Is ransomware targeting Facebook Messenger users?

CheckPoint says it's found ransomware, but Facebook disagrees

A phishing campaign could be distributing ransomware through Facebook Messenger and LinkedIn, according to security firm Check Point, but Facebook has denied this is the case.

Affected users receive a jpeg image file through Facebook Messenger, which appear as a file preview, not an attachment. If they click on the image, they are asked to select a directory in which to download the file. The scam, dubbed ImageGate, embeds the malware into the file, the research firm said.

Advertisement - Article continues below

CheckPoint claimed that double clicking on the saved file releases Locky ransomware, which encrypts files on users' devices, and only grants access after they pay a ransom, though Facebook said the files only lead to bad Chrome extensions. 

In a post about these attacks, Check Point researchers Roman Ziakin and Dikla Barda wrote: "In the past week, the entire security industry is closely following the massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign."

The post adds: "As more people spend time on social networking sites, hackers have turned their focus to find a way into these platforms. Cyber criminals understand these sites are usually 'white listed', and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities."

Advertisement
Advertisement - Article continues below

With Locky, there is no way of decrypting files without paying the ransom. Its creators also recently switched to a different encryption extension (.zzzzz), that prompts a different downloader and is harder for an antivirus to detect.

Advertisement - Article continues below

However, IT Pro understands the impact of ImageGate on Messenger users is very limited, and Facebook said it is already blocking the extensions it says these files lead to.

A Facebook spokesperson said: "We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware - rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties."

Picture credit: Facebook

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now
Advertisement

Recommended

How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
The House of Lords will never bring tech giants to book
IT regulation

The House of Lords will never bring tech giants to book

8 Aug 2020
Twitter, Facebook remove Trump posts containing misinformation
social media

Twitter, Facebook remove Trump posts containing misinformation

6 Aug 2020
Malware attacks using machine identities doubled in 2019
cyber security

Malware attacks using machine identities doubled in 2019

4 Aug 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
Police use of facial recognition ruled unlawful in the UK
privacy

Police use of facial recognition ruled unlawful in the UK

11 Aug 2020