(When I began writing this post, the exploit described only affected a specific image file format and Facebook users. It has since been found in other image file formats and is targeting LinkedIn as well as Facebook.)
It starts with a message from one of your Facebook friends via Facebook Messenger. It might be a short message (like “LOL”, “OMG”, “Have a look at this”, “I can’t believe someone posted this”) with an image or zip file for you to open. If the attached file is a zip file and you decide to download and open it, a malware agent will be installed on your computer, which will then contact a Dropbox site to download the actual malware. The malware then sends similar infected messages to your Facebook friends, who pass it on to their friends, and so on in an ever-widening spiral.
Last year, researchers at the AppRiver security firm noticed that criminals were using SVG image files to send ransomware. Ransomware is a type of malware that will encrypt all the files on your computer and force you to pay a ransom in Bitcoins to get them back. These SVG image files were within zip files claiming to be attached resumes in job application letters. Here’s an example.
Clicking on the unzipped SVG file would send the victim to a webpage that would eventually lead to a ransomware infection.
The limitation in all of these attack vectors is the zip file. How many people would really want to go through the trouble of unzipping a file to get to its content? Sure, some would, but many would not. Besides, people are already suspicious of zip files, as they should be.
But this landscape has recently changed with the finding that a malware exploit can be installed directly from an SVG image file attached to a Facebook message. An SVG file allows code to be embedded inside the image, unseen by the person viewing it. In the case of this exploit, the code is JavaScript, and viewing the picture sends the victim to a fake YouTube page (see the actual address in the address bar below). There, you will be asked to install a browser extension in order to view the image/video. For the moment, the exploit is confined to the Chrome browser. If you’re using a different browser, nothing much seems to happen (you’ll just get a blank page). But stay tuned for changes.
It should be made clear that exploits using image files have been around for a while now. The term for hiding information in an image file is steganography. I wrote about how terrorists use this technique for secret communications: communications that can take place in plain sight. I gave an example of how I hid this picture
in the picture on the right below.
The picture on the left is the unaltered photo but the two are impossible to differentiate visually. I could have easily converted a text file to an image file and sent a message to someone who could decode it with readily available software.
Last year, Saumil Shah demonstrated how a complete exploit could be hidden in an image file. In other words, clicking on the photo to view it in the browser would compromise the victim’s computer. The click could install spyware or steal sensitive documents. Shah appropriately called this technique a ‘stegosploit’. So how long will it take for such exploits to make their way onto Facebook? I would guess that they are already under construction. In fact, in the last two days, researchers have found a more advanced attack method. This one begins with clicking on an image file that may be disguised as a jpg file. Clicking on the image brings up a dialog box asking if you want to save the file. If you click ‘save’, the image is downloaded to your computer. If you then open that file, you will install the Locky ransomware, which will encrypt every file on your computer, and you will be forced to pay a ransom to get them back.
Currently, the SVG exploit is being used either to download Locky ransomware, to take control of the browser and capture passwords and credit card numbers, or to send the exploit on to Facebook contacts. After the victim adds the extension suggested on the fake YouTube site, the browser is automatically redirected back to Facebook, where the extension uses the contact list. What is its final purpose? That’s not clear. It could be used for spamming purposes. It’s possible that more sophisticated attacks are being designed for these infected browsers. Google claims it has stopped the installation of the extension on its Chrome browser, but others could easily be designed to replace it. Facebook claims it is taking action against these exploits, but my response to this is…really? How? Are they planning on prohibiting all links and photos? They may scan for some malware, but new exploits appear every day. My own experience with reporting bad Facebook sites has met with poor, programmed responses.
Check Point, the security firm that discovered the latest variation of this exploit, reports that it has been spreading at an alarming rate: “In the past week, the entire security industry is closely following the massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign.” To be sure, this exploit couldn’t have come at a worse time. With the onset of the holiday season, more people will be putting up photos on social media sites. Clever criminals could easily exploit this fact. Beware of photos coming through Facebook Messenger from people you seldom hear from. Don’t open any files with zip or SVG extensions. If you do get tricked into downloading a file, do not open it, even if it claims to be a jpg file. This is because Windows, by default, does not display file extensions. In other words, the real file name would be ‘photo.jpg.svg’, but the ‘svg’ part would not be visible. If you’re using the Chrome browser, consider using an alternative until this exploit is cleared up. Check Point will be giving more details on this malware as soon as Facebook and LinkedIn find ways to block it. I will update the findings on this website when appropriate.
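As an added example (not code from the original post, from Check Point or from Facebook), here is a small Python attachment filter a defender could run on a mail or chat gateway: it flags the ‘photo.jpg.svg’ double-extension trick described above, notices when a file claiming to be a jpg is actually SVG/XML, and parses an SVG for the elements and attributes that let it run script when rendered in a browser. The two sample SVGs are constructed for illustration and are not the campaign’s files.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# An image extension sitting in front of one of these is the hidden-extension trick.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
ACTIVE_EXTS = {".svg", ".html", ".htm", ".js", ".hta", ".exe", ".scr", ".vbs"}
# SVG constructs that can execute code or load a remote page when the image is viewed.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed"}

def suspicious_name(filename):
    """True for names like 'photo.jpg.svg', where Windows would show only 'photo.jpg'."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS and suffixes[-1] in ACTIVE_EXTS

def svg_active_content(svg_bytes):
    """Return the reasons an SVG could run script when rendered; [] means none found."""
    reasons = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["not well-formed XML"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()          # strip the XML namespace
        if tag in ACTIVE_TAGS:
            reasons.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1].lower()          # handles xlink:href too
            if name.startswith("on"):                   # onload=, onclick=, ...
                reasons.append(f"{name} event handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(("javascript:", "data:text/html")):
                reasons.append(f"{name}={value[:40]!r} on <{tag}>")
    return reasons

def scan_attachment(filename, data):
    """Combine the name check with a content check, so a mislabelled SVG is still inspected."""
    findings = []
    if suspicious_name(filename):
        findings.append("double extension disguises an active file as an image")
    if data.lstrip().startswith((b"<?xml", b"<svg")):
        if PurePosixPath(filename).suffix.lower() != ".svg":
            findings.append("content is SVG/XML but the extension says otherwise")
        findings += svg_active_content(data)
    return findings

# Constructed samples: a plain drawing, and the shape of an SVG that redirects its viewer.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10"/></svg>'
SCRIPTED_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script>/* constructed placeholder for the redirect code */</script>
  <a xlink:href="javascript:go()"><rect width="10" height="10"/></a>
</svg>'''
```

The scan is a triage signal, not a verdict: a benign SVG may legitimately carry an onload handler, so in practice the findings would route the attachment to quarantine or a sandbox rather than straight to the user.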