Researchers at security firm Check Point claim to have discovered a new attack vector, dubbed ImageGate, which embeds malware in images propagated via websites like Facebook and LinkedIn. It is apparently a variant of the notorious Locky ransomware, which shuts down all processes until its victims cough up cash.
According to Check Point's investigation, the people behind these attacks have built a new capability that embeds malware code into a photo. They then upload the picture onto a social media website such as Facebook, taking advantage of a flaw in the social media infrastructure to force targets into downloading the image.
The infection hits the victim's device the moment they open the corrupted photo, as can be seen in the demonstration video below. All their files become encrypted and can only be unlocked once the ransom is paid. The ransomware is supposedly still active and has been spreading across social media sites for weeks because of their whitelisted status.
Check Point is now advising people to avoid opening any image that starts downloading when clicked, since most social media sites display photos inline without prompting a download. The firm also says people shouldn't open a picture with an unusual file extension such as SVG or HTA.
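Check Point's advice amounts to a simple check a defender can automate: a file that claims to be a photo should carry a raster-image signature and an image extension, not script-capable markup. The following is an added example written for this article, not Check Point's or Facebook's code; the sample files, the extension list (limited to the SVG and HTA cases named above) and the markup markers are assumptions.

```python
from pathlib import PurePath
from typing import Optional

# Magic bytes of the raster formats social media sites normally serve.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions the article warns about; both are text formats that can carry script.
SUSPICIOUS_EXT = {".svg", ".hta"}

# Markers of active content inside a text "image" (assumed, not exhaustive).
ACTIVE_MARKERS = (b"<script", b"javascript:", b"<hta:application")


def sniff_image(data: bytes) -> Optional[str]:
    """Return the raster format implied by the file header, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def looks_like_active_content(data: bytes) -> bool:
    """True if the first few KB contain script or HTA markup."""
    head = data[:4096].lower()
    return any(marker in head for marker in ACTIVE_MARKERS)


def assess_download(filename: str, data: bytes) -> dict:
    """Decide whether a downloaded 'image' should be opened; collect reasons."""
    ext = PurePath(filename).suffix.lower()
    kind = sniff_image(data)
    reasons = []
    if ext in SUSPICIOUS_EXT:
        reasons.append(f"extension {ext} is not a raster image format")
    if kind is None:
        reasons.append("no PNG/JPEG/GIF signature")
    if looks_like_active_content(data):
        reasons.append("contains script/HTA markup")
    return {"file": filename, "format": kind,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed samples: a minimal PNG header, an SVG with script, and an HTA file.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HTA_SAMPLE = b"<html><head><hta:application id=\"x\"/></head><body></body></html>"
```

Run `assess_download("photo.svg", SVG_SAMPLE)` to see every reason the file would be blocked rather than just the verdict.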
Check Point says it alerted Facebook and LinkedIn to its findings back in early September. A Facebook spokesperson has now told Engadget that Check Point's analysis is wrong, asserting that there is no connection to Locky and that the issue isn't appearing in Messenger or Facebook.
Facebook's own investigation has led to the conclusion that the problem was caused by several bad Chrome extensions, which it has been blocking for nearly a week. The company has now reported the bad browser extensions to the relevant parties.