An ongoing spam campaign is using booby-trapped image files to download and infect users with the Locky ransomware, Israeli security firm Check Point reports.
The security firm says that malware authors have identified vulnerabilities in the Facebook and LinkedIn social networks that force an image file to download to the user's computer; in some cases, the user has to click on the image to trigger the download.
Malware authors are spreading malicious image files via these two platforms. When users notice the automatic download and open the malformed image, malicious code installs the Locky ransomware on their computers.
Vulnerabilities in Facebook and LinkedIn remain unfixed
Check Point has declined to provide any technical details at the time of writing because neither Facebook nor LinkedIn has fixed the vulnerability exploited by the attackers. The company says it reported the issue back in September.
The company has warned users against opening what look to be image files but carry unusual extensions, such as SVG, JS or HTA.
This makes us believe the spammers are using double extensions to hide the true nature of the file. By default, Windows hides a file's extension, so a file that appears as image.jpg may actually be hiding a second extension, such as image.jpg.hta or image.jpg.js.
The file extensions Check Point mentioned, SVG, JS and HTA, can all download content from an online server and run it.
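As an added illustration of the double-extension trick and the three script-capable extensions above (example code written for this article, not from Check Point or the original report), the checks below flag a downloaded file whose real extension is SVG, JS or HTA while the name Windows would display looks like a picture, and inspect an SVG for script markup. The image-extension list, the SVG markers and the sample file names are assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The three extensions Check Point warned about: each can fetch content from
# a remote server and run it when opened on Windows.
EXECUTABLE_EXTS = {".svg", ".js", ".hta"}
# Extensions a user would reasonably trust as "just a picture" (assumed list).
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Markers of active content inside SVG (an XML format): a <script> element or
# an on*= event-handler attribute is enough for a viewer to execute code.
SVG_ACTIVE = re.compile(rb"<script\b|\bon[a-z]+\s*=", re.IGNORECASE)

@dataclass
class Verdict:
    suspicious: bool
    reason: str

def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on."""
    return os.path.splitext(filename)[0]

def classify_name(filename: str) -> Verdict:
    """Flag script-capable downloads; note when the displayed name looks like an image."""
    _, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return Verdict(False, "extension not on the watch list")
    shown = displayed_name(filename)
    _, inner = os.path.splitext(shown)
    if inner.lower() in IMAGE_EXTS:
        return Verdict(True, f"double extension: shown as {shown!r}, really {ext}")
    return Verdict(True, f"script-capable file type {ext}")

def classify_svg_bytes(data: bytes) -> Verdict:
    """Content check for .svg files: look for script or event-handler markup."""
    if SVG_ACTIVE.search(data):
        return Verdict(True, "SVG contains a <script> element or on*= handler")
    return Verdict(False, "SVG has no active-content markers")

def flag_downloads(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every suspicious name in a folder listing."""
    return [(n, v.reason) for n in names if (v := classify_name(n)).suspicious]

if __name__ == "__main__":
    # Constructed sample listing of a Downloads folder (not real indicators).
    for name, why in flag_downloads(["holiday.png", "image.jpg.hta", "photo.svg"]):
        print(f"{name}: {why}")
```

Turning off "Hide extensions for known file types" in Explorer removes the disguise entirely; the name check only approximates what a user sees with that default left on.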
The criminal group behind the Locky ransomware has used JS and HTA files to install their malware in the past, albeit via file attachments that arrived via spam emails, but not social media.
Might be related to another Facebook spam campaign reported on Monday
This campaign appears to be related to a Facebook DM spam run discovered by security researcher Bart Blaze on Monday.
For the time being, it may be safe to avoid opening any unsolicited file you receive via private messages on Facebook or LinkedIn, or files that mysteriously download to your PC.