Adult Sites Using SVG Files to Spread Malicious Code

Dozens of adult websites are adopting a familiar yet concerning practice to generate likes on social media platforms like Facebook. By embedding malicious code within .svg files, these sites trick users into endorsing their content unknowingly.

The Scalable Vector Graphics (SVG) format, an open standard for two-dimensional vector graphics, uses XML-based text for defining how images render. Unlike other common image formats, SVG allows for resizing without quality loss but can also embed HTML and JavaScript, raising the risk of exploitation.

The Silent Clicker Conundrum

Malwarebytes, a prominent security firm, recently uncovered cases where pornographic websites used SVG files laced with concealed JavaScript. These scripts were heavily obscured using a method known as 'JSFuck,' producing a complex string of text to hide their intentions.

Once the encoded script is activated, it triggers the download of more hidden JavaScript. The final payload, identified as Trojan.JS.Likejack, makes unauthorized "likes" on Facebook posts, effectively spreading the malicious content as long as the user is logged into their Facebook account.

Instances of SVG files being exploited for malicious purposes have surfaced before. In 2023, for example, hackers exploited SVG files to perform cross-site scripting attacks on webmail services affecting millions of users. Similar tactics were also used in phishing schemes involving fake login pages.

Malwarebytes reported that numerous adult sites, primarily using WordPress, exploit this method to amass social media credibility illicitly. Although Facebook attempts to curb such activity by disabling compromised accounts, perpetrators often return with new identities.