Malware Gambit Uses Facebook, Google Chrome and SVG Images

Written by

Malware is spreading via Facebook, through messages that contain only an image.

According to security researcher Bart Blaze, the images have an extension for Scalable Vector Graphics (SVG), an XML-based vector image format for two-dimensional graphics, with support for interactivity and animation. This means that someone can embed any type of content, and any modern browser will be able to open the file.

It was also able to make it through Facebook’s filter—something that the social network has now fixed.

“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image had been sent automatically, effectively bypassing Facebook's file extension filter,” Blaze said.

If a user clicks on it, he or she is redirected to a fake YouTube site in the Chrome browser, which pops up the message, "You must install the codec extension to watch this video."

That extension, which was in the Chrome store and thus evidently bypassed Google’s vetting process as well, is in reality the Nemucod downloader, which harvests credentials and is capable of spreading malware.

One security researcher got ransomware as an ultimate payload, tweeting:


Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged as .svg file. Bypasses FB file whitelist.

Blaze notified the Facebook and Google Chrome security teams; Facebook is now filtering for SVG files, and the rogue Chrome extension was removed from the store.

Anyone affected should remove the malicious extension from their browser, run an antivirus scan and change the Facebook password afterwards. People should also notify any friends who received a malicious file from them.

“As always, be wary when someone sends you just an 'image'—especially when it is not how he or she would usually behave,” Blaze said. “Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen.”

Photo © rvisoft/

What’s hot on Infosecurity Magazine?