Hackers temporarily found a way to bypass Facebook filtering systems to
deliver malicious Chrome extensions to users, security researchers have
found. These then opened up the way for even worse malware downloaders
that can deliver a range of Trojans and other programs to your desktop.
The .svg files sent to users got around Facebook’s file extension
filter. Because .svg is a relatively new file format, hackers have room
to experiment with it against existing filtering systems. Also, reports
Bleeping Computer, since it is “XML-based and allows dynamic content,”
it is popular for delivering the malicious JavaScript code embedded
right inside the image.
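Because an SVG is an XML document, a filter that only checks the file extension cannot tell a drawing from a file carrying script. The following is an added example (not code from the article, Facebook, or any of the researchers it cites) of an upload check that keeps an extension whitelist but also parses SVG content and rejects files with active content: script elements, on* event-handler attributes, and javascript: links. The whitelist set, the function names and the three sample files are assumptions constructed for this example.

```python
"""Added example: extension whitelist plus SVG content inspection.
Sample SVG files and the ALLOWED_EXTENSIONS set are constructed here,
not taken from the article."""
import xml.etree.ElementTree as ET

# Hypothetical whitelist of image types a messaging service might accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}

# SVG elements that can run or load code when the file is rendered directly.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Link targets that execute rather than navigate.
ACTIVE_SCHEMES = ("javascript:", "data:text/html")


def _local_name(tag):
    """Strip a namespace prefix such as {http://www.w3.org/2000/svg}."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return a list of findings describing active content in an SVG.
    An empty list means nothing suspicious was found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            # onload=, onclick= and similar run script with no <script> tag.
            if attr_name.lower().startswith("on"):
                findings.append(f"{attr_name} handler on <{name}>")
            # href / xlink:href pointing at a javascript: or HTML data: URL.
            if attr_name == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"{attr_name}={value!r} on <{name}>")
    return findings


def is_upload_allowed(filename, content):
    """Whitelist the extension, then inspect SVG bodies. Returns (allowed, reason)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not whitelisted"
    if ext == ".svg":
        findings = find_active_content(content)
        if findings:
            return False, "active content in SVG: " + "; ".join(findings)
    return True, "ok"


# Constructed samples: a plain drawing, one with a script element,
# and one using an event handler plus a javascript: link.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">/* script would run here */</script>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="x()">
  <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:y()">
    <text>click</text>
  </a>
</svg>"""

if __name__ == "__main__":
    samples = [("clean.svg", CLEAN_SVG), ("video.svg", SCRIPT_SVG),
               ("promo.svg", HANDLER_SVG), ("codec.exe", b"MZ")]
    for name, data in samples:
        print(name, is_upload_allowed(name, data))
```

The parse step is what the extension whitelist lacked: `clean.svg` passes, the two scripted files are rejected with the reason recorded, and a non-image extension is still refused before any parsing. A service that must accept SVG can combine this check with serving the file only through an `<img>` element or as a download, since browsers do not execute script in an SVG loaded as an image, only in one opened directly or embedded via `<object>`/`<iframe>`.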
The image leads to a fake YouTube item, which demands you add a codec to
view the video on Chrome. Security researcher Bart Blaze, who
discovered the ransomware, found that the extension to execute this,
“One,” gives itself permission to “read and change all your data on the
websites you visit.” He wrote that he was, “not exactly sure what this
extension is supposed to do beside spreading itself automatically via
Facebook, but likely it downloads other malware to your machine.” In his
case, this included the popular Nemucod malware downloader.
Another security researcher, Peter Kruse, reported that one possible
payload was the Locky ransomware. Facebook, though, told Threat Post:
“We determined that these were not in fact installing Locky malware.”
Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged
as .svg file. Bypasses FB file whitelist. https://t.co/WYRE6BlXIF
pic.twitter.com/jgKs29zcaG -- peterkruse (@peterkruse) November 20,
2016
Anyone who encounters the suspicious .svg files should, per Threat Post
and Blaze, disable JavaScript in their browser, block Wscript, or set
any files with the extensions .svg, .js, and .jse to open only in
Notepad -- the latter technique defeats the code’s ability to execute
itself in your browser when you click on the image.
And, as always, avoid clicking on unsolicited messages, whether in
Facebook Messenger, your email client, or your SMS inbox, as was the
case a few days ago with a fake Apple ID phishing attack sent through
text messages.