Malware hijacks users' PC using Facebook and LinkedIn images

28 Nov 2016

Researchers at Check Point have found that a variant of the known ransomware Locky was taking advantage of flaws in the way Facebook and LinkedIn (among others) handled images. The trick forced users' browsers to download a maliciously coded image file that hijacked users' systems the moment it was opened. When users did so, their files were encrypted until they paid up.

While the actual Locky code was quite simple and easy to avoid if one was aware of it, it was the delivery mechanism that had analysts worried. Many security apps explicitly trusted big social networks, and many people were not used to worrying about their downloads from sites like Facebook.

Meanwhile, Ars Technica last week quoted Israeli security company Check Point as describing a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign."

Typically what happened was that when one clicked on an image thumbnail, rather than displaying the image in a separate window, the site caused the file to download automatically.

Most people would naturally click on the downloaded image, and that was what executed the Locky code, which immediately locked up all user files and demanded a ransom.

Vulnerabilities in Facebook and LinkedIn had been exploited by the perpetrators of the Locky attack, according to Check Point. "The attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users' device as soon as the end user clicked on the downloaded file."
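The article only says that malicious code was embedded in "an image file" that users opened from their downloads; Check Point had not disclosed the exact flaw. One generic check a defender can run regardless of the specific technique is to verify that a file carrying an image extension in the downloads folder actually begins with that format's magic bytes. The following is an added example written for this page, not Check Point's or the article's code; the signature table, the sample files and the `MZ` stand-in for a non-image payload are all constructed here for illustration.

```python
import os
import tempfile

# Magic-byte signatures for common image formats (constructed table; a
# downloads-folder check only needs the formats users typically save).
IMAGE_SIGNATURES = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".bmp":  [b"BM"],
}

HEAD_BYTES = 16  # longest signature above is 8 bytes; read a little extra


def classify_download(name, head):
    """Verdict for one file, given its name and its first bytes.

    Returns "ok" when the extension and the leading bytes agree,
    "mismatch" when a file named as an image does not start like one,
    and "not-an-image-extension" for everything else.
    """
    _, ext = os.path.splitext(name.lower())
    if ext not in IMAGE_SIGNATURES:
        return "not-an-image-extension"
    if any(head.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return "ok"
    return "mismatch"


def scan_downloads(directory):
    """Map every regular file in `directory` to its verdict."""
    findings = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(HEAD_BYTES)
        findings[entry.name] = classify_download(entry.name, head)
    return findings


def demo():
    """Build a temporary downloads folder with constructed samples and scan it."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,   # real JPEG (JFIF) header
        "logo.png":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 20,  # real PNG header
        "photo.jpg":   b"MZ\x90\x00" + b"\x00" * 20,         # constructed: not image bytes
        "notes.txt":   b"hello",                             # not an image at all
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_downloads(d)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:14} {verdict}")
```

Running the script prints one verdict per sample; `photo.jpg` is reported as `mismatch` because its name promises a JPEG but its bytes do not start with a JPEG marker. A signature check like this does not identify what the file really is, so a `mismatch` should be treated as a reason not to open the file and to submit it for analysis, not as a complete diagnosis.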

Check Point stated it had earlier informed Facebook and LinkedIn of the vulnerability being used in the ransomware attack, but that it would not make the details public until those social media sites and other major sites had fixed the security flaw.