Secplicity – Security Simplified

Your Facebook Friends Might Be Sending You Ransomware

Over the weekend, a security researcher discovered malware distributed via Facebook messages. Attackers used Facebook messages to send a malicious Scalable Vector Graphics (SVG) image that, when clicked, executes heavily obfuscated JavaScript. The JavaScript ultimately redirects the victim to a fake YouTube webpage that then prompts the user to install a browser extension with permissions to modify any visited webpage. The researcher surmised that the extension is used to further distribute itself to other victims via Facebook messaging, as well as download malware directly to the victim’s machine. A second security researcher later confirmed the extension distributed the Locky ransomware variant.
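A defender-side check for the delivery vector described above, as an added example that is not from the original post or from either researcher: it parses an SVG file and reports script elements, event-handler attributes and script-capable links. The element list, function names and both sample files are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that run or embed active content when an SVG is opened as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
RISKY_SCHEMES = ("javascript:", "data:text/html")


def local(name):
    """Drop the '{namespace}' prefix ElementTree adds to tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes):
    """Return findings for one SVG file; an empty list means nothing active was seen."""
    # A static image has no need for custom entities, so do not even parse them.
    if b"<!ENTITY" in data.upper():
        return ["inline entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for name, value in el.attrib.items():
            attr = local(name)
            # URL parsers drop tabs and newlines, so strip whitespace before matching.
            target = "".join(value.split()).lower()
            if attr.startswith("on"):
                findings.append(f"event handler '{attr}' on <{tag}>")
            elif attr == "href" and target.startswith(RISKY_SCHEMES):
                findings.append(f"script-capable link on <{tag}>")
    return findings


# Constructed samples (not taken from the campaign described above).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/javascript">/* placeholder for embedded code */</script>
  <a xlink:href="java&#10;script:void(0)"><rect width="10" height="10"/></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_active_content(sample))
```

A check like this fits a mail or upload gateway that quarantines SVG attachments with any finding, since an image meant only for display needs none of these features.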

This isn’t the first, or even the second, time that Facebook has been used to distribute malicious browser extensions and ultimately malware. Back in September, criminals posted on Facebook a hoax news article about Brad Pitt taking his life to trick victims into visiting a malicious website. Even earlier, in June, a malicious Chrome extension was found distributing malware and replicating automatically by tagging friends of the infected victim in Facebook posts.

Facebook’s widespread popularity makes it an excellent avenue for malware authors to infect many victims, and I don’t expect that to change anytime soon. All three of these attacks have something in common, though: the victim must click something to become infected. Users should always be wary of unsolicited links and images, whether they are received via email or a Facebook message. As we’ve seen, some malware can automatically send itself to the victim’s Facebook friends list. Just because a file came from a friend doesn’t mean that it’s safe. –Marc Laliberte
