As Wikipedia states: Steganography (/ˌstɛɡəˈnɒɡrəfi/ STEG-ə-NOG-rə-fee) is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography comes from Greek steganographia, which combines the words steganós (στεγανός), meaning “covered or concealed”, and -graphia (γραφή) meaning “writing”.
Ancient Greek leader Histiaeus used this practice back in 440 BC, when he shaved a trusted slave’s head, tattooed a secret message on his scalp, let his hair grow back, and then sent him off to be shaved again by the message recipient.
In IT terms, steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection; the secret data is then extracted at its destination.
Today, a similar idea is used by almost everyone, often without even knowing it. Do you have an Android phone? Do you take photos? Do you like geotagging? Geotagging is when you take a photo and then display it on a map. The photo carries metadata to which the GPS location is added, and the application used to display the photos reads this metadata and puts each photo on the map. Metadata is not steganography, but it gives a rough idea of how one type of information can be stored along with another, with an application reading both or only one.
A digital image, such as a JPEG file, contains several megabytes of data in the form of pixels. This leaves some space for someone to embed steganographic information within the digital file. With the use of steganographic applications, a hacker may alter the least significant bits of the data file and embed malicious code into the image. Once the targeted user downloads and opens the image file on their computer, the malware is activated. The same can happen when a website is compromised and the attacker replaces images with “altered” ones, or when a designer or developer uses an image from an unreliable source to cover a particular display need.
Imagine what could happen if this “malicious image” was displayed on the cart page of an e-shop where you were about to check out. The malicious payload could get the saved credit cards from your PC and send them to a certain “someone” without you knowing.
And the above is just an example…
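The least-significant-bit alteration described above leaves a statistical trace that a defender can test for. The following is an added example, not code from the original article: it runs a pair-of-values chi-square check over raw pixel bytes, using constructed sample data and an illustrative threshold (both assumptions).

```python
import random

def embed_lsb(pixels, bits):
    """Overwrite the least significant bit of successive bytes with payload bits."""
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels, count):
    """Read back the first `count` least significant bits."""
    return [b & 1 for b in pixels[:count]]

def pair_score(pixels):
    """Chi-square statistic per value pair (2k, 2k+1).

    LSB replacement only moves a byte between 2k and 2k+1, so it pushes the
    two counts of each pair toward their mean; a low score means the LSB
    plane looks random, as it does after embedding.
    """
    hist = [0] * 256
    for b in pixels:
        hist[b] += 1
    chi, pairs = 0.0, 0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected >= 5:  # skip sparsely populated pairs
            chi += (hist[k] - expected) ** 2 / expected
            pairs += 1
    return chi / pairs if pairs else float("inf")

def looks_embedded(pixels, threshold=2.0):
    """Flag data whose pair score is below an illustrative threshold (assumption)."""
    return pair_score(pixels) < threshold

def make_samples(seed=1):
    """Constructed sample data: four flat image regions with slight noise."""
    rng = random.Random(seed)
    cover = bytes(
        min(255, max(0, round(rng.gauss(base, 1.5))))
        for base in (40, 97, 150, 211) for _ in range(5000)
    )
    # Random bits stand in for a compressed or encrypted hidden payload.
    payload = [rng.getrandbits(1) for _ in range(len(cover))]
    return cover, payload, embed_lsb(cover, payload)

if __name__ == "__main__":
    cover, payload, stego = make_samples()
    print("cover:", round(pair_score(cover), 2), looks_embedded(cover))
    print("stego:", round(pair_score(stego), 2), looks_embedded(stego))
```

The check is strongest when most of the least significant bits were overwritten; a small payload scattered across a large image shifts the histogram far less and needs a more sensitive test.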