Locky ransomware can affect you via Facebook and LinkedIn

Malware doesn’t always need to attack your computer through browser or OS based exploits. Sometimes, it’s the social networks themselves that can be the problem. An ongoing spam campaign is using boobytrapped image files to download and infect users with the Locky ransomware, Israeli security firm Check Point reports.

This works by taking advantage of flaws in the way Facebook and LinkedIn (among others) handle images in its bid to infect your PC. The security firm says that malware authors have identified vulnerabilities in the social networks that forcibly download a maliciously coded image file on the user’s computer, but in some cases, the user had to click on the image to download it.

facebook (1).jpg

When users detect the automatic download, if they access the malformed image, malicious code will install the Locky ransomware on their computers. While the actual Locky code is relatively pedestrian and easy to avoid if you’re aware (just don’t open the file), it’s the delivery mechanism that has analysts worried.

Social media platforms are generally considered a safer place on the internet even by security experts and many people aren’t used to worrying about their downloads at sites like Facebook.

Check Point has declined to provide any technical details at the time of writing because both Facebook and LinkedIn haven’t fixed the vulnerability exploited by the attackers. The company says it reported the issue back in September. Users are warned about opening what look to be image files with unusual extensions, such as SVG, JS or HTA.

This makes us believe the spammers are using double extensions to hide the true nature of the file. By default, Windows hides a file’s extension. So when you see a file like image.jpg, it may be actually hiding a second extension, such as image.jpg.hta or image.jpg.js.

The file extensions which Check Point mentioned, SVG, JS, and HTA, have the ability to download content from an online server and run it. Just to be on the safe side, if you want Windows to show file extensions, you can do it. For the time being, it may be safe to avoid opening any unsolicited file you receive via private messages on Facebook or LinkedIn, or files that mysteriously download to your PC.

Earlier this week, security researchers noticed that files with a dubious .SVG extension were being distributed through Facebook and somehow bypassing Facebook’s extension filter. The .SVG files included JavaScript that, when accessed by the user, downloaded Nemucod malware and then the ransomware. The current case seems to be a part of this earlier campaign.

Whether or not you’re in the clear, this is a reminder that you can’t take the safety of social sites for granted — it’s a good idea to be wary of any downloads you weren’t expecting.

Via : ArsTechnica

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s