Security firm Check Point uncovered this new method of distributing malware. According to its research, the attackers have added a capability that lets them embed malicious code in an image file and successfully upload it to social media websites such as Facebook and LinkedIn.
“The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user […]” write Roman Ziakin and Dikla Barda of the Check Point Research Team.
Check Point’s researchers believe the new ImageGate technique explains how the initial Locky campaign was seeded in the first place. The recent massive spread of the Locky ransomware was particularly evident on Facebook.
Check Point has published a video demonstrating the process. In the test, they sent a JPG file through Facebook’s chat; once the targeted victim clicks on the attachment, a Windows save prompt opens and a .hta file is downloaded instead of a picture.
Once the victim downloads and opens that file, all of the files on the device are reportedly encrypted, and access is only restored after the ransom is paid. Check Point says that, according to industry reports, the campaign is still in full swing and accumulates new victims every day.
Targeting social network sites for a reason
As more and more people spend their time on social networks, attackers are turning their attention to these websites. Ziakin and Barda state that “cyber criminals understand these sites are usually ‘white listed’”, pointing out that this is the main reason the hackers are “continually searching for new techniques to use social media as hosts for their malicious activities.”
Check Point recommends the following preventive measures to stay protected:
- If you have clicked on an image and your browser starts downloading a file, do not open it. A social media website should display the picture without downloading any file.
- Don’t open any image file with an unusual extension (such as SVG, JS or HTA). JS and HTA are not image formats at all, and SVG, although a legitimate image format, can embed script that runs when the file is opened.
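The two checks above can be automated on the receiving side. The following script is an added example, not Check Point’s code: given the name and bytes of a file that a chat “image” link caused the browser to download, it compares the claimed extension against the real content (magic bytes or HTML/HTA/SVG markup), flags the script-capable extensions named in the article, and looks for embedded script in SVG. The sample files are constructed for illustration and are not real malware samples.

```python
"""Added example: classify a file that a social-media 'image' link caused
the browser to download. Not Check Point's code; the sample files at the
bottom are constructed for this demonstration."""
import re

IMAGE_MAGIC = {                  # leading bytes of common raster formats
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_KINDS = set(IMAGE_MAGIC.values())
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
SCRIPT_EXTS = {"hta", "js"}      # extensions the article warns about; SVG is handled below


def sniff(data: bytes) -> str:
    """Guess the real content type from the bytes, ignoring the file name."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:1024].lower()
    if b"<hta:application" in head:   # HTML Application: script runs with local privileges
        return "hta"
    if b"<html" in head or b"<!doctype html" in head:
        return "html"
    if b"<svg" in head:
        return "svg"
    if b"<script" in head:
        return "html"
    return "unknown"


def svg_has_script(data: bytes) -> bool:
    """True if an SVG carries <script>, javascript: URLs or on* event handlers."""
    text = data.decode("utf-8", "ignore").lower()
    return ("<script" in text or "javascript:" in text
            or re.search(r"\son[a-z]+\s*=", text) is not None)


def assess(filename: str, data: bytes) -> dict:
    """Return a verdict plus the reasons a download is not a plain picture."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append(f"script-capable extension .{ext}")
    if kind in ("hta", "html"):
        reasons.append(f"content sniffs as {kind}, not an image")
    if ext in IMAGE_EXTS and kind not in IMAGE_KINDS:
        reasons.append(f"named .{ext} but content sniffs as {kind}")
    if ext == "svg" or kind == "svg":
        reasons.append("SVG with embedded script" if svg_has_script(data)
                       else "SVG: can embed script, not a plain photo")
    return {"extension": ext, "content": kind,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample downloads (benign stand-ins, not real malware)
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "holiday.jpg": b"<html><script>document.write('x')</script></html>",
    "cat.hta": b'<html><head><hta:application id="x" /></head>'
               b"<body><script>document.write('x')</script></body></html>",
    "meme.svg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                b"<script>alert(1)</script></svg>",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = assess(name, blob)
        print(f"{name:12} {r['verdict']:5} content={r['content']:7} {'; '.join(r['reasons'])}")
```

The content sniff is deliberately independent of the file name, because the whole point of the technique is that the name (or the chat thumbnail) says “image” while the bytes are an HTA or HTML file. Plain SVG is still flagged, in line with the article’s advice, since the format can carry script even when this particular file does not.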
With the holiday season underway, the volume of attacks will likely increase because more people are online. Yesterday, we covered how Microsoft warned against Black Friday malware disguised as Amazon emails.
Users are receiving fake emails that carry the Locky ransomware. Opening the contents of the attached zip file results in important files being encrypted and inaccessible until you pay the attacker. Microsoft says it has been tracking this combination for a while and that Windows Defender should detect it.