How Adult Sites Exploit SVG Files for Facebook Likes

In recent days, numerous adult websites have turned to a surreptitious method of boosting their presence on social media, notably Facebook: embedding malicious code in .svg files. The technique lets the sites collect 'likes' without any deliberate action by the user.

SVG (Scalable Vector Graphics) is a standard XML-based format for two-dimensional images that scales to any size without loss of quality. The same XML structure also lets an SVG document carry HTML and JavaScript, which makes the format a potential carrier for malicious code and exposes viewers to attacks such as cross-site scripting and HTML injection.

Unveiling the Covert Clicks

Security researchers at Malwarebytes recently uncovered adult websites serving booby-trapped .svg files. When an unsuspecting user clicks one, the embedded code makes the browser 'like' a promotional Facebook post, boosting the website's visibility.

The investigation found that the JavaScript inside the SVGs was heavily obfuscated with an esoteric encoding known as 'JSFuck'. Once decoded, the script loads a chain of further hidden JavaScript.
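The two properties described above, SVG's capacity to carry script and HTML, and the JSFuck obfuscation of the payload, can both be checked for by a defender before an SVG is served or accepted for upload. The following audit script is an added example, not code from Malwarebytes or from the article; its `audit_svg` function, the 64-character run threshold and the sample documents are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# JSFuck programs use only these six characters; a long unbroken run of them
# inside an SVG is a strong obfuscation signal (threshold is an assumption).
JSFUCK_RUN = re.compile(r"[\[\]()!+]{64,}")


def local_name(tag):
    """Strip the namespace from an ElementTree tag like '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def audit_svg(svg_text):
    """Return a list of findings describing active content in an SVG document.

    Checks: <script> elements, on* event-handler attributes, javascript: URLs
    in href/xlink:href, <foreignObject> (which can carry HTML), and JSFuck-style
    character runs. Parse with defusedxml in production to resist XML bombs.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():  # document order, root included
        name = local_name(el.tag)
        if name == "script":
            findings.append("script element")
        elif name == "foreignObject":
            findings.append("foreignObject (embedded HTML)")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname}")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {aname}")
    if JSFUCK_RUN.search(svg_text):
        findings.append("JSFuck-style obfuscated run")
    return findings


# Constructed samples: a benign SVG and one carrying script, an event handler,
# a javascript: link and a JSFuck-like character run.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
    '<script>' + "[]()!+" * 12 + '</script>'
    '<a href="javascript:void(0)"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, audit_svg(doc))
```

Any non-empty result is reason to reject the file or strip the flagged nodes before it reaches a browser.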

The final payload is a script dubbed Trojan.JS.Likejack, which automatically 'likes' Facebook posts whenever the user is logged in, without their knowledge. "This technique of covertly clicking 'Like' buttons aids adult content promoters," noted Malwarebytes researcher Pieter Arntz.

SVG Exploits: A Recurring Threat

Previously documented malicious uses of the SVG format include a 2023 attack in which pro-Russian hackers exploited a webmail vulnerability, and a phishing campaign that lured users to fake login screens.

Malwarebytes identified multiple adult websites, most of them running WordPress, engaged in this practice. Facebook frequently shuts down the accounts involved under its policies, but the operators re-emerge with new accounts.