Facebook Messages May Harbour Scams, Ransomware

By John Lister

Facebook users have been warned to watch out for bogus links in messages that appear to be from friends. While Facebook appears to be on top of the problem for now, it's an approach that could lead to personal data being siphoned off, or computers locked.

The problem was highlighted by security researcher Bart Parys, who learned of it this weekend after a tip-off from a friend. It involves Facebook messages that appear to consist only of an image but are actually a type of file called SVG (scalable vector graphics).

'YouTube' Video Next Step In Scam

Normally such files are used for interactive and animated graphics on the web, but in this case the format is being used to hide code: an SVG file is an XML document, and it can carry embedded script and links just as an HTML page can. Here that code opens a bogus version of YouTube in the user's browser. The fake site looks as if it is trying to play a video, and then asks the user to install a browser extension in order to continue.

Exactly what the browser extension does varies from report to report. In one case, a Chrome user was prompted to install the "One" extension in Google Chrome, with the warning that it could "read and change all your data on the websites you visit." This means the extension could potentially collect passwords and other data. Other reports say victims have had ransomware known as "Locky" appear on their computer and demand payment to unlock files. (Source: blogspot.co.uk)

The code also appears to cause the Facebook account to pass on the message with the bogus link to all of the user's Facebook friends.
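A defender-side check of the kind Facebook applied to its messaging, added here as an example (not the article's or Facebook's own code): it parses an SVG as XML and reports script elements, event-handler attributes, javascript: links and external references, so a file that is not a plain picture can be held back. The function names and the two sample SVGs are constructed for the demonstration.

```python
"""Flag SVG files that carry active content before they are passed on.
Added example; uses only the standard library. For untrusted input at
scale, parse with defusedxml.ElementTree instead to block entity-expansion
attacks that xml.etree does not guard against."""
import xml.etree.ElementTree as ET


def _local(tag):
    # strip the "{namespace}" prefix ElementTree puts on qualified names
    return tag.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        name = _local(elem.tag).lower()
        if name in ("script", "foreignobject", "iframe", "embed"):
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr).lower()        # handles both href and xlink:href
            v = value.strip().lower()
            if aname.startswith("on"):          # onload=, onclick=, ...
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and v.startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
            elif aname == "href" and v.startswith(("http://", "https://", "//")):
                findings.append(f"external reference on <{name}>: {value}")
    return findings


def is_safe_svg(svg_bytes):
    return not svg_findings(svg_bytes)


# Constructed samples: a plain picture, and one shaped like the bait described above
# (script plus a link out to a fake video page; the script body is an inert comment).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
BAIT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="start()">'
            b'<script>/* would open the fake video page */</script>'
            b'<a xlink:href="https://fake-video.example/watch"><rect width="10" height="10"/></a>'
            b'</svg>')

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SVG), ("bait", BAIT_SVG)):
        print(label, "->", svg_findings(data) or "no active content")
```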

Facebook Takes Action

Facebook responded to the news by changing its settings to automatically filter out messages that contain SVG files. It has also told browser manufacturers about the bogus extensions. (Source: telegraph.co.uk)

The methods of attack are much the same as malware distributors have used for many years, but taking advantage of Facebook could be much more effective than the typical email approach. That's because Facebook users may be more willing to open an unsolicited file that appears to come from a friend inside a web browser than they would be to open, for example, an email attachment.

It's also very possible the average Facebook user has more personal contacts on the site than in their email address books, meaning more people might trust the source, thus in turn spreading the threat more quickly.

What's Your Opinion?

Does Facebook do enough to warn users about unsolicited messages? What steps do you take to protect against such attacks? Do you double-check with contacts before opening files or clicking on links that they appear to have sent you?



Dennis Faas:

It's good to see Facebook able to mitigate the threat quickly - kudos to them. However, threats like this will continue to exist from now until the end of time, so don't expect it to be the last one. Instead you can expect more twists on the same thing - similar to how the Microsoft Indian Tech Support scammers operate.

doulosg:

Does Facebook do enough to warn users? The article says, "Facebook users have been warned to watch out for bogus links..." Have we? When? I have never received a communication from Facebook about this subject, at least not specifically and recently enough to associate it with this situation. So, No. Facebook does not do enough. From my perspective, it does nothing (relative to warning users). ;)

Dennis Faas:

Most likely the warnings are coming through media outlets, in which case the message is simply perpetuated throughout the web (similar to what this article is doing). There doesn't seem to be an official Facebook "warning" page of scams alerting users, or warnings that I see posted on their site (on my wall, for example), or emails I've received from Facebook detailing any scams - so you're definitely right about that. In the latter case, such emails would likely be spoofed, hence the reason why you'll never see an official 'warning'.

matt_2058:

I don't see how they can't inform users directly and immediately, even though I don't use Facebook. Sure, email warnings will get spoofed like everything else. But what better way to contact users than directly on the home page, login page, or similar initial contact? Everyone would be notified immediately upon using the site. Even if many are always-logged-in users (like apps), it's still doable. If my bank/isp/??? had an issue, I'd rather they inform me immediately upon using the service than expect other media outlets to get the warning to me whenever.

I've run across a few sites that wanted to install an extension in chrome to accomplish something, but I always close the tab and find another site to get what I'm looking for. I'm usually looking for special unit converters or math stuff. As for extensions...only from https://chrome.google.com/webstore and with what seems like legitimate developers/references.

Dennis Faas:

I'm sure they have a policy on this, but let's think about this for a minute. If you are the owner of Facebook (or a Facebook shareholder) would you want to inform your users on a daily or hourly basis of certain Facebook attacks that are trying to infect users / steal user data on the site - or would you want to simply inform the press and let them redistribute the news? The former will surely scare people away from using the site resulting in abandonment and further uproar, whereas the latter seems more of a polished turd approach. I'm not trying to defend Facebook and their policies, but saving face (yes pun intended!) is most likely what this is about.