Facebook has long been a preferred target for scammers and cyber-criminals preying on unsuspecting users. This week, one such piece of malware was exposed by Bart Blaze and Peter Kruse.
According to Bart Blaze, the new attack is launched through Facebook Messenger and quickly distributes the Locky ransomware. Locky, a favourite tool among criminals, is delivered by a downloader called Nemucod, which gets past Facebook's security by posing as a .svg (scalable vector graphics) image file.
An SVG file can be used by hackers to cloak malicious code such as JavaScript. Because it passes for a harmless image, the file easily gets through Facebook's defenses.
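The weakness described above is that an extension filter accepts anything named .svg. As an added example (not code from the article or from the researchers), the following Python check parses a claimed SVG and reports the features that make it an active document rather than a plain image; the two sample files are constructed for the example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed samples (not taken from the campaign): a harmless circle, and an
# SVG carrying an inline <script> plus an onload event-handler attribute.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                b'<script>/* placeholder: nothing executes here */</script></svg>')


def svg_active_content(data: bytes) -> list[str]:
    """Return a list of findings that make the SVG 'active' (script, event
    handlers, javascript: URIs, foreignObject, external references).
    An empty list means the file is a static image as far as this check goes.
    The point is to inspect content instead of trusting the file extension."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML (not a valid SVG)"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return ["root element is not <svg>"]
    for el in root.iter():  # includes the root, so onload on <svg> is caught
        local = el.tag.split("}")[-1]
        if local in ("script", "foreignObject"):
            findings.append(f"<{local}> element")
        for name, value in el.attrib.items():
            attr = name.split("}")[-1]  # strips an xlink: namespace on href
            v = value.strip().lower()
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{local}>")
            elif attr == "href" and v.startswith("javascript:"):
                findings.append(f"javascript: URI on <{local}>")
            elif attr == "href" and v.startswith(("http:", "https:", "//")):
                findings.append(f"external reference on <{local}>")
    return findings


if __name__ == "__main__":
    print("benign:", svg_active_content(BENIGN_SVG))
    print("scripted:", svg_active_content(SCRIPTED_SVG))
```

A gateway can reject or quarantine any upload with a non-empty result, regardless of its extension.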
“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:” wrote Bart Blaze in a blog post.
When opened, the malicious image file redirects the victim to a site that looks like YouTube's landing page. The site only imitates YouTube; it is hosted at a different URL and is not the real thing.
Once this page loads, the victim is asked to install a codec in order to play the video shown on the page. The codec is delivered as a Chrome extension, and if the victim installs it, the attack spreads further to the victim's contacts via Facebook Messenger.
Facebook and Google have been notified of the attack. Facebook released a statement saying it had looked into the matter and attributed the activity to malicious Chrome extensions rather than to Locky.
“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not, in fact, installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”