Slashdot Mirror


Locky Ransomware Uses Decoy Image Files To Ambush Facebook, LinkedIn Accounts (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A low-tech but cunning malware program is worrying security researchers after it started spreading rapidly in the past week through a new attack vector: by forcibly exploiting vulnerabilities in Facebook and LinkedIn. According to the Israeli security firm Check Point, security flaws in the two social networks allow a maliciously coded image file to download itself to a user's computer. Users who notice the download, and who then access the file, cause malicious code to install "Locky" ransomware onto their computers. Locky has been around since early this year, and works by encrypting victims' files and demanding a payment of around half a bitcoin for the key. Previously, it had relied on a malicious macro in Word documents and spam e-mails, but Check Point says that in the past week there has been a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign." Users are advised not to open any file that has automatically downloaded, especially any image file with an unusual extension such as SVG, JS, or HTA -- though benign-looking images could exploit the way Windows hides file extensions by default.

9 of 36 comments

  1. But... Does it run on Linux? by mspohr · · Score: 3, Insightful

    ... or OSX ... or ChromeOS ... or iOS ... or Android?
    We really need to know these things.
    Or should we always just assume it's Windows all the time?

    --
    I don't read your sig. Why are you reading mine?
  2. Damnit by JustAnotherOldGuy · · Score: 3, Interesting

    Damnit, I don't have a Facebook account so I never get to enjoy all these new malware strains.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. "maliciously coded image file"? by Anonymous Coward · · Score: 4, Insightful

    the two social networks allow a maliciously coded image file to download itself to a user's computer.

    WTF is a "maliciously coded image file"?

    What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun? And WHICH image viewer has a vulnerability to the offending image? That is a key point, so that we can avoid the vulnerable software. Certainly not all of them would be vulnerable.

    Or, maybe, just maybe, this is actually not an image file at all, but a native executable, and stupid operating systems that present it as if it was an image file proceed to run the executable when it is double clicked, combined with stupid users who 40 years after the personal computing revolution started still don't have the slightest idea what they are asking computers to do, are having problems? If so, then why not say so, rather than pretend this is some utterly inexplicable sequence of events?

    And while we're at it, what does "download itself to a user's computer" mean?

    1. Re:"maliciously coded image file"? by rudy_wayne · · Score: 3, Informative

      WTF is a "maliciously coded image file"?

      What is the format of this file? JPG? PNG? How, precisely, is it exploiting the image viewer? Via buffer overrun?

      Details are not available yet. According to one story, the people who discovered the exploit are not talking about details until it has been patched. I don't know if it's relevant but the story specifically mentions SVG and today I learned that you can embed JavaScript code into an SVG image file. Since the only SVG image viewer that most people have is a web browser, this could be one possible attack vector.

    2. Re:"maliciously coded image file"? by TechyImmigrant · · Score: 4, Insightful

      >today I learned that you can embed JavaScript code into an SVG image file

      And today I learned that from you.

      It's like people just can't stop themselves from making declarative things executable in full knowledge that it will lead to a fresh source of attack vectors that will be exploited for years to come. I expect there is no switch, defaulted to 'off' to prevent the execution of javascript in places it shouldn't be, like in SVG in any browser I use. I can't find such a thing in Chrome.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Re:Granting blind permission by CaptainDork · · Score: 2

    Stupidity and ignorance may yield the same results, but one is voluntary; the other isn't. ~ © 2016 CaptainDork

    --
    It little behooves the best of us to comment on the rest of us.
  5. Gifar by manu0601 · · Score: 2

    This looks like the ancient Gifar attack: inject some executable content identified as an image.

  6. Re:What do you mean by access? by ArmoredDragon · · Score: 2

    It mostly takes advantage of naive users, but really it was incredibly stupid of Microsoft to hide file extensions by default all those years back. It's been a major security pain point for a very long time, and yet still it remains.

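The two defender-side checks raised in this thread, SVG files that carry script (rudy_wayne's reply above) and "image" names that are really scripts or executables behind a hidden Windows extension (the comment just above), as one added triage example; this is not code from the article, Check Point, or any commenter, and the file names and byte samples are constructed.

```python
"""Triage downloaded files that claim to be images (added example, constructed samples)."""
import re
from pathlib import Path

# Constructed: leading bytes of common raster formats, keyed by extension.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}
SCRIPT_EXTS = {".js", ".hta", ".vbs", ".wsf", ".exe", ".scr"}

# Markers of active content inside an SVG document: script elements,
# on* event-handler attributes, javascript: URLs and embedded HTML.
SVG_ACTIVE = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b", re.IGNORECASE)


def triage(name: str, data: bytes) -> list:
    """Return a list of findings (empty means nothing suspicious) for a file name and its bytes."""
    findings = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    # "photo.jpg.js" is shown as "photo.jpg" when Windows hides known extensions.
    if len(suffixes) >= 2 and suffixes[-2] in IMAGE_EXTS and ext in SCRIPT_EXTS:
        findings.append("double extension: image name, script type")
    elif ext in SCRIPT_EXTS:
        findings.append(f"script/executable type {ext}")
    # A raster extension whose bytes do not start with that format's header.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append(f"content does not match {ext} header")
    # SVG is XML and may embed JavaScript that a browser-based viewer will run.
    if ext == ".svg" or b"<svg" in data[:512]:
        hit = SVG_ACTIVE.search(data)
        if hit:
            findings.append(f"svg with active content: {hit.group(0).decode(errors='replace')}")
    return findings


# Constructed samples: two benign images, one scripted SVG, one double extension,
# and an executable header (MZ) behind a .jpg name.
SAMPLES = {
    "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "holiday.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',
    "cat.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "photo.jpg.js": b"var x = 1;",
    "selfie.jpg": b"MZ\x90\x00" + b"\x00" * 12,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", triage(fname, blob) or "clean")
```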
  7. Re:But... Does it run on Linux? by davester666 · · Score: 2

    who cares? I don't use facebook or linkedin, and my computer blocks resolving those domains.

    --
    Sleep your way to a whiter smile...date a dentist!