According to Checkpoint researchers, a variant of Locky malware is embedded in some Facebook and LinkedIn images. The malware deliberately forces the download of such images on users’ computers and then encrypts their files.
Locky is a malicious ransom malware, which is usually delivered through email in a word documents. Once user opens it, it automatically encrypts user’s files and demands a ransom for the key if users want to get their files back. This virus has been going around since earlier this year and it has infected many computers.
This recent attack on social media is a different form of Locky as it attacked through emails before. What happens is, user clicks a picture and instead of opening, it downloads on its own. That’s the Locky malware. Users are strictly advised to not open such files which they don’t recall downloading. According to CheckPoint’s research,
“The attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.
As more people spend time on social networking sites, hackers have turned their focus to find a way in to these platforms. Cyber criminals understand these sites are usually ‘white listed,’ and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities.”
Watch the demo: https://youtu.be/sGlrLFo43pY
Facebook’s stance on the malware
A facebook’s spokesperson told engadget that the reports are wrong. The malware downloads because of some bad chrome extensions. He said,
“This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.”
How to stay protected?
- If you open a picture on social media and it starts downloading on its own, do not open it.
- Don’t open any files which you don’t remember downloading.
- Don’t open any file with unusual extension like SVG, JS or HTA.
- Install a good antivirus software on your PC.