November 25, 2016
Security researchers have discovered ransomware being spread through images and graphic files being shared on social networking sites including Facebook and LinkedIn. Among the malware being distributed is the infamous Locky ransomware.
Check Point researchers have dubbed this new attack vector ImageGate. Their findings build on the discovery by Bart Blaze of malware being spread through Scalable Vector Graphics (SVG) files on Facebook Messenger. Users in that case were prompted to install a codec extension to view a video or image apparently sent by a contact. The extension downloaded the Nemucod downloader, which can spread malware and steal sensitive information.
Now Check Point’s security team claims to have discovered how the attackers managed to execute the malicious code embedded within the images. They exploited a misconfiguration in the design of these sites that forces users to download the malicious file.
Once downloaded, the malware becomes active when the file is opened. In the case of the Locky ransomware, all files on the affected computer are encrypted until a ransom is paid. Recent statistics from Check Point revealed that Locky accounted for 5% of total global attacks spotted during the month of October, making it the second most prevalent piece of malware currently in the wild.
Locky has also been increasingly targeting healthcare organizations in recent months.
Oded Vanunu, Head of Check Point’s Products Vulnerability Research, said that given the popularity of social networking sites like Facebook and LinkedIn, it’s not surprising that attackers are focusing their efforts there.
“As more people spend time on social networking sites, hackers have turned their focus to find a way in to these platforms,” he said. “Cyber-criminals understand these sites are usually ‘white listed’, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities.”
Check Point added that it will release further details about the vulnerability once the affected websites confirm they have fixed the flaw.
To better protect against these types of attacks, users should never download attachments from people they don’t know, or open attachments that look like an image but carry an unusual filename extension.
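The advice above can be turned into an automated check that runs before a downloaded "image" is opened. The following is an added example, not code from the article or from Check Point; it assumes the file is already on disk and flags three things: a script or executable extension hidden behind an image-like name, raster image bytes that do not match the extension's magic number, and an SVG file that carries script or event handlers (the SVG case is the one the article describes; the magic-byte and double-extension checks are a generalization of the "unusual extension" advice).

```python
import re
from pathlib import PurePath

# Magic-byte prefixes of common raster formats (constructed lookup table for this example).
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".bmp": [b"BM"],
}
# Extensions Windows will execute or hand to a script host; none of them is an image.
EXECUTABLE_EXTS = {".hta", ".js", ".jse", ".vbs", ".wsf", ".exe", ".scr"}
# SVG is XML: a <script> element, an on* event attribute or a javascript: URL means active content.
SVG_ACTIVE_RE = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def check_image_download(filename: str, data: bytes) -> list:
    """Return the reasons this file should not be opened as an image (empty list = none found)."""
    reasons = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    # 1. Script/executable extension, possibly disguised as "photo.jpg.hta".
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext!r}")
    if len(suffixes) > 1 and ext not in IMAGE_MAGIC and any(s in IMAGE_MAGIC for s in suffixes[:-1]):
        reasons.append("double extension disguising an image name")
    # 2. Raster extension whose leading bytes are not that format's magic number.
    if ext in IMAGE_MAGIC and not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        reasons.append(f"content does not match {ext} magic bytes")
    # 3. SVG (by extension or by content) containing script or event handlers.
    if ext == ".svg" or data.lstrip().startswith((b"<svg", b"<?xml")):
        if SVG_ACTIVE_RE.search(data):
            reasons.append("SVG contains script or event handler")
    return reasons


if __name__ == "__main__":
    # Constructed samples, not real files from the campaign.
    samples = [
        ("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("cat.png", b"MZ" + b"\x00" * 16),
        ("photo.jpg.hta", b"<html><script>// constructed sample</script></html>"),
        ("pic.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><script>// constructed sample</script></svg>'),
    ]
    for name, content in samples:
        print(name, "->", check_image_download(name, content) or "no findings")
```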