
How the new Instegogram threat creates liability for organizations

Opinion
26 Dec 2023, 4 mins
Legal, Risk Management, Threat and Vulnerability Management

Organizations might be at risk of liability for images containing malicious code they post on social media even if they were unaware of it.

[Image: Instagram phone login screen. Credit: Foundry]

Writing in 2017, one of the authors of this article noted that, “Social media networks represent the largest, most dynamic risk to organizational security and allocating liability.” Unfortunately, with the growth of social media networks since then, this threat has only increased. First identified in 2016, this risk combines digital image steganography and social media in the corporate environment. While neither steganography nor social media is new, combining the two as a tool for malware distribution is novel.

What is Instegogram?

This scheme, known as “Instegogram,” is the use of social networks, Instagram in particular, as a threat actor’s command-and-control site. Instegogram is unique in that “once the remote system is compromised, encoded images can be posted from the command machine using Instagram’s API. The remote system will download the image, decode it, execute the encoded commands, encode the results in another image, and post back to Instagram.” Instegogram was created for academic purposes, but its potential use as part of a malware attack raises the question of who would be liable for such an attack.
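One check a defender can run on images before an organization posts or ingests them, as an added example that is not part of this article or the original Instegogram research: a standard-library chi-square “pairs of values” screen for LSB-replacement steganography. The cover data and its LSB-overwritten copy are constructed fixtures rather than real images, and the function names are this example's own.

```python
# Added example, not code from the article: a chi-square "pairs of values"
# (PoV) screen for LSB-replacement steganography in 8-bit grayscale samples,
# standard library only. Cover data here is constructed, not a real image.
import math
import random

def pov_chi_square(pixels):
    """Return (chi2, dof) comparing the counts of each value pair (2k, 2k+1).

    Overwriting LSBs with a random payload makes both counts in every pair
    nearly equal, so chi2 drops to about dof; an untouched cover with an
    irregular histogram keeps the pairs unequal and chi2 far above dof.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        expected = (a + b) / 2.0
        if expected > 0:
            chi2 += (a - expected) ** 2 / expected
            dof += 1
    return chi2, dof

def pov_p_value(chi2, dof):
    """Upper-tail chi-square probability (Wilson-Hilferty normal approximation)."""
    if dof == 0:
        return 1.0
    mean, sd = 1 - 2.0 / (9 * dof), math.sqrt(2.0 / (9 * dof))
    z = ((chi2 / dof) ** (1.0 / 3.0) - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2))

def looks_lsb_embedded(pixels, min_p=1e-3):
    """True when the pair counts are too even for a natural cover (p not tiny)."""
    chi2, dof = pov_chi_square(pixels)
    return pov_p_value(chi2, dof) > min_p

def make_cover(n=20000, seed=1):
    """Constructed stand-in for a natural cover: an irregular 256-bin histogram."""
    rng = random.Random(seed)
    weights = [rng.random() for _ in range(256)]
    return rng.choices(range(256), weights=weights, k=n)

def overwrite_lsb_plane(pixels, seed=2):
    """Replace every LSB with a random bit: the statistical footprint of a
    full-capacity LSB payload, used only as a test fixture for the screen."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]
```

The screen only catches naive LSB replacement in raw pixel data; it says nothing about JPEG-domain or adaptive embedding, so treat it as one signal among several rather than a verdict.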

Instegogram attacks could remove liability protections

Under Section 230 of the Communications Decency Act (CDA), companies that offer web-hosting services are typically shielded from liability for most content that customers or malicious users place on the websites they host. However, such protection may cease if the website controls the information content. A company that uses a social media network to create the picture or develop information would arguably control that information and thus may not be immune. That is, if a service provider is “responsible, in whole or in part, for the creation or development of the offending content,” its actions could fall outside the CDA’s protections.

Whether the CDA protections extend to damage caused by malware is still largely an open question of law. Companies could therefore be liable for third-party damage resulting from an Instegogram attack, even if they did not know the digital image was infected. As no statutory immunities exist to shield social media users, a company could be liable for any resulting damage caused by a criminal hacker’s embedded command-and-control infrastructure.

Minimizing risk from Instegogram and other social media attacks

In recent years, the use of social media platforms for cyberattacks has increased, and companies have become more vulnerable to attacks. Therefore, organizations should take necessary precautions and establish security measures to minimize the risk of cyberattacks. Companies should educate their employees on the potential threats of social media and the importance of avoiding opening suspicious links or downloading unfamiliar attachments. Additionally, it is crucial to keep software up-to-date, install antivirus software and firewalls, and limit access to sensitive information. By implementing these measures, companies can reduce the likelihood of being a victim of cyberattacks.

In addition to these security measures, companies should work with their insurance brokers and insurers to review their insurance policies and assess coverage for this risk. Companies should be aware that a number of insurance policies could cover such liabilities, including those associated with cyber risks, errors or omissions, or those addressing media liabilities.

Anna Diaz Gessner contributed to this article.

Disclaimer: This content is intended for general informational purposes only and should not be construed as legal advice. If you require legal or professional advice, please contact an attorney.

by Daniel B. Garrie

Daniel B. Garrie is a distinguished neutral with JAMS, an arbitrator, mediator, and Special Master with expertise in cybersecurity, data privacy, e-discovery, and intellectual property. He is the Founder and Managing Partner of Law & Forensics LLC, where he leads the cyber security and forensic practice teams and frequently testifies as an expert witness on e-discovery, cybersecurity, and computer forensics. Additionally, he is a Fellow of the Academy of Court-Appointed Neutrals. He is also a Professor at Harvard in the School of Continuing Education, teaching Information Security, Computer Forensics, and Cybersecurity Law.

Jennifer Deutsch, director of privacy services at Law & Forensics, LLC, is a renowned privacy professional and licensed attorney focused on ensuring data security and privacy standards. Her expertise lies in cybersecurity audits, compliance assessments, and digital forensics investigations.

Peter A. Halprin is a partner in Haynes and Boone, LLP’s New York office. Peter represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies in relation to cyber breaches and cybercrime, COVID-19 and natural disasters, professional services, regulatory investigations, and technology disputes. Over the course of his career, Peter has arbitrated, litigated, and mediated claims involving a broad range of insurance policies and recovered hundreds of millions of dollars in insurance proceeds for policyholders. Peter has helped clients pursue insurance coverage for business e-mail compromise schemes, cyber crimes, data breaches, fraudulent e-mails, invoice manipulation schemes, phishing and whaling attacks, ransomware attacks, privacy and statutory liability, and technology E&O disputes. He is also a prolific author and speaker on insurance coverage for cyber risks. In addition to being a faculty member at the Global Cyber Institute, he is an adjunct professor of law at the Benjamin N. Cardozo School of Law, and a fellow with the Chartered Institute of Arbitrators. He also recently completed a Harvard VPAL course entitled “Cybersecurity: Managing Risk in the Information Age.”