Adult Sites Use Malicious .svg Files to Rack Up Likes on Facebook

Dozens of porn sites are using malware to rack up likes on Facebook. Unlike previously observed methods, these sites now use .svg image files to house the malicious code. The trend represents a more sophisticated approach to manipulating user interaction on social media platforms.
The Scalable Vector Graphics (.svg) format is an open standard for rendering two-dimensional graphics. Unlike .jpg or .png formats, .svg files are XML-based text, which lets them scale without loss of image quality. That same text-based structure, however, allows HTML and JavaScript to be embedded, which attackers can abuse for a range of attacks, including cross-site scripting and HTML injection.
Security firm Malwarebytes recently discovered that these porn sites are seeding booby-trapped .svg files among select visitors. A click on these images causes browsers to register likes for specific Facebook posts surreptitiously.
Unpacking these attacks proved challenging as much of the JavaScript within the .svg files was heavily obscured using a custom version of “JSFuck.” This technique encodes JavaScript into a convoluted wall of text using a minimal set of character types, creating a formidable barrier for analysts.
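As an added illustration, not drawn from the article or from Malwarebytes' analysis, the Python below shows the defender's side of the two points above: an SVG is XML text, so a scanner can walk it and flag the active-content vectors an image has no need for (`<script>` elements, `foreignObject` HTML, `on*` event-handler attributes, `javascript:` links), and it can score inline script text against the six-character JSFuck alphabet as a crude obfuscation indicator before a sanitizer strips those nodes. The sample SVG, its script body and the threshold are constructed placeholders for the example, not the real Trojan.JS.Likejack payload or any known indicator.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Keep the default namespace on re-serialisation so the sanitised file stays a valid SVG.
ET.register_namespace("", SVG_NS)

# JSFuck builds every program from these six characters; a script body made almost
# entirely of them is a strong hint of that style of obfuscation.
JSFUCK_ALPHABET = set("[]()!+")
JSFUCK_THRESHOLD = 0.9  # constructed cut-off for the example, tune on real samples

# Constructed sample: a tiny SVG with an onload handler and an inline script whose
# body is a run of JSFuck-alphabet characters. It is a placeholder, not a payload.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" onload="init()">
  <rect width="10" height="10" fill="red"/>
  <script><![CDATA[ (![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[!+[]+!+[]] ]]></script>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def jsfuck_ratio(text):
    """Fraction of non-whitespace characters drawn from the JSFuck alphabet."""
    body = re.sub(r"\s+", "", text)
    if not body:
        return 0.0
    return sum(ch in JSFUCK_ALPHABET for ch in body) / len(body)


def scan_svg(svg_text):
    """Return (kind, location, detail) findings for active content in an SVG.

    Parsing with the stdlib parser is fine for this demo; on untrusted input at
    scale, prefer defusedxml to guard against entity-expansion attacks.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        name = local_name(el.tag).lower()
        if name == "script":
            ratio = jsfuck_ratio(el.text or "")
            detail = "jsfuck-like" if ratio >= JSFUCK_THRESHOLD else "plain"
            findings.append(("script", name, detail))
        elif name == "foreignobject":
            findings.append(("foreignObject", name, "html-container"))
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                findings.append(("event-handler", f"{name}@{aname}", value))
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-uri", f"{name}@{aname}", value))
    return findings


def sanitize_svg(svg_text):
    """Drop script/foreignObject elements and scripting attributes, return clean XML."""
    root = ET.fromstring(svg_text)
    # ElementTree has no parent pointers, so build the map up front.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        name = local_name(el.tag).lower()
        if name in ("script", "foreignobject"):
            parent = parent_of.get(el)
            if parent is not None:
                parent.remove(el)
            continue
        for attr in list(el.attrib):
            aname = local_name(attr).lower()
            value = el.attrib[attr]
            if aname.startswith("on") or (
                aname == "href" and value.strip().lower().startswith("javascript:")
            ):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print("FLAG", *finding)
    print("after sanitising:", scan_svg(sanitize_svg(SAMPLE_SVG)))
```

The scanner is a triage aid, not a verdict: an SVG that carries a plain `<script>` may be a legitimate interactive graphic, so the useful signals for an upload pipeline are the combination of active content and a high JSFuck ratio, and the safe default for user-supplied images is to serve the sanitised form (or to rasterise) rather than the original.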
Once decoded, the script initiates a download sequence of further obfuscated JavaScript. The final payload contains a known malicious script, Trojan.JS.Likejack, which coerces the browser to secretly like a predefined Facebook post, provided the user is logged into their account.
“This Trojan, also written in JavaScript, performs a silent click on the ‘Like’ button for a page, specifically targeting adult content posts we identified,” explained Malwarebytes researcher Pieter Arntz. He noted the necessity for users to be logged into their Facebook accounts for these malicious activities to succeed. Arntz acknowledged that many users keep Facebook open continuously, facilitating such attacks.
Exploiting the .svg format is not unprecedented. Similar techniques have been employed in the past, as was the case in 2023 when pro-Russian hackers used an .svg tag to exploit a cross-site scripting vulnerability in Roundcube, a widely used webmail service. More recently, a phishing attack leveraged an .svg file to mimic a Microsoft login screen with pre-filled credentials.
Malwarebytes has identified numerous pornographic websites, especially those running on WordPress, that have adopted this tactic of using .svg files to hijack Facebook likes. Despite Facebook’s efforts to shut down complicit accounts, the offenders frequently re-emerge with new profiles and continue the campaign.
Author: Dan Goodin, Senior Security Editor at Ars Technica, specializes in covering malware, computer espionage, and other cybersecurity topics. He can be followed on various platforms such as Mastodon and Bluesky.