Facebook on Monday denied that its network and Messenger app were being used to spread ransomware to its users, contradicting the claims of Check Point researchers Roman Ziakin and Dikla Barda.
The two researchers last week reported they had discovered a new method for delivering malicious code to machines, which they dubbed “ImageGate.”
Threat actors had found a way to embed malicious code into an image, they said.
Due to a flaw in the social media infrastructure, infected images are downloaded to a user’s machine, Ziakin and Barda explained. Clicking on the file causes the user’s machine to become infected with a ransomware program known as “Locky,” which encrypts all the files on the infected machine. The user then must pay a ransom to the purveyor of the malicious software in order to decrypt the files.
“In the past week, the entire security industry is closely following the massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign,” the researchers wrote in an online post. “Check Point researchers strongly believe the new ImageGate technique reveals how this campaign was made possible, a question which has been unanswered until now.”
Bad Chrome Extension
Facebook has disputed Check Point’s findings.
“This analysis is incorrect,” Facebook said in a statement provided to TechNewsWorld by spokesperson Jay Nancarrow.
“There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook,” the company maintained.
“We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week,” Facebook noted. “We also reported the bad browser extensions to the appropriate parties.”
Most social media sites, including Facebook, have protections in place to block spam and dangerous file types, said Marc Laliberte, an information security threat analyst with WatchGuard Technologies.
“This most recent attack bypassed Facebook’s protections by using a specific type of image file that supports interactivity via embedded scripts, like JavaScript,” he told TechNewsWorld. “Facebook has since added the image file type — SVG — used in this attack to their filter.”
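The filtering problem described above, sketched from the defender's side as an added example (it is not code from the article, from Facebook or from Check Point): an upload check that refuses to treat an SVG as a passive image when it carries script-capable content. The function name, the rule set and the sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run or embed active content inside an SVG (illustrative rule set).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_active_content(data: bytes) -> list:
    """Return the reasons an uploaded SVG should not be handled as a passive image."""
    try:
        # Decode first: parsing a str makes expat ignore any declared encoding,
        # so the scanner and the parser always see the same characters.
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8"]
    # An uploaded image needs no DTD; refusing one also rules out entity tricks.
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)  # covers both href and xlink:href
            # Browsers ignore whitespace and control characters inside a URL scheme.
            scheme = re.sub(r"[\x00-\x20]", "", value).lower()
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and scheme.startswith("javascript:"):
                findings.append(f"script URL in href on <{tag}>")
    return findings

# Constructed sample files, not taken from the campaign described in the article.
SAMPLE_PASSIVE = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                 b'<script>/* placeholder */</script>'
                 b'<a href="javascript:void(0)"><circle r="4"/></a></svg>')

if __name__ == "__main__":
    for label, blob in (("passive", SAMPLE_PASSIVE), ("active", SAMPLE_ACTIVE)):
        print(label, svg_active_content(blob))
```

A filter like this complements, rather than replaces, serving user-supplied SVG files as downloads or from a separate origin.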
Cloak of Legitimacy
What makes this attack so devious is that it’s cloaked in legitimacy.
“The JavaScript embedded in the image is not malicious,” explained Alexander Vukcevic, virus labs director at Avira. “It leads you to a website that looks like YouTube.”
At the website, you’re told you need to download a browser extension to watch video at the site.
“The browser extension then downloads the ransomware,” Vukcevic told TechNewsWorld.
Ransomware like Locky has become a big threat to consumers, observed Javvad Malik, a security advocate for Alien Vault.
“Most are not technically savvy to spot or defend against ransomware,” he told TechNewsWorld. “While a lot of effort is put into educating consumers around the dangers of clicking on links in emails or opening attachments, there is an inherent level of trust that people put in social media platforms, which is being abused by this current threat.”
Consumer Protection
While ransomware is always a serious threat to consumers, this new twist on its distribution raises the bar even higher, WatchGuard’s Laliberte noted.
“Consumers simply do not expect malware to be delivered via a Facebook message,” he said. “Most people probably consider social media sites to be a safe space, so the lack of concern and vigilance makes it powerful as a potential infection channel for malware.”
For consumers concerned about an ImageGate attack, Check Point recommended not opening any files downloaded to a device after clicking any image. The same is true for image files with unusual extensions, such as SVG, JS or HTA.
Users also should keep their operating system and antivirus software up to date, Avira’s Vukcevic added, “and make backups. Even if you’re never infected with ransomware, you never know when something might go wrong with your machine.”