Locky hidden in image file hitting Facebook, LinkedIn users

Malware masquerading as an image file is still spreading on Facebook, LinkedIn, and other social networks.

Check Point researchers have apparently discovered how cyber crooks are embedding malware in graphic and image files, and how they are executing the malicious code within these images to infect social media users with Locky ransomware variants.

“The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file,” they noted.

They dubbed this attack vector ImageGate, and have shared their knowledge with Facebook and LinkedIn in early September.

As the malware delivery campaigns continue, it’s safe to say that the social networks have yet to fid a way to fix this issue without damaging their own functionalities.

As they are searching for a solution, the Check Point research team advises users not to open any image they have received from another user and have downloaded on their machine.

“Any social media website should display the picture without downloading any file,” they pointed out, so there is no particular need to open any image file. They also advise users not to open any image file with an unusual extension (e.g. SVG, JS or HTA).

The good news about this particular attack vector that it’s not automatic, i.e. it requires users to actually download and run the malicious files themselves. The bad news is that users like to look at image someone has sent them.

A video demonstration of the attack can be viewed below: