Check Point security researchers have uncovered a dangerous new method for spreading Locky ransomware through Facebook Messenger, known as ImageGate.
Locky Infects Users via Facebook Messenger in the ImageGate Attack
Check Point security researchers have uncovered a new obfuscation tactic that various computer criminals have been using to spread Locky ransomware and other malware via Facebook Messenger. Several security experts have named this attack ImageGate, and it is growing in size as we speak.
The researchers have not disclosed details of the flaw, as the social network has not yet mitigated it. Other related services are also affected, including LinkedIn.
A proof-of-concept demonstration shows how the attack is initiated:
- The criminal operators send the target users an infected JPG image via Facebook Messenger or another messaging platform that allows such files to be transferred between users.
- The victim must click on the attachment, which leads to a Windows save prompt. The "JPG" file is actually a dangerous .hta file that carries the ransomware payload. Spoofing file types has been a common tactic for decades; here the attackers rely on a vulnerability in Facebook's security checks that lets them use this method to infect users.
- Once the victim runs the downloaded .hta file, the Locky ransomware is deployed.
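The weak point in the chain above is a file whose name claims one type while its bytes are another. The following is an added defensive example (not code from the original article or from Check Point) that classifies a messenger attachment by comparing its declared extension with its magic bytes and by looking for HTML Application markers in image-named files; the signature table, marker list and sample files are constructed for the example.

```python
# Image signatures a messenger attachment is expected to carry (constructed table).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions Windows hands to a script host or loader instead of an image viewer.
RUNNABLE_EXTS = (".hta", ".js", ".vbs", ".exe", ".scr")

# Byte patterns that mark an HTML Application or script body rather than image data.
HTA_MARKERS = (b"<hta:application", b"<script", b"<html", b"activexobject", b"wscript.shell")


def declared_extensions(filename):
    """Return every extension in the name, lowercased: 'photo.jpg.hta' -> ['.jpg', '.hta']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'."""
    exts = declared_extensions(filename)
    if not exts:
        return "suspicious", "no file extension"
    # Only the last extension matters to Windows, so 'photo.jpg.hta' is an HTA.
    if exts[-1] in RUNNABLE_EXTS:
        return "suspicious", f"runnable extension {exts[-1]} (full chain: {exts})"
    expected = IMAGE_MAGIC.get(exts[-1])
    if expected is None:
        return "suspicious", f"unexpected extension {exts[-1]}"
    head = data[:16]
    if not any(head.startswith(magic) for magic in expected):
        # Name says image, content does not: check whether it looks like an HTA.
        sample = data[:512].lower()
        if any(marker in sample for marker in HTA_MARKERS):
            return "suspicious", f"{exts[-1]} name but HTA/script content"
        return "suspicious", f"{exts[-1]} name but leading bytes {head[:4].hex()} are not an image"
    return "ok", "extension matches content"


if __name__ == "__main__":
    # Constructed samples: a minimal JPEG header and a harmless HTA skeleton.
    real_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    fake_jpeg = b'<html><head><hta:application id="x"></head><script>var a=1;</script></html>'
    for name, blob in [("photo.jpg", real_jpeg), ("photo.jpg", fake_jpeg), ("photo.jpg.hta", fake_jpeg)]:
        print(name, classify_attachment(name, blob))
```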
The ImageGate attack can potentially spread any type of malware, which turns Facebook and similar online services into a very powerful malware distribution network. As long as the security flaw remains, attackers can use botnets, hijacked accounts and fake users to spread spam messages, or rely on social engineering to cause infections.
Locky is the ransomware chosen for this campaign because there is no way to decrypt the compromised files without resorting to advanced anti-spyware utilities, which, depending on the damage, may not restore all user data.
ImageGate is a reminder that, although users have grown accustomed to popular social networks and other frequently visited sites, these services are not entirely secure. The principles of good security practice should be followed there too. In this case it seems that users have neglected the most important rule of all: do not execute files from untrusted sources, especially when their file type is spoofed.
The social network has already issued a security warning to its users not to open such attachments while it fixes the flaw.