Facebook Denies Researchers' Claim Ransomware Spreading via Images

Researchers at Check Point Software Technologies allegedly find images spreading ransomware on social media sites, but Facebook calls their research "incorrect."

Malware Images 2

Researchers at security firm Check Point Software Technologies warned social media users that online criminals have begun using specially crafted image files to spread ransomware using a weakness in some social media services.

The report, posted to the company's website, came as attackers used Facebook and other services to spread images containing links to sites that would try to trick users into downloading the Locky ransomware. The company's researchers claimed Nov. 24 that it had found an additional infrastructure weakness in some social media services that allowed the attack to be more effective.

"The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file," the Check Point researchers said. "This results in infection of the users' device as soon as the end-user clicks on the downloaded file."

On Monday, however, Facebook denied the issue and called the research "incorrect."

"There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook," the company said in an e-mail statement sent to eWEEK.

The social media giant said it had first learned of the potential issue on Nov. 22, which Check Point described as an URL-handling issue that emerges in Firefox. Last week, the company said that another group of attacks used malicious or insecure extensions in Chrome to propagate ransomware links.

"We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week," Facebook said in its statement. “We also reported the bad browser extensions to the appropriate parties."

The spat between Facebook and Check Point is unusual, because the security firm claimed in its blog post that it had contacted both Facebook and LinkedIn about this issue in September.

If image files are involved, it would not be the first time that attackers had found a way to use graphics to spread malware. Vulnerabilities in frequently used image libraries have led to attacks embedded in images.

"The concept of spreading through images is not new—we have seen this for at least 10 years," Derek Manky, global security strategist for Fortinet, told eWEEK. "If it is an image-based exploit, it will rely on the image renderer—the parser—to trip up on the malicious code embedded in the image to execute malicious instruction, (such as) download the Locky payload."

Yet, with Facebook refuting Check Point's research, the only certainty is that attackers are looking to social media as a better way to spread malware.

"As more people spend time on social networking sites, hackers have turned their focus to find a way in to these platforms," researchers from Check Point stated in its blog post. "Cyber-criminals understand these sites are usually whitelisted, and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities."

Check Point recommended that users do not open image files downloaded from the Internet, adding that "any social media website should display the picture without downloading any file." In addition, users should not open any purported images with an unusual extension, such as SVG, JS, or HTA.

Requests for comment from Check Point were not immediately returned.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...