Update: Facebook Messenger and Linkedin Users: You are Being Targeted

Check Point finally posted a detailed description on how attackers use images on Facebook and LinkedIn to install dangerous malware on a user’s computer/device. (For more on this exploit see the original article.) The installed malware will give the criminal full access to a victim’s computer and possibly encrypt all files on it with Locky Ransomware. In other words, if you open the downloaded image file, you will have to pay, in Bitcoins, to get your files back.

I will not go through all the technical details, but those interested in such things can find them here. What you need to know is that the attackers were able to probe Facebook and Facebook Messenger’s defenses with an image file in .hta or .svg format. They would see how Facebook defended itself against malware embedded in the image until they learned how to manipulate the code to breach the defense. A Facebook or Facebook Messenger user who clicked on the infected image file (often coming from a contact) will force a download, likely followed by a “how would you like to open?” interface. Opening the downloaded image releases the payload and your computer is now in control of the criminal.

The vector using LinkedIn images is a little different and Check Point’s description is a bit hard to follow. However, from what I understand, the attacker manipulates the user’s profile picture in such a way that it allows the attacker to store a malicious link in the user’s account. The profile picture will show no change as it is only used as a way into the victim’s account. It is not clear from the Check Point explanation what really happens after this. In some way, the victim is led to a malicious site which will automatically download an image file with the embedded malware. I have written to Check Point for a clarification and will let everyone know if or when I get one.


As far as I could see from the Check Point update, these attack vectors remain open. The Facebook exploit seems especially hard to patch since the attackers use the site’s own defenses against it.

It still appears that the exploit is restricted to the Chrome browser, at least for Facebook, which is why Facebook says it is not their problem. However, as I’ve written previously, it is probably just a matter of time before other browsers are manipulated. For now, I can only repeat the caution I gave in the original article as to not download images from contacts who seldom send images. This is especially true for contacts using Facebook Messenger. Since the exploit automatically downloads the infected image when clicking on it, do not open it when it reaches your computer/device. You can, however, use your own antivirus software to scan the downloaded file. Depending on your software, it may or may not detect the malware. For now, however, it is better not to download or open any files with the .hta or .svg extension. Remember also that, by default, windows will not show the extension. Thus, an image that appears to have the name, ‘Holiday.jpg’, may actually have the name, ‘Holiday.jpg.svg’. I am not using this example frivolously as this is the season for sending images, especially on Facebook.

I realize this information is incomplete at this time but I hope it helps.

4 thoughts on “Update: Facebook Messenger and Linkedin Users: You are Being Targeted

  1. This is confusing and I’d like some clarity please. In Facebook Messenger, when my friends send an image (almost always a personal photo), I don’t have to click it (from my phone) to download it. It just appears. Therefore, I’m not understanding how to protect myself by “not clicking.”


    1. That’s a good question and I understand it might not be clear. Check Point’s explanation was a bit diffuse but here’s how I understand the situation. If you are getting a picture in Messenger and you get NO message asking if you want to open or download the picture, you should be okay. If you don’t need to click on the picture, don’t. Usually the attacker (pretending to be your friend) will send you an attachment which his/her message claims to be a picture. The attachment may just be in the form of text like, picture.svg. The message will be something like, “Look at this picture.” These are the ones the attacker wants you to download and then open. They may force you to download with a message like, “Do you want to save/open this file?” I hope this helps.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s