Poison .JPG spreading ransomware through Facebook Messenger

Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that's distributing the dangerous Locky ransomware. The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties. The …

  1. Christian Berger

    Facebook spreading ransomware...

    ...a company that earns its money by taking social relations hostage spreads software made by people who take files hostage.

    1. Halfmad

      Re: Facebook spreading ransomware...

      Garbage, nobody has to use Facebook, I don't.

      1. Pascal Monett Silver badge

        Re: Garbage, nobody has to use Facebook, I don't.

        You probably don't smoke crack either, I gather. Unfortunately, that does not prevent crack addicts from existing.

        1. Anonymous Coward

          Re: Garbage, nobody has to use Facebook, I don't.

          Like Facebook users they brought their suffering on themselves. Or wasn't that the point you were attempting to make?

  2. Anonymous Coward

    I question this statement

    While the attack is not automated, it does break Facebook's hypervigilant security model and is fairly regarded by Checkpoint as a Facebook "misconfiguration".

    Let's not repeat their marketing statements, shall we? FB's security is at best vigilant, and only then when it directly affects their income.

    Meanwhile, allow me to express surprise at the fact that it's the 21st century, yet we still have a problem with poisoned JPGs..

    1. Anonymous Coward

      Re: I question this statement

      It's not a poisoned JPG, it's a .hta file that the user is blagged into downloading.

      1. Dan 55 Silver badge

        Re: I question this statement

        Given the few details that are given it could be either.

      2. kend1

        Turn it off

        For friends/parents who rely on you for "computer stuff".

        Control Panel -- Default programs -- Set Associations. Scroll down and click on ".hta HTA File". Click the button "Change program". Change "current default" from MS browser to Notepad.

        1. Anonymous Coward

          Re: Turn it off

          Good idea, though getting Silver Surfers to switch to iPads eliminates most 'support calls'.

          1. Kiwi
            Joke

            Re: Turn it off

            Good idea, though getting Silver Surfers to switch to iPads eliminates most 'support calls'.

            To you anyway.. Calls to the local hitmen, however, are likely to increase after you dump one of those things on them!

      3. Anonymous Coward

        Re: I question this statement

        Indeed, here's what the poison.jpg itself might look like.

        It's perfectly safe to click unless you're allergic to hairspray....

      4. JLV

        Re: I question this statement

        I do wonder what an HTA file could possibly be useful for, malware aside, in 2016. Is this another hidden extension trick? This from a company where I can't open my own Excels without it warning me that the trivial macros I wrote myself are a risk? Txs, MS.

    2. werdsmith Silver badge

      Re: I question this statement

      Facebook is an ideal target due to the fact that its typical user is vacuous, gullible and as thick as shit.

    3. Destroy All Monsters Silver badge

      Re: I question this statement

      "Hypervigilance" is actually a psychological condition linked to PTSD and demands a period of psych healing.

      Probably NOT what we are talking about here, which is likely to just be "only one donut in the morning"

    4. Kiwi
      Joke

      Re: I question this statement

      Meanwhile, allow me to express surprise at the fact that it's the 21st century, yet we still have a problem with poisoned JPGs..

      Even more surprising.. It's almost 2017 and people still run Windows!

      1. Carl D

        Re: I question this statement

        "Even more surprising.. It's almost 2017 and people still run Windows!"

        Oh, it's perfectly safe to run Windows (7 in my case) at any time.

        As long as it isn't allowed to go online. Ever. That's what I have Linux Mint for.

        As for Facebook - I've had 3 accounts over the past 5 years (the last one was nearly 2 years ago) and the longest that any of them lasted was about a month.

        1. Kiwi
          Linux

          Re: I question this statement

          Oh, it's perfectly safe to run Windows (7 in my case) at any time.

          Ah Win 7.. Best of a generally bad bunch.. (Though I do use 7 from time to time myself when I .. er... Actually, I'm running out of reasons to run it.. I install it from time to time to remind me what a horrible ordeal that is - hours to install (Linux 10-20 mins), days to get up to date (Linux, depends on your download speed and how old your install media is but generally 10-20 mins, maybe an hour for slow net and ancient ISO).

          As long as it isn't allowed to go online. Ever. That's what I have Linux Mint for.

          Well, that would kill my updating woes at least. And need for AV. Maybe..

          As for Facebook - I've had 3 accounts over the past 5 years (the last one was nearly 2 years ago) and the longest that any of them lasted was about a month.

          Heh, I can do you several better there. I've had a number of accounts, none in my name (why would I want that pain?). At least half a dozen (since I use throwaway emails and forgettable passwords etc). Each and every account has been logged in to once, to find a specific person. Then forgotten about.

  3. Destroy All Monsters Silver badge
    Windows

    Hear, Hear!

    "Checkpoint's chaps says the attack is useful because Facebook is a trusted asset."

    Nasty commentard-baiting there, El Reg.

    We are starting to wise up to your tricks!!

    1. Fruit and Nutcase Silver badge
      Pint

      Re: Hear, Hear!

      @Destroy All Monsters

      F##k [Like], have a beer

  4. Anonymous Coward

    Only options?

    "that leaves backup restoration or ransom payment as the only options available to them"

    Or data abandonment. Treat it like you never had that data in the first place. Obviously not all data is suitable for such treatment, but 2 of the cases I've had to clean up after have chosen that route.

  5. Michael Habel

    Dies this affect Mobiles? (By which I mean Android).

    1. John 78

      Not Android or iOS, HTA files are Windows only.

    2. Michael Habel

      *Does life sucks when you have English, and German languages installed, and you weren't paying attention to which ones in use.

      1. Anonymous Coward

        "Does life sucks when you have English, and German languages installed, and you weren't paying attention to which ones in use."

        I agree, it's a pain in the asselspinnen.

  6. Anonymous Coward
    Facepalm

    Poison .JPG spreading ransomware through Microsoft Windows

    Is there a contest at elReg as to how to talk about malware without mentioning Microsoft windows? ref

    1. sabroni Silver badge
      Facepalm

      Re: Poison .JPG spreading ransomware through Microsoft Windows

      It's not a JPEG.

      1. find users who cut cat tail

        Re: Poison .JPG spreading ransomware through Microsoft Windows

        > It's not a JPEG.

        And?

        See the article title...

        1. Anonymous Coward

          Re: Poison .JPG spreading ransomware through Microsoft Windows

          And here I was thinking "It's not a JPG, it's a poisoned TIFF with a .JPG extension". Nope, nothing so sophisticated.

          Oh, libtiff 4.0.7 has been released, FINALLY closing those particular TIFF exploits. Linux updates are in the pipeline. Loads more ImageMagick security patches as well.

  7. bombastic bob Silver badge
    Facepalm

    why couldn't Face-*BLANK* just scan file types and filter?

    I have to wonder, with all of the malicious uploading going on...

    why couldn't Face-*BLANK* just scan the file types and filter things that don't match?

    In other words, if it's not a JPEG that 'follows the rules' (no buffer overrun sploits embedded, no ZIP file or embedded HTA or anything else it's not supposed to have), then just REJECT it and say "your file needs to be reformatted" or something.

    How hard would THAT be? OK sorry for being intelligent about it, we're talking Face-*BLANK* ...

    not hard to do in the POSIX world - just use the 'file' command.

    1. Kiwi
      Facepalm

      Re: why couldn't Face-*BLANK* just scan file types and filter?

      How hard would THAT be? OK sorry for being intelligent about it, we're talking Face-*BLANK* ...

      not hard to do in the POSIX world - just use the 'file' command.

      Not hard at all. With very few exceptions (eg plain text), file formats have specific start or end byte sequences to identify them. I remember writing code to check for this stuff under the Maximus BBS's (well, I think it was actually a separate .exe or .com) that was called after an upload from a user, checked if the file start/end sequence fitted the range for the specific extension, and rejected/flagged the file if it was outside accepted parameters.

      Probably the whole exe was in under 20kb size, and a config file of about the same with file extensions and start/end sequences. Took microseconds to run on a 386.
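As an added example (not code from the article, from bombastic bob or from Kiwi), here is a small Python version of the start/end-sequence check Kiwi describes, extended with bob's rule of rejecting an "image" that carries an embedded ZIP or HTA marker. The signature table, the marker list and the sample uploads are all constructed for illustration.

```python
"""Magic-byte validator for uploads: check that the bytes match the claimed
extension at both ends and carry no container/script marker in between."""
from dataclasses import dataclass

# Start and end byte sequences per allowed extension (constructed table).
SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff", b"\xff\xd9"),                 # SOI ... EOI
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png":  (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),  # header ... IEND+CRC
    "gif":  (b"GIF8", b"\x3b"),                             # GIF87a/89a ... trailer
}

# Hypothetical policy list: byte strings an image body has no reason to contain.
FORBIDDEN_MARKERS = [b"PK\x03\x04", b"<hta:application", b"<script"]


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_upload(data: bytes, filename: str) -> Verdict:
    """Accept only files whose bytes agree with their extension end to end."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        return Verdict(False, f"extension .{ext} is not on the allow list")
    start, end = SIGNATURES[ext]
    if not data.startswith(start):
        return Verdict(False, "header does not match the claimed type")
    # Anything appended after the format's terminator (or a truncated file)
    # fails the end-of-file check, which is the half Kiwi's BBS checker added.
    if not data.endswith(end):
        return Verdict(False, "file does not end with the expected trailer")
    body = data[len(start):-len(end)]
    for marker in FORBIDDEN_MARKERS:
        if marker in body:
            return Verdict(False, f"forbidden marker {marker!r} inside image data")
    return Verdict(True, "signature and trailer match the extension")


# Constructed sample uploads, all claiming to be cat.jpg.
GOOD_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
RENAMED_HTML = b"<html><hta:application id=x></html>"          # script with .jpg name
JPEG_WITH_ZIP = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"PK\x03\x04" + b"\x00" * 8 + b"\xff\xd9"
TRAILING_DATA = GOOD_JPEG + b"appended bytes"                     # payload after EOI

if __name__ == "__main__":
    for name, blob in [("good", GOOD_JPEG), ("renamed", RENAMED_HTML),
                       ("zip", JPEG_WITH_ZIP), ("trailing", TRAILING_DATA)]:
        print(name, check_upload(blob, "cat.jpg"))
```

Only the well-formed JPEG passes; the other three samples are rejected for header, embedded-marker and trailer reasons respectively.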

  8. Fruit and Nutcase Silver badge
    Thumb Down

    Trusted asset

    Checkpoint's chaps says the attack is useful because Facebook is a trusted asset.

    Trust Facebook/Zuckerberg?

    [UnLike]

  9. DougW
    Thumb Up

    Failbork users. No real loss.

  10. Darth.0

    FB, Windows or dumb users?

    As evil as both FB and Windows are, this is just another example of "you just can't cure stupid". Who the f*ck clicks on a link and downloads things to their PCs from FB or LinkedIn? I don't care who the message is from, whenever I see something come in with any one of the various catch lines like "Hey, check this out!" or "I want to f*ck your brains out", I immediately delete it. How many times have people been told not to open suspicious emails or to download attachments and they still do it and wreak havoc on their networks?

    </soapbox>

  11. EJ

    "Checkpoint"...

    Any relationship to Check Point, the firewall security company?
