Users of Facebook, LinkedIn and other social media sites should avoid clicking on and downloading image files that appear without pictures, as they could launch ransomware attacks on their devices.
The suspicious images represent a new “ImageGate” attack vector for the Locky ransomware, according to a Thanksgiving Day blog post by security company Check Point. By exploiting a misconfiguration in social media sites, malicious actors can embed the ransomware code into image files that they then post on those sites.
After clicking on and downloading these image files, users will discover that all the files on the affected devices are automatically encrypted and inaccessible to them. The only way they can unlock their files is by paying a ransom to the hackers responsible, Check Point warned.
Exploiting Social Media ‘White Listing’
Check Point researchers Roman Ziskin and Dikla Barda said they discovered how ImageGate works while investigating the recent “massive spread” of Locky ransomware via social media sites. Released earlier this year, Locky has been blamed for numerous attacks, including one in which a California hospital had to pay a ransom of about $17,000 in bitcoin to unlock its files.
The latest spate of Locky attacks spread via a Facebook-based campaign, according to Ziskin and Barda. Other social networking sites such as LinkedIn have also been affected, they added.
“Check Point researchers strongly believe the new ImageGate technique reveals how this campaign was made possible, a question which has been unanswered until now,” they said. Check Point alerted both Facebook and LinkedIn to its findings early in September, they said.
“As more people spend time on social networking sites, hackers have turned their focus to find a way in to these platforms,” Ziskin and Barda said. “Cyber criminals understand these sites are usually ‘white listed’, and for this reason, they…