Facebook Malware Attack

Facebook Malware Attack Warning

We’re receiving reports that Facebook Messenger is being used as a new delivery vector for malware, specifically as a way to start an infection chain that ends in the Locky ransomware. The ransomware itself is not hosted on Facebook; what travels through Facebook is the lure, and it is hosted in a peculiar way.

The attack starts when a compromised account (most likely one whose owner's machine is already infected) sends a message to everyone in its friends list. The message carries an SVG (Scalable Vector Graphics) file disguised as an image for the recipient to download and view. SVG is an XML format, and the format allows JavaScript to be embedded in the file; when the file is opened directly in a modern web browser (double-clicking the download, or opening it in a new tab), that script runs. The same file rendered through an image tag or an image preview does not run script, so the lure depends on the victim opening the downloaded file itself. In this campaign the embedded JavaScript redirects the browser to a site that mimics YouTube but sits at a completely different URL.
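The following scanner is an added example for this post, not code from SUPERAntiSpyware or from the attackers. It parses an SVG as XML and flags the constructs that let a "picture" run code when opened in a browser: `<script>` elements, `on*` event-handler attributes, `javascript:` links and `<foreignObject>`. Both SVG documents in the block are constructed samples; the malicious one only imitates the redirect described above, and its `video.example` URL is a placeholder, not the real lookalike site.

```python
"""Flag SVG files that can execute script when opened directly in a browser.

Added example for this post, not SUPERAntiSpyware code. The two SVG documents
below are constructed samples; the redirect URL in the malicious one is a
placeholder, not the real lookalike site.
"""
import re
import xml.etree.ElementTree as ET

# Constructed benign sample: plain shapes, nothing executable.
BENIGN_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="120" height="120">
  <circle cx="60" cy="60" r="50" fill="steelblue"/>
</svg>"""

# Constructed malicious sample modelled on the lure: it looks like a dark
# video frame, but carries three ways to run code once the file is opened
# as a document (javascript: link, onload handler, <script> element).
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="300">
  <rect width="400" height="300" fill="#222"/>
  <text x="20" y="150" fill="#fff">Loading video...</text>
  <a xlink:href="javascript:void(0)"><rect width="1" height="1"/></a>
  <image width="1" height="1"
         onload="window.location='https://video.example/watch'"/>
  <script type="text/javascript">
    window.location = "https://video.example/watch";
  </script>
</svg>"""

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)          # onload, onclick, ...
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript):", re.I)


def svg_script_findings(svg_text: str) -> list:
    """Return the reasons this SVG could run code; an empty list means none.

    Namespaces are stripped from tag and attribute names so that both
    'script' and '{http://www.w3.org/2000/svg}script' are caught.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():                       # document order
        tag = elem.tag.split("}")[-1].lower()
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> (can embed arbitrary HTML)")
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1]
            if EVENT_ATTR.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            if name.lower() == "href" and SCRIPT_URI.match(value):
                scheme = value.strip().split(":")[0].lower()
                findings.append(f"{scheme}: URI in href on <{tag}>")
    return findings


def is_suspicious_svg(svg_text: str) -> bool:
    """True if the file should not be opened as a standalone document."""
    return bool(svg_script_findings(svg_text))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, svg_script_findings(doc))
```

The same scan is worth running on any SVG a user hands you, since the executable surface is the format's, not this campaign's; what the campaign adds is only the social-engineering wrapper. An SVG with any finding should be treated as a web page, not a picture.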

On that site a popup tells the visitor to install a browser extension in order to play the video. Once installed, the extension can read and alter data on the websites you visit, and can use your logged-in Facebook session to message all of your friends the same SVG file, which is how the campaign spreads from account to account.

The ransomware itself arrives through the Nemucod downloader Trojan, which has been known to fetch copies of Locky onto victims’ PCs.

While Google and Facebook have been made aware of this attack, proper remediation could take time. The best course of action if you receive such a message is to ignore it and not open the attachment, clear your conversation history with that person, and report the account to Facebook as compromised.

If you have already opened the file and installed the extension, there is not much you can do beyond removing the offending extension in Chrome: go to Menu > More Tools > Extensions and check whether either the Ubo or One extension is listed. This is also a good time to remove any unknown extensions that are installed.
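For a machine you are cleaning up, the Extensions page shows names but not what each extension is allowed to do. The script below is an added example, not from the original post: it walks Chrome's standard profile layout under the current Windows user, reads each extension's `manifest.json`, and flags the permissions that let an extension read or modify every site you visit, which is exactly the capability the post describes. The extension names given above are not matched by ID here because the post does not list IDs; anything flagged and unfamiliar deserves removal.

```powershell
# Added example, not SUPERAntiSpyware code. Lists Chrome extensions for every
# profile of the current user and flags broad permissions. Assumes Chrome's
# default Windows install location; adjust $chromeUserData for Edge/Chromium.
$chromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

# Permissions that let an extension see or change everything you browse.
$broad = @('<all_urls>', 'tabs', 'webRequest', 'webRequestBlocking',
           'cookies', 'http://*/*', 'https://*/*', '*://*/*')

Get-ChildItem -Path $chromeUserData -Directory |
  Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') } |
  ForEach-Object {
    $profileName = $_.Name                         # Default, Profile 1, ...
    Get-ChildItem (Join-Path $_.FullName 'Extensions') -Directory |
      ForEach-Object {
        $extId = $_.Name                           # 32-char extension ID
        Get-ChildItem $_.FullName -Directory | ForEach-Object {
          $manifestPath = Join-Path $_.FullName 'manifest.json'
          if (-not (Test-Path $manifestPath)) { return }
          $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
          # MV2 puts hosts in 'permissions'; MV3 moves them to 'host_permissions'.
          $perms   = @($m.permissions) + @($m.host_permissions)
          $flagged = $perms | Where-Object { $_ -is [string] -and $broad -contains $_ }
          [pscustomobject]@{
            Profile   = $profileName
            Id        = $extId
            Version   = $_.Name
            Name      = $m.name      # '__MSG_*__' means the real name is in _locales
            Broad     = ($flagged -join ', ')
            Installed = (Get-Item $_.FullName).CreationTime
          }
        }
      }
  } | Sort-Object Installed -Descending | Format-Table -AutoSize
```

Sort order puts the most recently installed versions first, which is where an extension dropped by a lure like this one will appear. The `Extensions` folder can also hold leftovers of extensions Chrome has already disabled, so confirm the state on the Extensions page before and after removing anything.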

Remember, once a piece of ransomware has locked you out of your files, your options for recovery are only as good as the backups you have made. Keep your backups up to date and copy your data to an external drive as frequently as possible. Once a ransomware infection has taken place, every drive attached to the machine or reachable over the network is at risk, so never leave your backup drive connected when it is not in use.

Comments

Hello Elaine,

New malware/spyware threats, and variants of existing threats, are created daily. We do continually work to improve our detection and removal database, but threats do make it past our software, and past other software products as well. We’ll find things that certain companies won’t, and vice versa, they’ll find things we don’t.

It is also recommended to be “Preventative” about these things, rather than reactive. I recommend reading our blog post called “Prevention is Best” located on the blog.
https://www.superantispyware.com/blog/2016/09/14/prevention-is-best/

-SUPERAntiSpyware Customer Service
