
Image obfuscation script may be behind a huge phishing campaign on Facebook


November 25, 2016

Security firm Checkpoint has discovered what appears to be some type of image obfuscation scheme that it thinks could be behind a recent phishing campaign of massive proportions on Facebook that's distributing the nasty 'Locky' ransomware.

Checkpoint hasn't yet released any technical details as the security vulnerability it relies on still impacts both Facebook and LinkedIn, among other unnamed internet properties.

The security bug as described is ultimately of little risk to IT industry readers who know better, but unsuspecting people who can easily be tricked into downloading and running malicious executables are at risk.

The attack is also significant in that it breaks Facebook's security controls. In a proof-of-concept video by Checkpoint researchers Roman Ziakin and Dikla Barda, an attacker is shown exploiting the security hole by sending a .jpg image file through Facebook Messenger.

The victim must click the attachment, an act that generates a Windows save-file prompt asking the victim for the directory into which the file, by now an .hta file, will be downloaded.

Remember that images sent over FB Messenger normally appear as previews, not attachments. The victim must then double-click the saved .hta file to unleash the Locky ransomware.

While the attack is not automated, it does break Facebook's security model and is regarded by Checkpoint as a Facebook misconfiguration.
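The chain described above hinges on a file that looks like an image but is saved and run as an .hta (HTML Application). The following is an added example written for this page, not code from Checkpoint or Facebook, showing the checks a defender can run on a downloaded attachment before anyone double-clicks it: does the final extension belong to a Windows script host, is an image extension used to mask a script extension (e.g. photo.jpg.hta), do the leading bytes match the image format the name claims, and does the content carry HTA or script markup. The sample byte strings are constructed for illustration and are not from the real campaign.

```python
import os
import re

# Magic-byte signatures for the image formats a chat client would normally preview.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that Windows hands straight to a script host on double-click (mshta.exe for .hta).
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Markup typical of an HTML Application: an hta:application element or an inline script block.
HTA_MARKERS = re.compile(rb"<\s*hta:application\b|<\s*script\b", re.IGNORECASE)


def extensions_of(name):
    """Return every extension of a file name, lowercased: 'a.jpg.hta' -> ['.jpg', '.hta']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def analyze_bytes(name, data):
    """Return a list of findings for a file name plus its leading bytes (empty means clean)."""
    findings = []
    exts = extensions_of(name)
    final_ext = exts[-1] if exts else ""

    # 1. The extension Windows will actually act on is a script-host extension.
    if final_ext in SCRIPT_EXTENSIONS:
        findings.append(f"executable script extension {final_ext}")

    # 2. Double extension where an image extension hides a script extension (photo.jpg.hta).
    if len(exts) > 1 and exts[-2] in IMAGE_SIGNATURES and final_ext in SCRIPT_EXTENSIONS:
        findings.append(f"image extension {exts[-2]} masks script extension {final_ext}")

    # 3. The name claims an image format but the bytes do not start with that format's signature.
    if final_ext in IMAGE_SIGNATURES:
        if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[final_ext]):
            findings.append(f"content does not match {final_ext} signature")

    # 4. HTA / script markup in the first few KB regardless of what the name says.
    if HTA_MARKERS.search(data[:4096]):
        findings.append("HTA/script markup in content")

    return findings


def analyze_file(path, max_bytes=4096):
    """Read the head of a file on disk and run the same checks."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    return analyze_bytes(os.path.basename(path), data)


# Constructed samples for demonstration (not material from the Checkpoint research).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
SAMPLE_HTA = (b'<html><head><hta:application id="demo"></head>'
              b"<body><script>/* constructed placeholder */</script></body></html>")

if __name__ == "__main__":
    for name, data in [("vacation.jpg", SAMPLE_JPEG),
                       ("vacation.jpg.hta", SAMPLE_HTA),
                       ("photo.jpg", SAMPLE_HTA)]:
        print(name, analyze_bytes(name, data) or "clean")
```

The signature check catches the case the article describes even when the double extension is hidden by Explorer's "hide extensions for known file types" setting, because it looks at the bytes rather than the name; the markup check catches the same payload if it is renamed to something outside the image list.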

Let's all hope that Facebook fixes this big security flaw real soon. It already warns users who open a browser JavaScript console, to protect them against pasting malicious code.

Checkpoint's own people say the attack is useful because Facebook is a popular site. "As more people spend time on social networking sites, hackers have turned their focus to find a way into these platforms," asserted Ziakin.

"Typically, cyber criminals understand these sites are usually whitelisted, and for this reason, they are constantly searching for new techniques and innovative methods to utilize social media as hosts for their malicious activities," he added.

But those users who do open the .hta file will unleash one of the worst ransomware variants in mass circulation this year, encrypting their local files in a way that leaves backup restoration or ransom payment as the only options available to them.

To date, there is no known or efficient decryption method for Locky, and most victims will find their backup files deleted as well, unless those backups are stored on removable media.

Worse, it's safe to assume that Locky is under active development in the hacker community. Its authors have recently switched to the .zzzzz encrypted file extension with a new downloader that has lower antivirus detection rates, so people have to be really careful about this all the time.

Source: Checkpoint Security.

Copyright © Internet Security.ca