Cyber Security

Hackers Are Sneaking Malware Into Facebook Messenger Pictures

If a friend messages you a strange photo, try to refrain from clicking it

Illustration: R. A. Di Ieso
Nov 21, 2016 at 5:28 PM ET

The next time a long-forgotten Facebook friend sends you an odd picture, it’s probably best to leave it alone.

Cyber-criminals have found a creative way to weasel into your computer: implanting malicious code inside a Facebook Messenger picture.

For the most part, the Facebook messaging app is tightly controlled, and doesn’t give hackers a lot of opportunity to mess with users. The app does allow users to embed a photo into a conversation, however, and that’s how the trick works. Discovered by security researcher Bart Parys, who wrote about it on Sunday after a friend spotted it on Facebook, it relies on the fact that Facebook lets users embed images as .svg (Scalable Vector Graphics) files, a lesser-used image format. Unlike a JPEG or PNG, an .svg file is XML text, and the format allows script to be embedded inside it, which is exactly what the attack Parys noticed did.
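The defender's side of the point above is that an image format which can legally carry script has to be screened before it is served. As an added example (not code from the article, from Parys, or from Facebook), here is a small Python checker that a site or upload gateway could run on .svg files: it flags `script` and `foreignObject` elements, `on*` event-handler attributes and `href` values using script-bearing URL schemes, and produces a stripped copy. The element and attribute lists, the finding labels and the two sample files are assumptions constructed for illustration; the checker uses the standard-library parser, so a production deployment parsing untrusted XML should swap in a hardened parser such as `defusedxml`, and it does not cover every avenue (CSS-based or external-reference tricks are out of scope here).

```python
"""Screen an SVG document for active content before serving it as an image."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep serialized output in the default SVG namespace

# Elements that can carry executable code or foreign (HTML) markup.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attributes whose value is a URL; xlink:href has the local name "href" too.
URL_ATTRS = {"href"}
# URL schemes that execute or smuggle content rather than point at a resource.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def _attr_is_active(name, value):
    """True for on* event handlers and for URL attributes with a dangerous scheme."""
    if name.lower().startswith("on"):
        return True
    return name in URL_ATTRS and value.strip().lower().startswith(DANGEROUS_SCHEMES)


def find_active_content(svg_text):
    """Return a list of findings ('element:tag', 'handler:tag@attr', 'url:tag@attr')."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"handler:{tag}@{name}")
            elif _attr_is_active(name, value):
                findings.append(f"url:{tag}@{name}")
    return findings


def strip_active_content(svg_text):
    """Return a serialized copy of the SVG with active elements and attributes removed."""
    root = ET.fromstring(svg_text)
    # ElementTree has no parent pointers, so build a child -> parent map first.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):
        if _local(elem.tag) in ACTIVE_ELEMENTS and elem in parent_of:
            parent_of[elem].remove(elem)
    for elem in root.iter():
        for attr in list(elem.attrib):
            if _attr_is_active(_local(attr), elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample inputs (not real files from the incident described in the article).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
SUSPECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    'onload="/* constructed placeholder */">'
    '<script>/* constructed placeholder: script inside an image file */</script>'
    '<a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, find_active_content(doc))
    print("sanitized:", strip_active_content(SUSPECT_SVG))
```

The sensible policy for an upload endpoint is reject-or-rasterize rather than strip-and-serve: a stripped file is still attacker-authored XML, while rendering it server-side to a PNG removes the question entirely. The checker is still useful as a detection signal, since a legitimate user photo has no reason to contain a `script` element at all.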

Clicking that photo opens a page in the user’s browser that looks like a YouTube video playing in Google Chrome. It isn’t: it’s actually a hoax site that tells the user they must install a Chrome extension to view the video.

It’s unclear exactly what happens from there, except that it hijacks a victim’s browser to send the same fake picture to their own friends. Parys noted that’s all that happened when he tested out the malicious Chrome extension, but another researcher, Peter Kruse, the founder of CSIS Security Group, a cybersecurity firm, has claimed it spreads Locky, a common strain of ransomware.

A person with knowledge of how Facebook addresses this problem told Vocativ they had been aware of criminals trying to hijack computers via fake .svg files for several months, and that the company’s security team had been actively combatting it.

Facebook, however, denied that the .svg files were actually used to deliver ransomware. “In our investigation, we determined that these were not in fact installing Locky malware,” a company spokesperson said in a statement issued Monday.

Facebook has blocked links to the fake YouTube site and informed Google of the bogus extensions, a person with knowledge of the situation said. It’s entirely possible, however, that unless Facebook stops allowing .svg files to be embedded at all, criminals will continue to find ways to exploit them on the site.