A researcher this past weekend warned of a new Facebook instant message spam campaign designed to trick recipients into downloading a malicious downloader script, which a second researcher said he observed downloading Locky ransomware.
In a statement to SC Media, Facebook acknowledged the malicious code and campaign, which it took steps to block; however the social media company disputes that Locky is associated with the threat.
In a blog post on Sunday, a researcher with the pseudonym “Bart Blaze” noted that Facebook users are receiving messages from their contacts that contain an image in the form of a Scalable Vector Graphics (.SVG) file, which somehow was able to bypass the social media platform's file extension filters.
.SVG is an open-standard, XML-based vector impact format for graphics requiring interactivity or animation. Blaze, who says that by day he is a threat intelligence analyst with PwC, explained in his post that such files are compatible with any modern browser, and that they grant users a lot of freedom to embed content into them, including potentially malicious scripts. Case in point: the actual content of the photo is a heavily obfuscated script that redirects the user to a fake website that purports to be YouTube, featuring the supposed video teased in the message.
Google Chrome users visiting this malicious site are then told that they need to install a browser extension to view the video. Unfortunately, the extension is malicious, composed of scripts designed to further spread the spam campaign to the victim's other contacts. It also asks permission to read and change users' data on the websites they visit.
“The approach… is a classic: the lure of a photo (possibly of you) always works. Curiosity killed the cat,” Blaze said to SC Media in an email interview.
Blaze has conjectured that the malicious extension likely also downloads additional malware programs, creating a secondary infection. This theory was seemingly confirmed when fellow researcher Peter Kruse, founder of CSIS Security Group in Denmark, posted a Tweet reporting that the Locky ransomware was spreading on Facebook via malicious JavaScript coding, disguised as an .SVG file.
However, Facebook disputes Kruse's account. “In our investigation, we determined that these were not in fact installing Locky malware – rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties,” said a Facebook spokesperson to SC Media. (SC Media has reached out to Google for comment regarding its take on the malicious Chrome extensions.)
Asked to respond to Facebook, Kruse told SC Media via email: “There are tons of malicious domains in this campaign and at least a few of them tried to drop Locky through user clicking.” Kruse provided SC Media with a diagram of malicious domains from which he said the malicious browser extension downloaded additional unwanted programs.
In fairness to Facebook, Kruse admitted that "the bad guys might have made changes sometimes during the day or even early in the campaign. That would not be the first time."
For his part, Blaze told SC Media that despite Kruse's Locky observations, his own research efforts “have been unable to reproduce that for now.”
Blaze recommended that any users who downloaded one of the malicious extensions immediately remove it from their browsers, then run an antivirus scan and change their Facebook passwords. “As always, be wary when someone sends you just an image – especially when it is not how he or she would usually behave,” advised Blaze in his blog post.
As for the threat itself, “we maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform,” the Facebook spokesperson noted.
Facebook also notifies users and provides them with anti-virus scans when the social platform detects anomalous account behavior that might be indicative of a malware infection.
