Is ransomware targeting Facebook Messenger users?

CheckPoint says it's found ransomware, but Facebook disagrees

A phishing campaign could be distributing ransomware through Facebook Messenger and LinkedIn, according to security firm Check Point, but Facebook has denied this is the case.

Affected users receive a jpeg image file through Facebook Messenger, which appear as a file preview, not an attachment. If they click on the image, they are asked to select a directory in which to download the file. The scam, dubbed ImageGate, embeds the malware into the file, the research firm said.

CheckPoint claimed that double clicking on the saved file releases Locky ransomware, which encrypts files on users' devices, and only grants access after they pay a ransom, though Facebook said the files only lead to bad Chrome extensions. 

In a post about these attacks, Check Point researchers Roman Ziakin and Dikla Barda wrote: "In the past week, the entire security industry is closely following the massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign."

The post adds: "As more people spend time on social networking sites, hackers have turned their focus to find a way into these platforms. Cyber criminals understand these sites are usually 'white listed', and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities."

With Locky, there is no way of decrypting files without paying the ransom. Its creators also recently switched to a different encryption extension (.zzzzz), that prompts a different downloader and is harder for an antivirus to detect.

However, IT Pro understands the impact of ImageGate on Messenger users is very limited, and Facebook said it is already blocking the extensions it says these files lead to.

A Facebook spokesperson said: "We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware - rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties."

Picture credit: Facebook

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Google, Facebook fined €210 million for making it difficult for users to reject cookies
Policy & legislation

Google, Facebook fined €210 million for making it difficult for users to reject cookies

6 Jan 2022
Meta makes 2FA mandatory for high-risk users
two-factor authentication (2FA)

Meta makes 2FA mandatory for high-risk users

3 Dec 2021
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021

Most Popular

Google Cloud to open new office in Pune, India
Cloud

Google Cloud to open new office in Pune, India

24 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022