Leveraging an attack vector named ImageGate, hackers can embed malicious code into seemingly innocuous graphics that appear on social networking sites such as Facebook, warns Check Point.

Attackers are infecting social media users with malware by embedding malicious code into image and graphic files and uploading them onto major websites and social networks including Facebook and LinkedIn.

Researchers at Check Point Software Technologies discovered the attack vector – dubbed ImageGate – which exploits a “misconfiguration on the social media infrastructure to deliberately force... victims to download the image file,” according to a company blog post last week. Clicking on the downloaded file results in the actual infection.

“Check Point's research team uncovered a few methods that could be used by this new attack vector. Our primary finding is embedding an .HTA format into an image file (could be a JPEG too), which is relevant to all browsers,” explained Oded Vanunu, head of products vulnerability research at Check Point, in an email to SC Media. “It can also be executed with a .SVG file that is embedded into JavaScript. This method is limited to Internet Explorer.” Based on a YouTube demo posted by Check Point, it appears that in at least some instances the malicious images appear in a potential victim's Facebook chat box.

Also in its blog post, Check Point suggests that members of the security industry have recently been on high alert over the rapid spread of Locky ransomware via social media, and postulated that ImageGate may be the conduit through which attackers are executing this campaign. In that regard, Check Point's report shares certain commonalities with other research, disclosed independently last week, which warned of a Facebook spam campaign that features instant messages containing .SVG images designed to trick recipients into installing a Trojan that in some cases may have downloaded Locky. Vanunu confirmed to SC Media that the two campaigns are not related.

Just as Facebook denied that Locky was being spread through the spam campaign, the company also disputed Check Point's findings. "This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook…” said a Facebook spokesperson in a statement emailed to SC Media.

LinkedIn also addressed ImageGate via a company spokesperson: "We investigated this report and believe this method is not especially effective,” read a statement emailed to SC Media. “While we have not found any exploitation of our platform using this vulnerability, we are taking additional steps to ensure our members are protected."

According to Check Point, both Facebook and LinkedIn were alerted to ImageGate prior to the vulnerability's public disclosure, and the company is waiting for impacted websites to patch the flaws in their respective infrastructures before further reporting any specific technical details on the open attack vector.

To avoid infection, Check Point recommended that social media users avoid opening files that are downloaded as a result of clicking on an image, or that contain unusual file extensions such as .SVG, .JS or .HTA.
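The advice above boils down to one check a defender can automate: does a file that arrived as an "image" actually carry an image, or does its name or content point to a script-capable format such as .HTA, .SVG or .JS? The following Python script is an added example written for this article; it is not Check Point's tool and makes no claims about how ImageGate itself is delivered. It inspects a downloaded file's name (trailing extension, image-then-script double extensions) and its leading bytes (JPEG/PNG/GIF magic numbers versus HTML, HTA or SVG markup) and returns a verdict that a download monitor or mail gateway could act on. The sample files at the bottom are constructed byte strings, not captured artifacts.

```python
import re
from pathlib import PurePosixPath

# Extensions the article names as "unusual" for a downloaded image,
# plus .jse/.vbs/.wsf as further Windows Script Host formats (assumed additions).
SCRIPT_EXTS = {".hta", ".svg", ".js", ".jse", ".vbs", ".wsf"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}

# Magic numbers for the raster formats a social-network image should be.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
RASTER_KINDS = set(MAGIC.values())


def sniff(data: bytes) -> str:
    """Guess the real content type from the first bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:512].lstrip().lower()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "svg"
    if b"<html" in head or b"<script" in head or b"<hta:application" in head:
        return "html"
    return "unknown"


def assess_download(name: str, data: bytes) -> dict:
    """Return findings for a downloaded file; an empty list means 'looks like an image'."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    findings = []

    # 1. Name-based checks: script-capable extension, or image.ext.script double extension.
    if last in SCRIPT_EXTS:
        findings.append(f"script-capable extension {last}")
    if len(suffixes) > 1 and last not in IMAGE_EXTS and any(s in IMAGE_EXTS for s in suffixes[:-1]):
        findings.append("image extension followed by non-image extension")

    # 2. Content-based checks: the bytes must match what the name promises.
    kind = sniff(data)
    if last in IMAGE_EXTS and kind not in RASTER_KINDS:
        findings.append(f"content does not look like a raster image (sniffed: {kind})")
    if kind in ("svg", "html") and re.search(rb"<script\b", data[:4096], re.IGNORECASE):
        findings.append("markup contains a <script> element")

    return {"name": name, "sniffed": kind, "findings": findings, "block": bool(findings)}


# Constructed samples (not real captures): a benign JPEG header, an HTA
# disguised with a double extension, an SVG carrying script, and HTML named as PNG.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 24,
    "holiday.jpg.hta": b'<html><head><HTA:APPLICATION id="x"/><script>x()</script></head></html>',
    "logo.svg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>y()</script></svg>',
    "cat.png": b"<html><body>not an image</body></html>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = assess_download(name, data)
        status = "BLOCK" if verdict["block"] else "allow"
        print(f"{status:5} {name:18} sniffed={verdict['sniffed']:7} {verdict['findings']}")
```

Only the first sample is allowed through; each of the others trips at least one name or content check. The content sniff matters more than the extension list: an attacker-chosen name is free to lie, but a file that is supposed to render as a JPEG and instead begins with markup is a reliable signal regardless of what it is called.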