Risque SVG Images: The Undercover Agents of Malware

In an unsettling trend, numerous adult websites have been leveraging malware camouflaged within .svg image files to surreptitiously amass likes on Facebook. This digital subterfuge signifies a novel twist in the way unsavory actors are compromising user security.
Scalable Vector Graphics (.svg) is a file format known for its adaptability in rendering two-dimensional images. Unlike raster formats such as .jpg or .png, an .svg file is XML text, so it can be resized without loss of quality. That text-based nature also opens a perilous door: an .svg file can carry embedded HTML and JavaScript (for example in script elements and event-handler attributes), which attackers have abused for cross-site scripting, HTML injection, and denial of service.
Recently, security experts at Malwarebytes uncovered that certain adult sites are embedding compromised .svg files that trigger browsers to unknowingly endorse their content on Facebook. When users click these files, the obscured JavaScript, often obfuscated with techniques such as 'JSFuck', runs and turns the unsuspecting browser into a promoter of the site by issuing a 'like' the user never intended.
The embedded code unfolds in stages, ultimately delivering a malicious script known as Trojan.JS.Likejack. This script silently interacts with the user's Facebook account, clicking 'Like' on designated posts without explicit consent, provided the user is logged in to Facebook in that browser.
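As an added defensive example (not code from the original article or from Malwarebytes), the following Python scanner checks an SVG file for the features that make this class of attack possible: script elements, on* event-handler attributes, javascript: URLs, foreignObject elements that embed HTML, DTD entity declarations (a denial-of-service vector), and long uninterrupted runs of the six characters JSFuck programs are built from. The sample SVGs, the JSFuck-like string, and the run-length threshold are constructed for illustration and are assumptions, not values taken from the article.

```python
import re
import xml.etree.ElementTree as ET

# JSFuck builds every program from only these six characters; a long run
# consisting solely of them is a strong hint of that obfuscation style.
# The 40-character threshold is an assumed heuristic, not a standard.
JSFUCK_RUN = re.compile(r"[\[\]()!+]{40,}")


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []

    # Text-level checks run first so they work even when the XML is malformed.
    for m in JSFUCK_RUN.finditer(svg_text):
        findings.append(f"jsfuck-like run of {len(m.group())} chars at offset {m.start()}")

    # A DTD with entity declarations can be used for entity-expansion DoS
    # (billion laughs); refuse to parse rather than expand it.
    if "<!ENTITY" in svg_text:
        findings.append("DTD entity declaration (refusing to parse; possible entity-expansion DoS)")
        return findings

    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        findings.append(f"unparseable XML: {exc}")
        return findings

    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            findings.append("<script> element")
        if tag == "foreignobject":
            findings.append("<foreignObject> element (embeds HTML)")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()  # handles both href and xlink:href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


# Constructed sample inputs (not real files from the campaign).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="100" height="100" onload="run()"/>
  <a xlink:href="javascript:void(0)"><text>x</text></a>
  <script>[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]]</script>
</svg>"""

ENTITY_SVG = '<!DOCTYPE svg [<!ENTITY a "x">]><svg xmlns="http://www.w3.org/2000/svg">&a;</svg>'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG), ("entity", ENTITY_SVG)):
        print(label, "->", scan_svg(sample) or "clean")
```

In a WordPress-style upload pipeline the same check belongs at upload time: reject or re-rasterize any SVG that produces findings, and serve user-supplied SVGs with a Content-Security-Policy that forbids inline script so that anything that slips through cannot execute.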
Security researchers have traced the misuse of the .svg format to various cybercriminal activities before. In 2023, pro-Russian hackers used .svg tags to exploit cross-site scripting bugs and compromise thousands of webmail services. It is a potent reminder of the exploitative potential lying dormant within this otherwise innocuous file format.
Malwarebytes has flagged numerous WordPress-managed adult sites engaged in this deceptive act, highlighting a recurring challenge for platforms like Facebook. Despite regular shutdowns of dishonest accounts, such perpetrators consistently reappear with renewed vigor under new aliases.