Suspicious Images on Social Media Are Spreading Malware to Your Computer

Steganography, the practice of concealing a message or other data inside an otherwise legitimate- or innocent-looking image or file, has been around since ancient Greece as a way to sneak information past enemies without them realizing it. Whereas in those days the messages were hidden in paintings, texts, and sculptures, today they are ‘hidden’ on the Internet in plain sight, all across social media, in the form of malicious images.


Users of social media sites such as Facebook and LinkedIn are being infected by attackers who embed malicious code in image files that then deliver malware to unsuspecting users’ computers, in a new attack vector that has been dubbed ‘ImageGate.’ The attackers exploit a misconfiguration in the sites’ security to force the victim’s browser to download the image file; the infection begins once the downloaded malicious file is clicked on.

Much of the research on these malicious files has been conducted by Check Point, an Israeli software technology company. Its research team uncovered a few methods that could be fueling this new attack vector. Oded Vanunu, head of products vulnerability research at Check Point, states, “Our primary finding is embedding an .HTA format into an image file (could be a JPEG too), which is relevant to all browsers. . . It can also be executed with a .SVG file that is embedded into JavaScript.” A Scalable Vector Graphics, or .SVG, file is a vector image format that browsers render natively, and it is very attractive to cyber-criminals. SVG is XML-based text rather than pixel data, so a browser parses it as a document, and a criminal can embed script in it, such as the malicious JavaScript code Vanunu mentions. An .HTA file (an HTML Application) is worse still: Windows runs it outside the browser’s sandbox, with the full privileges of the user who opens it.

If a user does click on one of these files, the malicious image directs them to a website that appears to be YouTube, although its URL shows that it is clearly not a legitimate YouTube link. Once the page loads, the victim is prompted to install a Chrome extension in order to play the video shown on the page. If the extension is installed, the attack spreads further via Facebook Messenger, and in some cases it also installs the Nemucod downloader, which ultimately delivers the Locky ransomware.

Social Networks’ Comments

Facebook and LinkedIn, the primary sites affected by the malware- and ransomware-laden images, have both commented on the issue:

Facebook representatives said:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties.”

LinkedIn also addressed ImageGate via a company spokesperson who said:

“We investigated this report and believe this method is not especially effective. . .While we have not found any exploitation of our platform using this vulnerability, we are taking additional steps to ensure our members are protected.”

How to Avoid Infection

Though the social media sites are adamant that these threats are not a serious issue, many users have claimed that ‘ImageGate’ has affected them personally. Whichever account you choose to believe, it is important to take every precaution you can in order to avoid attack.

  1. To avoid infection, social media users should avoid opening files that are downloaded as a result of clicking on an image, or that carry unusual file extensions such as .SVG, .JS or .HTA. Some of these files are downloaded in the background, so users do not see them initially; this is why it is important to check the extension before opening any file on your computer, as it may have been sitting in your downloads folder without your knowledge or consent. (On Windows, Explorer hides known extensions by default, so a file named ‘photo.jpg.hta’ can display as ‘photo.jpg’; turn on ‘File name extensions’ in the View tab to see the real one.) The threat ImageGate poses can only come to fruition if the user opens the malicious file, so do not open these files at all.
  2. Be wary of messages you receive that consist of just an ‘image’, especially if that is not how the sender usually behaves. Many of the malicious images that people claim carried Locky ransomware were sent through Facebook Messenger, not just posted on users’ homepages.
  3. Keep your security measures up to date when it comes to social media. Change your password regularly and take advantage of many sites’ two-factor authentication feature in order to better protect your accounts with minimal effort required on your end.
  4. Do not accept suspicious-looking pop-ups, such as the Chrome extension prompt used to spread Locky ransomware. If something doesn’t look right about the image or the pop-up, there probably is something wrong with it. Trust your gut and avoid these malicious links.
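The SVG and HTA embedding Vanunu describes above, and the file-extension advice in step 1, as an added example (this is not code from the article, from Axiom, or from Check Point): a small Python scanner that checks a download folder for files that claim to be images but are not. It flags the extensions the article names, compares an image extension against the file’s real leading bytes, and looks in the content for script elements, event-handler attributes, javascript: URLs or an hta:application element. The extension list, the image signatures and the sample downloads are constructed for this example, and ‘example.invalid’ is a placeholder host.

```python
"""Flag ImageGate-style downloads: files that claim to be images but are
HTML Applications (.hta), scripts, or SVG documents carrying script.

Added example; not code from the article or from Check Point.
"""
import os
import re
import tempfile

# Extensions the article warns about; a social-media "image" should never arrive as one.
RISKY_EXTENSIONS = {".hta", ".js", ".svg"}

# Leading bytes a genuine raster image of each type starts with (assumed set for this example).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Markup that turns a "picture" into executable content when a browser or mshta.exe opens it.
SCRIPT_PATTERNS = [
    ("script element", re.compile(rb"<script\b", re.I)),
    ("event handler attribute", re.compile(rb"\son(load|click|error|mouseover)\s*=", re.I)),
    ("javascript: URL", re.compile(rb"javascript:", re.I)),
    ("HTA application element", re.compile(rb"<hta:application\b", re.I)),
]


def inspect_file(path):
    """Return the reasons `path` looks like an ImageGate payload; an empty list means clean."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)  # the header plus the first few KB is enough for these checks

    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")

    # An image extension whose bytes are not that image format is a disguised file.
    if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
        reasons.append(f"extension {ext} but no {ext} image signature")

    for label, pattern in SCRIPT_PATTERNS:
        if pattern.search(head):
            reasons.append(f"embedded {label}")
    return reasons


def scan_directory(directory):
    """Map each suspicious file name under `directory` to its reasons; clean files are omitted."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            reasons = inspect_file(path)
            if reasons:
                findings[name] = reasons
    return findings


# Constructed sample downloads for this example; none is a real captured payload.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # genuine JPEG header: clean
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>',  # scriptless SVG
    "funny.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="window.open(\'https://example.invalid/\')"/>',
    "cat.png": b"<html><script>alert(1)</script></html>",  # HTML/HTA content wearing a .png name
    "video.hta": b'<hta:application id="x"/><script>alert(1)</script>',
}


def demo():
    """Write the constructed samples to a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run it as-is to scan the constructed samples, or point `scan_directory` at your real downloads folder. A scriptless SVG is still reported on its extension alone, as step 1 advises, while a verified JPEG is left alone. This is quick triage rather than a replacement for an anti-malware product: only the first 4 KB of each file is examined, and the pattern list covers the cases the article describes, not every way script can be smuggled into markup.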

Hailey R. Carlson | Axiom Cyber Solutions | 12/8/2016