How Your Facebook Photos Could Give You Malware

What do Leslie Jones, 500 million Yahoo accounts, America's voting system, Mark Zuckerberg, and your iPhone (probably) all have in common? Hackers. Hacking and security breaches blew up into a bigger deal than ever in 2016, to the point that practically every fortnight, there's news of another near-catastrophic breach in security.

Now, the latest scare comes from a security group called Check Point, which found that, potentially, images on LinkedIn and Facebook could be exploited to put malicious code on your computers. No official cases have been reported or confirmed by Facebook or LinkedIn yet, though Check Point notified them of the vulnerability in September.

It'd work like this...

According to Check Point, a corrupted image file would download to a user's computer, which unbeknownst to them would contain the notorious "Locky" ransomware. The unsuspecting user could then open the file, which would then trigger the release of the ransomware and install Locky. Locky is a malware released in early 2016, and is typically delivered via email, in Microsoft Word documents. Once installed, it will encrypt files and directories on a victim's computer and demand payment of about half a Bitcoin, or $365.

Digital security firm Malwarebytes conducted an analysis on Locky earlier this year, concluding "it is well prepared, which means that the threat actor behind it has invested sufficient resources for it, including its mature infrastructure." It hit a Kentucky hospital for medical data back in July. Shit is scary.

But using Locky through images is entirely new, and potentially even scarier. Check Point even referred to its findings as ImageGate.

That said, Facebook and LinkedIn aren't fretting over it

Facebook, for its part, denied any vulnerability to Ars Technica, and also denied the tie to Locky. Instead it blames bad Chrome extensions. Here's the company's full statement:

This analysis is incorrect. There is no connection to Locky or any other ransomware, and this is not appearing on Messenger or Facebook. We investigated these reports and discovered there were several bad Chrome extensions, which we have been blocking for nearly a week. We also reported the bad browser extensions to the appropriate parties.

After Thrillist reached out to LinkedIn, a spokesperson provided us with this:

We investigated this report and believe this method is not especially effective. While we have not found any exploitation of our platform using this vulnerability, we are taking additional steps to ensure our members are protected.

LinkedIn did not comment when asked what those "additional steps" were. Of course, though the social media companies claim to be secure, it doesn't help you much if you actually find yourself at the mercy of potentially having downloaded malware to your computer.

What to do if you think you have malware

No matter where the problem comes from, it's important to understand that malware and threats to your digital security are everywhere these days, from 10 million devices in China to Zuck's webcam. It pays to be vigilant.

The best possible thing you can do is never open a suspicious file you don't recognize. Especially if you know it to be an image file with a wonky extension, like SVG, HTA, or JS -- though Check Point reported some JPGs and PNGs were also compromised. Additionally, Naked Security has compiled a good list of Locky-specific prevention measures. Use 'em, even if it isn't Locky.

Whether the vector in this case was actually Facebook, LinkedIn, or a dumb Chrome extension you downloaded to take screenshots, Check Point's statement is still a helpful one: "Cyber criminals understand [social media] sites are usually 'white listed,' and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities."

The more trust you place in something, the easier it is to burn you with it.

H/T: Ars Technica

Sign up here for our daily Thrillist email, and get your fix of the best in food/drink/fun.

Eric Vilas-Boas puts zero faith in the machines he uses to read and write things for mass consumption, but goddamn, does he love hiking.