Recently, security researchers at Check Point Software Technologies Ltd. discovered a new malware attack method, called ImageGate. Because users typically spend a lot of time on social media and trust these sites as safe, hackers have worked out how to bypass popular social media networks' security controls. (This particularly nasty ransomware outbreak, dubbed ImageGate, is a reminder to all of us to avoid clicking on random images downloaded from your favorite social network.)
ImageGate is similar to Locky ransomware, which was first discovered earlier in 2016. As the name implies, it locks up a victim's computer by encrypting their files and demanding a ransom of 0.5 bitcoins (about $365) in exchange for a key. (Ransomware is a form of malware that encrypts a user's data and prevents them from accessing their personal files until they pay the hacker to get them back. Sometimes users are asked to pay hundreds of dollars for a decryption key. Usually, ransomware is transmitted through infected email links, malicious websites or pop-up messages, as described here.)
However, earlier this week, Hacker News reported that a Facebook spam campaign was spreading Locky through image files in the SVG format. At the time, Facebook denied that this was happening. Now, security firm Check Point says that Locky is being embedded into several graphic formats and spread through “social media applications such as Facebook and LinkedIn.” The firm has put together a helpful video with a laughably ominous soundtrack for you.
Check Point claims that hackers have been focused on finding exploits in social networks because they are usually “white listed.” The firm’s research found that hackers have found “a new capability to embed malicious code into an image file and successfully upload it to the social media website.” When a victim clicks on the image, the image is automatically downloaded. When the image is opened, the ransomware automatically locks up all their data and leaves a text file in each encrypted directory. That file points to servers on the anonymizing Tor network where the victim can make a payment to retrieve their data.
For now, Check Point says it isn't releasing full technical details until it knows the problem has been fixed. It says it informed Facebook and LinkedIn back in September. Those are the only two social networks it mentions by name, but it does not specify whether they are the only two being used for attacks.
In any event, avoid opening any social media image that downloads automatically.
Also, don’t open image files with “unusual extensions such as SVG, JS or HTA.”
4 Tips to Protect Yourself From ImageGate Ransomware
- If you receive an image randomly, do not click on it
- Beware of image files that have unusual extensions (such as .svg, .js, or .hta)
- If you click on an image and your browser begins downloading a file, do not open it. Delete it immediately
- Ensure you have updated antivirus and anti-malware software installed on your PC to protect against ransomware attacks
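As an added illustration (not part of the article or of Check Point's research), the script below applies tips 2 and 3 to files already sitting in a downloads folder: it flags the unusual extensions the article names, a raster extension whose file header does not match, and SVG or HTML markup that carries script. The marker patterns and the four sample files are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Extensions the article lists as unusual for something presented as an "image".
RISKY_EXTENSIONS = {".svg", ".js", ".hta"}
RASTER_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Magic bytes of the raster formats a social-network photo is normally saved as.
RASTER_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Active-content markers inside SVG/HTML markup (constructed pattern set, not from the article).
ACTIVE_MARKUP = re.compile(
    rb"<script\b|\bon[a-z]+\s*=|javascript:|xlink:href\s*=\s*[\"']https?://", re.IGNORECASE
)
MARKUP_PREFIXES = (b"<?xml", b"<svg", b"<!doctype", b"<html", b"<script")


def inspect_download(path: Path) -> list[str]:
    """Return the reasons a downloaded 'image' deserves suspicion (empty list = nothing found)."""
    reasons = []
    ext = path.suffix.lower()
    head = path.read_bytes()[:4096]
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"unusual image extension {ext}")
    if ext in RASTER_EXTENSIONS and not head.startswith(RASTER_MAGIC):
        reasons.append("extension claims a raster image but the file header does not match")
    if head.lstrip().lower().startswith(MARKUP_PREFIXES) and ACTIVE_MARKUP.search(head):
        reasons.append("markup carries script, event handlers or an external reference")
    return reasons


def scan_constructed_samples() -> dict[str, list[str]]:
    """Write four constructed files to a temp dir and inspect each; returns name -> reasons."""
    samples = {
        # SVG whose <script> would run when opened in a browser
        "cat.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="go()"><script>go=()=>0</script></svg>',
        # plain SVG drawing: only the extension itself is unusual
        "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10"/></svg>',
        # HTML renamed to look like a photo
        "photo.jpg": b"<!DOCTYPE html><html><script>document.title='x'</script></html>",
        # genuine PNG header, nothing to flag
        "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            p = Path(tmp, name)
            p.write_bytes(content)
            results[name] = inspect_download(p)
    return results
```

Point `inspect_download` at each file in your browser's download directory to get the same per-file verdicts for real downloads.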
While waiting for Facebook and LinkedIn to improve their security controls, stay vigilant, be aware of ImageGate and as always - avoid opening unsolicited messages.