Only recently it was reported that malware was spreading on Facebook by way of an image file. Today, a security firm has described a similar trick, which again uses images as the lure to deliver the Locky ransomware.
Dubbed 'ImageGate' by Check Point Software Technologies, the technique reportedly embeds malicious code into an image file, which is then uploaded directly to Facebook. "The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file," researchers Roman Ziakin and Dikla Barda wrote. "This results in infection of the users’ device as soon as the end-user clicks on the downloaded file."
In their demonstration of how the attack works, the researchers sent an innocent-looking JPG file through Facebook Messenger. Clicking the attachment opens a Windows save prompt, and the file that is actually saved is not an image but an .hta (HTML Application) file.
Double-clicking the downloaded file reportedly launches a copy of the Locky ransomware, which then encrypts files across the victim's computer. The victim is then told to pay a ransom, the amount of which varies, in order to get the files back.
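The check a practitioner would want after reading the description above: does a downloaded "image" actually begin with image magic bytes, and does its name end in an extension that Windows hands to a script host rather than an image viewer? The following Python is an added example and is not Check Point's tooling or anything recovered from the campaign; the sample bytes, file names and the list of script markers are constructed for illustration, and the function names are this example's own.

```python
import re

# Magic-byte signatures for the image formats a social-media upload would normally be.
# Short signatures (e.g. BMP's "BM") are deliberately left out because they match too easily.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
IMAGE_EXT_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}

# Extensions Windows passes to a script host or the shell instead of an image viewer.
# .hta in particular is executed by mshta.exe with the logged-in user's privileges.
EXECUTABLE_EXTS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "scr", "exe", "cmd", "bat"}

# Markup that indicates an HTML Application or scripted HTML rather than image data.
HTA_MARKERS = re.compile(rb"<hta:application|<script|ActiveXObject|WScript\.Shell", re.IGNORECASE)

# Constructed sample bytes for this example (not captured from any real attachment).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 64
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 64
HTA_SAMPLE = (
    b"<html><head>\n"
    b'<hta:application id="app" windowstate="minimize" showintaskbar="no">\n'
    b'<script language="VBScript">\n'
    b'Set sh = CreateObject("WScript.Shell")\n'
    b"</script></head><body></body></html>\n"
)

def sniff_image(data):
    """Return the image format implied by the leading bytes, or None if there is none."""
    for fmt, sigs in IMAGE_MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return fmt
    return None

def classify_download(filename, data):
    """Compare what the file name claims with what the bytes contain and return a verdict."""
    exts = [IMAGE_EXT_ALIASES.get(e, e) for e in filename.lower().split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    # An image extension buried before the real one ("photo.jpg.hta") is the classic disguise.
    inner_image_ext = next((e for e in exts[:-1] if e in IMAGE_MAGIC), None)
    sniffed = sniff_image(data)
    has_script = HTA_MARKERS.search(data[:4096]) is not None

    if final_ext in EXECUTABLE_EXTS:
        verdict = "executable"
        reason = f"'.{final_ext}' is handed to a script host, not an image viewer"
        if inner_image_ext:
            reason += f" (image-looking double extension '.{inner_image_ext}.{final_ext}')"
    elif final_ext in IMAGE_MAGIC:
        if sniffed:
            verdict, reason = "image", f"magic bytes identify {sniffed} content"
        else:
            verdict = "mismatch"
            reason = "named as an image but the leading bytes match no image format"
            if has_script:
                reason += "; body contains HTA/script markup"
    else:
        verdict, reason = "unknown", f"unrecognised extension '.{final_ext}'"

    return {
        "filename": filename,
        "final_ext": final_ext,
        "inner_image_ext": inner_image_ext,
        "sniffed": sniffed,
        "has_script": has_script,
        "verdict": verdict,
        "reason": reason,
    }

# Constructed (name, bytes) pairs: a real JPEG, a real PNG, a double-extension HTA,
# and an HTA that has simply been renamed to look like a JPEG.
SAMPLES = [
    ("holiday.jpg", JPEG_SAMPLE),
    ("logo.png", PNG_SAMPLE),
    ("holiday.jpg.hta", HTA_SAMPLE),
    ("holiday.jpg", HTA_SAMPLE),
]

def triage(samples):
    """Run the classifier over (filename, bytes) pairs and return the verdict records."""
    return [classify_download(name, data) for name, data in samples]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(f"{r['filename']:<18} {r['verdict']:<11} {r['reason']}")
```

The extension test alone catches the double-extension case the article describes, but not a script file that has merely been renamed; sniffing the first bytes covers that, since HTML markup never starts with an image signature. At a download or mail gateway the "executable" and "mismatch" verdicts are the ones to block outright, whatever the icon or the inner ".jpg" suggests.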
It is no longer surprising that perpetrators target sites like Facebook, given the sheer number of users they can reach there. "Cyber criminals understand these sites are usually ‘white listed’, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities," the researchers wrote.
We have reached out to Facebook, and will update this article once we hear more.
With this in mind, it always pays to be wary of what you click on the internet, even when it appears to come from someone you trust. Warning others about possible malware campaigns helps too, so that everyone stays safer online.
Update: A Facebook spokesperson offered the following statement to Neowin regarding Check Point's report:
"This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for several days. We also reported the bad browser extensions to the appropriate parties."
The representative told us that Check Point's technique is unrelated to the earlier report, and that there is still no evidence of the Locky ransomware spreading on Facebook. Facebook is also said to be investigating a URL-handling issue in Firefox that Check Point had previously described. The spokesperson assured us that this has nothing to do with the ransomware claims.