How Online Pornography Can Put Your Company at Risk From Hackers and Other Criminals
It may be embarrassing to talk about, but it's an issue that more companies need to address: employees who access online porn sites.
From a business standpoint, online adult content tends to be viewed as an "HR issue," rather than a security issue. But, the reality is that risqué websites and apps are increasingly targeted by hackers as a way of infecting the end user. This should raise a big red flag for companies, because if an employee is infected on a work computer or from a personal device that has access to company data or networks, the entire business could be at risk.
And the threat is getting worse. Not only is traditional malware proliferating online, but criminals are creating fake porn apps to lure people into installing these malicious programs on their mobile devices. Large-scale breaches of sensitive databases -- like the AshleyMadison hack of 2015 -- are also a significant opportunity for extortion. Dating websites, "cheater" services, explicit social media sites and virtual sex via webcam are all prime opportunities for blackmailers. In fact, the UK's National Crime Agency recently ran a nationwide ad campaign to raise public awareness about these risks. New online tools like FakeApp, which make it easy to generate fake pornography using the images of real people, further push the boundaries for criminals, creating new opportunities for harassment and extortion.
The bottom line for businesses is this: If employees are engaging in risky online activities, like viewing pornography or using "cheating" services, the chances of a corporate data breach will increase. Employees are always the weakest link in any business's cybersecurity program, so adding to that risk is obviously a problem.
Here is what businesses need to know.
What are the primary risks?
Malware, credential theft and extortion are the key concerns with adult content websites and apps.
Pornography websites are a good conduit for malware since there is a lot of rich media on these sites and pop-up ads are frequent. Due to the sites' sensitive material, this also gives the hacker considerable leverage over the individual that could be used to extort information, such as account passwords and network credentials.
The danger for businesses is that an employee's personal activities online could lead to a malware infection that spreads within the company, either from a work computer or by piggybacking off of a personal device used for work purposes to get inside the firewall. Targeted extortion could also be used to get direct access to company accounts.
How do criminals deliver these attacks?
In many cases, they infect a legitimate porn website or its third-party advertising network with malware, which then spreads to anyone who visits the site. For instance, in just the last year we've seen two large malware campaigns targeting porn sites -- "pornblackmailer" and Pornhub's click-fraud malware.
However, many criminals are now also creating fake adult-themed apps that trick people into installing malicious programs on their mobile devices. According to a report this year, Kaspersky Lab found "23 malware families that use porn content to hide their real functionality." Overall, it estimates 1.2 million mobile users encountered this type of malware last year.
Adult-themed phishing is another method hackers use to steal credentials or infect the user's device with malware.
What types of malware are used?
Cybercriminals are nothing if not diverse and prolific, but most reports show that porn-related malware is generally focused on credential harvesting (i.e., stealing log-ins/passwords) and financial fraud. That should be a concern for businesses, because it would not be difficult to retool this malware in order to aim it at company account log-ins and banking accounts.
The fake mobile apps are equally concerning, as Kaspersky Lab estimates 46 percent are used to infect a device with "rooting" malware (which can gain high-level access and permissions on the device) and banking Trojans.
Extortion is a growing threat.
One particularly disturbing new trend is the use of adult content to extort or blackmail individuals, using their fear of humiliation as leverage.
We've seen a variety of schemes like this recently, such as "pornblackmailer" which takes screenshots of the victim's computer to threaten them, and the "we know what you just watched" email scam, which has specifically targeted business email addresses. Last year, researchers also discovered a ransomware campaign called "Karo" that threatens to publicly share any nude photos discovered on the victim's computer. Webcam sextortion is also increasing around the world, with some victims even resorting to suicide.
In most of these scenarios, the attackers were only after small payments from the victims. But, what if a hacker used these same methods to force an employee to hand over the company's network passwords, or to conduct an insider attack? How many employees would be able to stand up to this type of threat?
Sexual content is an Achilles' heel.
What an employee does on his or her own time is not the company's business, right? But, the problem with this long-held assumption is that in today's world of "bring your own device," remote access accounts, increased mobility and publicly accessible private lives, an employee's actions outside of the office do have an impact on the company.
This problem is compounded by the rise of online sexual content and online sexual activities. Whether it is visiting a porn site, registering for an explicit online dating service, or taking nude or semi-nude "selfies" from a personal device, all of these activities are increasingly at risk of exposure from hackers. Just look at the Brazzers hack, the AdultFriendFinder breach and the many celebrity phone hacking scandals over the years. A recent report also found that many popular dating apps, like OKCupid, Tinder and Bumble, have vulnerabilities that could expose users' information to hackers, blackmailers and stalkers.
What should businesses do?
For starters, every company needs to have a strict workplace policy that forbids employees from visiting pornography websites in the office or from a company-owned device. Businesses should reinforce this policy with a web filter on the network that will make accessing these sites difficult.
It is also a good idea to educate employees about the risks of adult-content sites and apps, such as malware and extortion. This can be incorporated into any general security awareness program.
Lastly, since a company cannot -- and should not -- control the personal lives of its employees, it needs to take a few steps to limit the risk of an insider threat. That threat could be a malware infection that spreads from the employee's device to the entire network, or it could be a rogue action forced by a blackmailer -- such as sharing a key password. To offset this risk, "access controls" are needed. No employee should have too much access to critical company accounts or information. Limit employees' remote access to only certain parts of the network. Passwords should be changed regularly and protected by non-SMS/email two-factor authentication; Google Authenticator is a good option for this. If possible, the company's network should also be segmented to prevent infections from spreading laterally across the entire network. Strong antivirus and firewalls are important, but they won't protect against insider attacks, so taking an extra defense-in-depth approach is key.