Slashdot Mirror


Locky Ransomware Uses Decoy Image Files To Ambush Facebook, LinkedIn Accounts (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A low-tech but cunning malware program is worrying security researchers after it started spreading rapidly in the past week through a new attack vector: by forcibly exploiting vulnerabilities in Facebook and LinkedIn. According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers. Locky has been around since early this year, and works by encrypting victims' files and demanding a payment of around half a bitcoin for the key. Previously, it had relied on a malicious macro in Word documents and spam e-mails, but Check Point says that in the past week there has been a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign." Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA -- though benign-looking images could exploit the way Windows hides file extensions by default.

3 of 36 comments

  1. But... Does it run on Linux? by mspohr · Score: 3, Insightful

    ... or OSX ... or ChromeOS ... or iOS ... or Android?
    We really need to know these things.
    Or should we always just assume it's Windows all the time?

    --
    I don't read your sig. Why are you reading mine?
  2. "maliciously coded image file"? by Anonymous Coward · Score: 4, Insightful

    the two social networks allow a maliciously coded image file to download itself to a user's computer.

    WTF is a "maliciously coded image file"?

    What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun? And WHICH image viewer has a vulnerability to the offending image? That is a key point, so that we can avoid the vulnerable software. Certainly not all of them would be vulnerable.

    Or, maybe, just maybe, this is actually not an image file at all, but a native executable, and stupid operating systems that present it as if it was an image file proceed to run the executable when it is double clicked, combined with stupid users who 40 years after the personal computing revolution started still don't have the slightest idea what they are asking computers to do, are having problems? If so, then why not say so, rather than pretend this is some utterly inexplicable sequence of events?

    And while we're at it, what does "download itself to a user's computer" mean?

    1. Re:"maliciously coded image file"? by TechyImmigrant · Score: 4, Insightful

      >today i learned that you can embed Javascript code into an SVG image file

      And today I learned that from you.

      It's like people just can't stop themselves from making declarative things executable in full knowledge that it will lead to a fresh source of attack vectors that will be exploited for years to come. I expect there is no switch, defaulted to 'off' to prevent the execution of javascript in places it shouldn't be, like in SVG in any browser I use. I can't find such a thing in Chrome.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
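The thread raises two concrete defender-side questions: is the "image" actually an image (or an executable with a misleading name, possibly hidden behind a double extension the way Windows hides it), and does an SVG carry script? The following is an added example, not code from Check Point, Ars Technica or any commenter here; the magic-byte table, the SVG active-content patterns and the sample downloads are all constructed for illustration, and the patterns are heuristics rather than a complete parser.

```python
import re
from typing import Dict, List

# Magic-byte signatures for the formats that matter here.  Table constructed
# for this example; the PNG/JPEG/GIF/MZ prefixes are the standard ones.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),  # Windows executable: never a legitimate image
]

IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "svg"}

# Markers of active content inside an SVG document (it is XML, so a text
# search is enough for triage).  Constructed heuristic list.
SVG_ACTIVE_PATTERNS = {
    "script element": re.compile(rb"<\s*script\b", re.I),
    "event handler attribute": re.compile(rb"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(rb"javascript\s*:", re.I),
    "foreignObject (embedded HTML)": re.compile(rb"<\s*foreignObject\b", re.I),
}


def sniff_type(data: bytes) -> str:
    """Classify by content only, ignoring the file name entirely."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    head = data[:2048].lstrip()
    if head.startswith(b"<"):
        if re.search(rb"<\s*svg\b", head, re.I):
            return "svg"
        if re.search(rb"<\s*(html|hta:application)\b", head, re.I):
            return "html"
    return "unknown"


def svg_active_content(data: bytes) -> List[str]:
    """Names of the active-content markers present in an SVG body."""
    return [name for name, pat in SVG_ACTIVE_PATTERNS.items() if pat.search(data)]


def inspect_download(name: str, data: bytes) -> Dict[str, object]:
    """Triage one downloaded file: verdict 'block', 'review' or 'ok' plus reasons."""
    parts = name.lower().split(".")[1:]
    ext = parts[-1] if parts else ""
    norm_ext = "jpeg" if ext == "jpg" else ext
    sniffed = sniff_type(data)
    reasons: List[str] = []

    # "photo.jpg.exe" is displayed as "photo.jpg" when Windows hides extensions.
    if len(parts) >= 2 and parts[-2] in IMAGE_EXTENSIONS and ext not in IMAGE_EXTENSIONS:
        reasons.append(f"double extension hides .{ext}")
    if sniffed == "pe":
        reasons.append("content is a Windows executable")
    if ext in {"js", "hta"}:
        reasons.append(f".{ext} is a script container, not an image")
    if norm_ext in IMAGE_EXTENSIONS and norm_ext != "svg" and sniffed != norm_ext:
        reasons.append(f"extension says {ext} but content is {sniffed}")

    verdict = "ok"
    if reasons:
        verdict = "block"
    elif ext == "svg":
        active = svg_active_content(data)
        if active:
            reasons.extend(f"svg contains {a}" for a in active)
            verdict = "block"
        else:
            verdict = "review"  # still markup, so hold it for a human look
    return {"name": name, "ext": ext, "sniffed": sniffed, "verdict": verdict, "reasons": reasons}


# Constructed sample downloads (not real malware): format headers plus filler.
SAMPLES = {
    "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 32,       # executable named as a photo
    "photo.jpg.exe": b"MZ\x90\x00" + b"\x00" * 32,   # hidden-extension variant
    "holiday.svg": b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "image.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><script>/* constructed */</script></svg>',
    "notes.js": b"var x = 1;",
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Map each sample file name to its verdict."""
    return {name: str(inspect_download(name, data)["verdict"]) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        rec = inspect_download(name, data)
        print(f"{name:16} {rec['sniffed']:8} {rec['verdict']:7} {'; '.join(rec['reasons'])}")
```

Run against the constructed samples, the PNG passes, the executables named as photos and the `.js` file are blocked, the SVG with an `onload` handler and a `<script>` element is blocked, and the plain SVG is held for review because the format itself can carry script even when this particular file does not. A mail or download gateway would apply the same two checks (content type by magic bytes, then active-content scan for XML-based image formats) before letting a file reach the user's Downloads folder.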