs, rather than a serious threat. However if the hackers see a way to get their malware onto your computer they will use it.
Xavier Mertens has an article here looking at an example of this attack he found in the wild.
ShellCode Hidden with Steganography – SANS Internet Storm Center
Your takeaway from this
I am going to quote myself:
…if the hackers see a way to get their malware onto your computer they will use it.
Clive Catton MSc (Cyber Security) – by-line and other articles