Anti-Malware , Application Security , Social Media

Is Ransomware Creeping Into Facebook and LinkedIn?

Facebook Says No, But Researchers Disagree
Is Ransomware Creeping Into Facebook and LinkedIn?
A Locky ransomware lock screen.

Facebook is disputing recent reports that the file-encrypting ransomware known as Locky spread through its instant messaging platform.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The company's response comes as security firm Check Point alleges that LinkedIn is vulnerable to the same kind of attack that hit Facebook, causing worry that ransomware distributors may have tapped two extremely large pools of potential victims.

Ransomware is malware that encrypts files on a computer and demands money in exchange for the decryption key, usually payable in bitcoin (see Ransomware Result: Free Ticket to Ride in San Francisco).

The story kicked off with a blog post on Nov. 20 from Bart P., a PwC threat intelligence researcher, who spotted a campaign spreading malicious image files through Facebook's Messenger. The files had a ".svg" suffix, which stands for scalable vector graphics.

The XML-based format allows images to retain their quality regardless of how they're manipulated. But it also allows for other embedded active content including JavaScript, which holds the potential for trouble.

If someone clicked on the .svg file received through Facebook, it's downloaded to a computer. If opened, the file launches a browser window that shows a fake YouTube website, Bart P. writes. That site shows a message that encourages victims to download a codec that is supposedly needed to view a video.

Actually, the file leads to a bogus Chrome extension that acted as a worm, harvesting data from someone's Facebook contacts and spreading through Messenger.

But there are indications that the .svg file didn't always try to get people to run a dodgy extension. Peter Kruse, founder of CSIS Security Group in Denmark, wrote that one test showed the .svg file was actually Nemucod, which is a malicious downloader. If Nemucod was downloaded, it would then deliver the Locky ransomware.

Some observers took issue with Kruse's analysis, writing their tests showed only the malicious Chrome extensions were delivered. But Kruse wrote on Twitter that the .svg files actually had varied payloads. Sometimes the payload was the questionable Chrome extension, called Udo, while others delivered Locky.

Locky is one of the top ransomware families, named after its behavior of adding .locky to files it encrypts. Users are typically asked to pay between .5 to 1 bitcoin (US$315 to $730) to decrypt their files (see Retooled Locky Ransomware Pummels Healthcare Sector).

Check Point Weighs In

A few days after Bart P.'s blog post, Check Point claimed to have discovered the attack vector used against Facebook, saying it also affects LinkedIn.

Check Point dubbed the attack ImageGate, claiming that attackers had "built a new capability to embed malicious code into an image file and successfully upload it to the social media website."

"In the past week, the entire security industry is closely following the massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign," Check Point writes.

The company writes that it's waiting for Facebook and LinkedIn to adjust their defenses before providing more technical detail. But Check Point did publish a video demonstration showing what it says is a successful ransomware attack conducted via Facebook. However, the method differs somewhat from what is described by Bart P.

The attack is launched over Facebook's Messenger. But instead of sending a .svg file, it uses a .hta one, which is a file extension designating an HTML application. The video shows that user would have to click on the file and save it before ransomware runs.

Facebook says Check Point's blog post doesn't describe the issue posed by Bart P., even though the company portrays it as the same.

"This analysis is incorrect," Facebook says in a statement. "There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook."

Check Point contends it is using essentially the same method as spotted by Bart P. in order to infect someone with ransomware. However, Facebook is investigating the issue raised by Check Point, which would only appear to affect people using Firefox.

It's unclear from Check Point's blog post how the attack affected LinkedIn. Officials with LinkedIn, which is owned by Microsoft, couldn't be reached.

A Locky Break?

Since the posts from Bart P. and Check Point, Facebook analysts have found no evidence that ransomware has been successfully spread. Following Bart P.'s post, Facebook blocked and reported the bad Chrome extensions to Google.

Facebook has defenses in place to prevent the distribution of malicious code through Messenger. But attackers are always testing new methods to try and get past the filters. A large-scale outbreak of ransomware on either Facebook or LinkedIn would be notable but unlikely to last very long, as both companies would move quickly to shore up their systems.

Also, the attacks as described rely on heavy user interaction. In Bart P.'s example, users would have to click several times before the malicious code extension is installed. Check Point's demo has victims clicking twice: once to view a file sent over Messenger and then a second time to save it to a computer.

Of course, the benefit of abusing Facebook and LinkedIn is that users usually blindly trust whatever is sent to them, particularly if it appears to come from a trusted contact.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.