Facebook and LinkedIn Spam Campaign Spreads Locky Ransomware

Share this…


An ongoing spam campaign is using boobytrapped image files to download and infect users with the Locky ransomware, Israeli security firm Check Point reports.

aMalware authors are spreading malicious image files via these two platforms. When users detect the automatic download, if they access the malformed image, malicious code will install the Locky ransomware on their computers.

Vulnerabilities in Facebook and Linked remain unfixed

Check Point has declined to provide any technical details at the time of writing because both Facebook and LinkedIn haven’t fixed the vulnerability exploited by the attackers. The company says it reported the issue back in September.

The company has warned users about opening what looks to be an image files with unusual extensions, such as SVG, JS or HTA.

This makes us believe the spammers are using double extensions to hide the true nature of the file. By default, Windows hides a file’s extension. So when you see a file like image.jpg, it may be actually hiding a second extension, such as image.jpg.hta or image.jpg.js.

The file extensions which Check Point mentioned, SVG, JS, and HTA, have the ability to download content from an online server and run it.

The criminal group behind the Locky ransomware has used JS and HTA files to install their malware in the past, albeit via file attachments that arrived via spam emails, but not social media.

Might be related to another Facebook spam campaign reported on Monday

This campaign looks to be related with a Facebook DM spam run discovered by security researcher Bart Blaze on Monday.

Blaze reported that crooks were using Facebook to spread around a malicious SVG file that included malicious JavaScript code that downloaded the Nemucod malware and then the Locky ransomware.

For the time being, it may be safe to avoid opening any unsolicited file you receive via private messages on Facebook or LinkedIn, or files that mysteriously download to your PC.