Poison .JPG Spreading Ransomware Through Facebook Messenger (The Register)


Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that’s distributing the dangerous Locky ransomware.

The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties.

The flaw as described is, in this writer’s opinion, ultimately of little risk to El Reg’s tech savvy readers, but folks who can be conned into downloading and running unknown executables are at risk.

The attack is also significant in that it breaks Facebook’s security controls.

In a proof-of-concept video by Checkpoint researchers Roman Ziakin and Dikla Barda, an attacker is shown exploiting the flaw by sending an HTA HTML app through Facebook Messenger disguised as a .JPG. (JavaScript-loaded SVG images can also be used.) The victim must click on the attachment, an act that generates a Windows save file prompt asking the victim for the save directory to which the now .HTA file will be downloaded.