Check Point has finally posted a detailed description of how attackers use images on Facebook and LinkedIn to install dangerous malware on a user's computer or device. (For more on this exploit, see the original article.) The installed malware gives the criminal full access to the victim's computer and may encrypt every file on it with the Locky ransomware. In other words, if you open the downloaded image file, you will have to pay, in Bitcoin, to get your files back.
I will not go through all the technical details, but those interested in such things can find them here. What you need to know is that the attackers were able to probe Facebook's and Facebook Messenger's defenses with an "image" delivered as an .hta or .svg file. Neither is a true image format: an .svg file is XML that may carry embedded script, and an .hta file is an HTML Application that Windows runs like a normal program rather than like a web page, so either one can display a picture while also running code. The attackers watched how Facebook handled malware embedded in the image and kept adjusting the code until they found a way past the defenses. A Facebook or Facebook Messenger user who clicks on the infected image (which often appears to come from a contact) triggers a forced download, likely followed by a "how would you like to open this file?" prompt. Opening the downloaded image releases the payload, and your computer is then under the criminal's control.
The vector using LinkedIn images is a little different, and Check Point's description is a bit hard to follow. However, from what I understand, the attacker manipulates the user's profile picture in such a way that it allows the attacker to store a malicious link in the user's account. The profile picture shows no visible change, as it is only used as a way into the victim's account. It is not clear from the Check Point explanation what really happens after this. In some way, the victim is led to a malicious site, which automatically downloads an image file with the embedded malware. I have written to Check Point for a clarification and will let everyone know if or when I get one.
As far as I could see from the Check Point update, these attack vectors remain open. The Facebook exploit seems especially hard to patch since the attackers use the site’s own defenses against it.
It still appears that the exploit is restricted to the Chrome browser, at least for Facebook, which is why Facebook says it is not their problem. However, as I've written previously, it is probably just a matter of time before other browsers are manipulated. For now, I can only repeat the caution I gave in the original article: do not download images from contacts who seldom send images. This is especially true for contacts using Facebook Messenger. Since clicking on the infected image triggers the download automatically, the download itself is not the infection; the damage is done when the file is opened. So do not open it once it reaches your computer or device. You can, however, use your own antivirus software to scan the downloaded file first; depending on your software, it may or may not detect the malware. For now, it is better not to download or open any files with the .hta or .svg extension. Remember also that, by default, Windows hides the extensions of known file types, so a file actually named 'Holiday.jpg.svg' is displayed as 'Holiday.jpg'. You can turn this off in Explorer's folder options ("Hide extensions for known file types"), which makes the real extension visible. I am not using this example frivolously, as this is the season for sending images, especially on Facebook.
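To make the extension and file-type checks above concrete, here is a small Python checker that looks at what a downloaded file actually contains rather than what its name claims. It is an added example, not code from the original post or from Check Point. It goes a little beyond the text: besides .svg and .hta it also flags other script-bearing or executable extensions and recognises PNG and GIF as well as JPEG. The file names and byte contents are constructed samples, and the `run()` call in the sample SVG is a placeholder, not a real payload.

```python
import re
from pathlib import PurePath

# Leading bytes ("magic numbers") of common raster image formats.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# What content a given image extension should actually contain.
EXT_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Extensions the post warns about (.svg, .hta) plus other script-bearing or
# executable ones that should never arrive disguised as a picture.
RISKY_EXT = {".svg", ".hta", ".html", ".htm", ".js", ".vbs", ".exe", ".scr"}

# Crude markers of script inside a text-based (SVG/HTML/HTA) file.
SCRIPT_RE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Guess the real content type from the bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:2048].lower()
    if b"<svg" in head:
        return "svg"
    if b"<html" in head or b"<hta:application" in head or b"<script" in head:
        return "html"
    return "unknown"


def assess(name: str, data: bytes) -> list:
    """Return a list of warnings for a downloaded file; an empty list means nothing suspicious."""
    warnings = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""

    if ext in RISKY_EXT:
        warnings.append("risky extension %s" % ext)

    # 'Holiday.jpg.svg' is shown as 'Holiday.jpg' when Windows hides known extensions.
    if len(suffixes) > 1 and any(s in EXT_KIND for s in suffixes[:-1]):
        warnings.append("double extension: %s hides %s" % (name, ext))

    kind = sniff(data)
    if ext in EXT_KIND and kind != EXT_KIND[ext]:
        warnings.append("content is %s, not %s" % (kind, EXT_KIND[ext]))

    if kind in ("svg", "html") and SCRIPT_RE.search(data):
        warnings.append("embedded script")

    return warnings


# Constructed samples, not real attack files.
JPEG_FILE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SVG_WITH_SCRIPT = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
    b"<script>run()</script></svg>"
)

if __name__ == "__main__":
    for name, data in [
        ("Holiday.jpg", JPEG_FILE),          # genuine picture
        ("Holiday.jpg.svg", SVG_WITH_SCRIPT),  # shown as Holiday.jpg with extensions hidden
        ("Holiday.jpg", SVG_WITH_SCRIPT),      # image name, SVG content
    ]:
        print(name, assess(name, data) or "clean")
```

The point of checking the leading bytes is that a renamed file keeps its real content: an SVG or HTA never starts with a JPEG, PNG or GIF header, so the mismatch is visible even when the name and the icon say "picture". This is a triage aid, not a substitute for antivirus; a file that passes it can still be hostile.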
I realize this information is incomplete at this time, but I hope it helps.