Researchers have discovered that it is possible to spread ransomware through Facebook with what appear to be ordinary images.
Sharing malware through Facebook is not easy: the social network has its own controls to stop suspicious files from passing through its servers and reaching users.
However, some attackers appear to have bypassed those controls and are distributing ransomware via Facebook; users who open the files end up infected. The technique is known as ImageGate.
ImageGate, a method to share ransomware through Facebook
The interesting thing is that at first glance the file looks like an image. Users who suffered the attack first received an image from one of their friends via Facebook Messenger (the same trick works on LinkedIn). At first sight it looks like a normal .jpg.
If we click on the image to see it larger, the Windows dialog to save the file appears; only then do we notice that it has an unusual extension. Extensions known to be used include .hta, .svg and .js. The .zzzzz extension has also been seen recently.
Of course, it is very easy not to look at the file extension once we have clicked to download it, especially if it initially appeared to be a .jpg. Windows Explorer makes this worse: with its default "hide extensions for known file types" setting, a file named photo.jpg.hta is shown simply as photo.jpg.
Finally, if we open the file (for example from the browser's download bar) expecting to see the image at full size, we are infected: the file is not a picture but a script, and opening it runs that script. Locky is the ransomware most often delivered through this attack vector.
How to avoid getting infected through Facebook
Locky works like most ransomware: it encrypts all our files and then demands a payment in Bitcoin for the key to decrypt them. Experts advise against paying, because there is no guarantee that the files will actually be recovered.
For this reason, the researchers who discovered the Facebook and LinkedIn flaw recommend two steps to protect ourselves:
- If you click on an image and it asks you to save a file, don't do it; every image shared with you on Facebook should display in the browser itself.
- Do not open images with strange extensions, regardless of where you got them.
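The second piece of advice can be turned into a check. The following is an added example, not code from the article or from the researchers who reported ImageGate: it classifies a downloaded "picture" by its real content (the leading magic bytes) rather than by the name it was given, and flags the script-carrying cases described above (an .hta or .js extension hidden behind a photo name, an SVG with embedded script, or a .jpg/.png name whose bytes are not an image). The sample files, the SAMPLES dictionary and the triage() and sniff_image() function names are all constructed for this demonstration.

```python
"""Triage a 'picture' a contact sent you before opening it.

Added example (not from the article or the ImageGate researchers): classify a
downloaded file by what its bytes actually are, not by the name it carries.
The sample files in SAMPLES are constructed for this demo.
"""
import re
from pathlib import PurePosixPath
from typing import Optional

# Real raster image formats, identified by their leading bytes.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions that Windows hands to a script host (mshta, wscript), which then
# executes the file's contents instead of showing a picture.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".wsf"}

# Script markers inside an SVG: <script> elements, on* event handlers,
# javascript: URLs. The browser renders SVG as a document and runs these.
SVG_SCRIPT_RE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def sniff_image(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage(filename: str, data: bytes) -> dict:
    """Classify a file as 'image', 'svg' or 'dangerous', with a reason."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""  # the LAST extension is what Windows honours
    head = data[:512].lstrip()

    # 1. photo.jpg.hta: the trailing extension decides how Windows opens it.
    if ext in SCRIPT_EXTENSIONS:
        return {"verdict": "dangerous", "reason": f"script extension {ext}"}

    # 2. SVG is XML, not a bitmap; it is safe only if it carries no script.
    if ext == ".svg" or head.startswith(b"<?xml") or b"<svg" in head:
        if SVG_SCRIPT_RE.search(data):
            return {"verdict": "dangerous", "reason": "svg with embedded script"}
        return {"verdict": "svg", "reason": "svg without script"}

    # 3. A name that claims .jpg/.png/.gif but whose bytes are not that image.
    kind = sniff_image(data)
    if ext in {".jpg", ".jpeg", ".png", ".gif"} and kind is None:
        return {"verdict": "dangerous", "reason": f"{ext} name but no image header"}

    # 4. Genuine raster image: fine to view.
    if kind is not None:
        return {"verdict": "image", "reason": f"{kind} header"}
    return {"verdict": "dangerous", "reason": "unrecognised content"}


# Constructed sample downloads (not real malware): a genuine JPEG, an SVG that
# would redirect the browser, an HTA hidden behind a .jpg, and a fake PNG.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "holiday.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>location="x.hta"</script></svg>',
    "holiday.jpg.hta": b'<html><script>new ActiveXObject("WScript.Shell")</script></html>',
    "holiday.png": b"this is not an image at all",
}


def triage_all(samples: dict) -> dict:
    """Run triage over a name -> bytes mapping and return name -> verdict."""
    return {name: triage(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {triage(name, data)}")
```

The check deliberately trusts only the last extension and the first bytes: a double extension such as photo.jpg.hta is caught by the extension rule, a file that is really an image passes even if the name is odd, and an SVG is accepted only when it contains no script. Note that it is a triage aid, not a substitute for the rule above: a file that Windows would run should simply not be opened.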