Malicious SVG Files Used by Adult Sites to Manipulate Social Media Likes

Numerous adult websites have been using a well-known trick to inflate their Facebook popularity: malware that makes a visitor's browser 'like' their pages without the user's knowledge. What is new is the delivery medium: SVG image files.
The Scalable Vector Graphics (SVG) format, widely used for two-dimensional graphics, differs from formats such as JPG or PNG in that it describes an image as XML text rather than as a grid of pixels, which is why SVG images can be resized without loss of quality. That same property cuts both ways: the text can embed HTML and JavaScript, exposing viewers to attacks such as cross-site scripting, HTML injection and denial of service.
A recent report by the security firm Malwarebytes revealed that certain adult sites were serving tainted SVG files to unsuspecting visitors. Clicking one of these images could covertly generate 'likes' for Facebook posts promoting the site itself.
Analysing the attack was not straightforward: the JavaScript inside the SVG files was heavily obfuscated with a technique known as 'JSFuck', which rewrites JavaScript code using only a few punctuation characters, producing a dense and unreadable block of text.
Once decoded, the script makes the browser fetch a chain of further obfuscated JavaScript stages. The final payload is detected as Trojan.JS.Likejack, a script that makes the browser 'like' particular Facebook posts whenever the user is logged into their Facebook account.
The researcher from Malwarebytes, Pieter Arntz, explained that this Trojan operates quietly within JavaScript, clicking 'Like' buttons on Facebook pages without the user's awareness or approval, particularly targeting adult-content posts. The prerequisite for this to work is that the user must be logged into Facebook, which is a common habit for many.
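To make the two technical points above concrete from the defender's side (that an SVG can carry script, and that the script in this campaign was hidden with JSFuck), here is an added example scanner. It is not Malwarebytes' tooling and not code from the report; it inspects an SVG document for the features a like-hijacking payload needs (a script element, inline event-handler attributes, javascript: links, foreignObject, external script references) and applies a simple heuristic for JSFuck-style obfuscation. The two SVG documents inside it are constructed samples, the script body in the suspicious one is a placeholder string rather than a working program, and the 50-character run threshold is an assumption chosen to avoid flagging ordinary markup.

```python
"""Static scanner for scripting inside SVG documents.

Added example, not Malwarebytes' or Facebook's code.  It flags the features a
like-hijacking SVG needs (embedded script, event handlers, javascript: links)
and uses a simple heuristic for JSFuck-style obfuscation.
"""
import re
import xml.etree.ElementTree as ET

# JSFuck rewrites JavaScript using only the six characters [ ] ( ) ! +.
# Ordinary SVG markup never contains a long unbroken run of just those
# characters, so a run of 50 or more (threshold is an assumption) is a
# strong signal of obfuscated script.
JSFUCK_RUN = re.compile(r"[\[\]()!+]{50,}")


def scan_svg(svg_text):
    """Return a list of findings for one SVG document (empty list = clean)."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        # A file that does not even parse as XML should not be served as an image.
        return ["parse-error: %s" % err]

    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()           # drop the XML namespace
        if tag == "script":
            findings.append("script-element")
            body = re.sub(r"\s+", "", el.text or "")  # JSFuck is often line-wrapped
            if JSFUCK_RUN.search(body):
                findings.append("jsfuck-like-script")
        elif tag == "foreignobject":
            # foreignObject lets arbitrary HTML (and therefore script) be embedded.
            findings.append("foreignObject-element")

        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()        # handles xlink:href too
            if name.startswith("on"):                 # onload=, onclick=, ...
                findings.append("event-handler:" + name)
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript-href")
            elif tag == "script" and name == "href":
                # Script pulled from a remote URL: the "chain of further stages"
                # pattern described in the article.
                findings.append("external-script:" + value)
    return findings


def is_safe_to_serve(svg_text):
    """Policy helper: an SVG with any finding should be rejected or rasterised."""
    return scan_svg(svg_text) == []


# --- constructed samples (not real files from the campaign) ------------------
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="#08c"/>'
    '</svg>'
)

# Mimics the shape of the malicious files: an event handler on the root
# element and a <script> whose body is a JSFuck-style run.  The script text is
# a placeholder made of the six JSFuck characters, not a working program.
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
    '<rect width="10" height="10"/>'
    '<script>' + "[]()!+" * 12 + '</script>'
    '</svg>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc))
```

A site that accepts SVG uploads (the WordPress installations named in the report are one such case) can run a check like this before storing or serving the file; the safer default is to rasterise user-supplied SVGs to PNG, or to serve them only as downloads rather than inline, so that no embedded script ever executes in a visitor's browser.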
Malicious use of the SVG format is not new, but this campaign on adult sites brings renewed attention to its risks. Previously documented cases have used SVG tags in phishing attacks and to exploit vulnerabilities in widely used applications, which had already caused serious concern among security researchers.
Malwarebytes noted that a number of porn sites running WordPress were identified as the culprits, using SVG files for like-hijacking. Facebook diligently removes accounts engaged in such practices, yet the offenders frequently re-emerge under new profiles.