Facebook spam caught delivering Locky ransomware

News by Max Metzger

Over the weekend two security researchers spotted a Facebook spam campaign delivering Nemucod as well as Locky ransomware

A Facebook spam campaign has been found distributing Nemucod and Locky ransomware. The campaign was discovered by security researchers Bart Blaze and Peter Kruse when the pair saw spam being distributed over the Facebook instant messaging system over the weekend of 19 November.

The campaign itself is nothing new. It hijacks accounts when users click on an SVG image, activating the scam. An SVG image was apparently chosen because the format is XML based and allows script to be embedded directly in the image file.

The SVG image links to a website which impersonates YouTube and prompts users to install an extension on their computer which asks for permission to “read and change all your data on the websites you visit”. Researchers believe it is through that extension that the scam takes control of victims' Facebook accounts.
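A defender-side check for the trait the lure depends on, namely that an SVG file can carry script and links rather than just drawing instructions. This is an added example, not code from the article or from the researchers named in it; the two SVG samples are constructed here for illustration and the placeholder domain is invented.

```python
"""Flag SVG files that contain active content (script, event handlers, links)."""
import re
import xml.etree.ElementTree as ET

# Sample inputs constructed for this example: a plain icon and a lure-shaped file.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4"/></svg>'
)
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* constructed placeholder: a lure would put its redirect here */</script>
  <a xlink:href="https://video-lure.example.invalid/"><rect width="10" height="10"/></a>
</svg>"""


def _local(qualified_name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified_name.split("}", 1)[1] if "}" in qualified_name else qualified_name


def svg_findings(svg_text):
    """Return a sorted list of reasons an SVG should be treated as active content.

    The stdlib parser does not resolve external entities, but for hostile input
    in production use defusedxml to also guard against entity-expansion bombs.
    """
    findings = set()
    root = ET.fromstring(svg_text)
    for element in root.iter():
        name = _local(element.tag)
        if name in ("script", "foreignObject"):
            findings.add(f"element:{name}")
        for attr, value in element.attrib.items():
            attr_name = _local(attr)
            if attr_name.lower().startswith("on"):      # onload, onclick, ...
                findings.add(f"handler:{attr_name}")
            if attr_name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.add("javascript-url")
            if attr_name == "href" and re.match(r"https?://", value, re.I):
                findings.add(f"external-link:{value}")
    return sorted(findings)


def is_suspicious_svg(svg_text):
    """True when the file should be blocked or sandboxed rather than rendered inline."""
    return bool(svg_findings(svg_text))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, svg_findings(sample))
```

A gateway that treats any non-empty result as grounds to quarantine the file, or to serve it as a download rather than an inline image, removes the delivery channel this campaign used.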

Once an account is hijacked, it will then send on the same lure to all of that account's friends, spreading the infection as widely as possible.

Scams of this type are not uncommon and are often relatively benign compared to what this particular campaign offered.

Kruse and Blaze spotted the campaign separately, seeing that it downloaded not only Nemucod, a malware downloader, but also Locky ransomware, a family which has been raising hell since the beginning of this year, notably being the ransomware that infected Hollywood Presbyterian Medical Centre.

The payload of the campaign could be dangerous, but the lure itself was hardly sophisticated: not only did the attackers not target specific victims, but even those who clicked on the SVG image would have had to install an extension as well, leaving plenty of room for the potential victim to smell something fishy.

The real threat, Fraser Kyne, CTO of Bromium, told SCMagazineUK.com, “comes from the use of Facebook as a vehicle. People are far more likely to click on a link or download something if it looks like it came from a friend.”

“As with most attacks of this ilk, the bad guys just need a handful of their victims to fall for their ploy in order to be successful, and the self-propagating nature of this particular scam will help to ensure it continues to gather momentum even if most people smell a rat from a mile away.”

Facebook has hundreds of millions of users around the world, so even if 99 percent of people sense something wrong, this suspect campaign will have a large pool of potential victims.

Kyne added that the credulous aren't the only ones who should be worried though: “Given that so many users check their Facebook at work, there's a big risk of this attack bleeding through into the enterprise. The best thing for businesses to do to minimise their risk is to ensure employees are aware of this scam.”
