A hot potato: As more websites implement age verification checks, many users are migrating to smaller, less regulated sites unintentionally increasing their risk of encountering malware. Cybercriminals are exploiting this trend by hiding malicious code within SVG image files, which can execute harmful actions on your computer.
As more countries require age verification for adult websites, some smaller sites are resorting to hidden malware schemes to boost their popularity on social media platforms like Facebook. Researchers at Malwarebytes recently discovered that these schemes often use a type of image file called Scalable Vector Graphics (SVG), which can carry harmful code.
SVG files differ from standard image formats like JPG and PNG. They use XML, a form of code that not only renders images but can also include HTML and JavaScript the same languages used to create dynamic websites. This capability allows attackers to hide malware within SVG images. Since many users assume SVGs are just harmless pictures, they don't expect these files to contain security threats.
Here's how the scam works. Adult-themed blog posts often promoting fake or AI-generated celebrity content are shared on Facebook. When users click these links, they may be prompted to download an SVG image. Opening or interacting with this image triggers hidden JavaScript embedded inside the SVG file. Researchers found that the malicious code is obfuscated using a special technique, disguising its true intent by relying on just a few characters and clever coding tricks to evade detection.
Once triggered, the hidden script downloads additional malicious code from related websites. This leads to the installation of malware known as Trojan.JS.Likejack, which secretly forces the user's browser to "Like" specific Facebook posts or pages. These automatic likes help promote the adult content without the user's knowledge, but only if the victim is already logged into Facebook.
Malwarebytes discovered that many pages involved in this campaign are built on WordPress and are interconnected. By generating hundreds of fake "Likes," these posts gain more visibility within Facebook's algorithm, helping scammers promote their sites without paying for ads.
Although Facebook actively tries to shut down these fake profiles, scammers continuously create new ones. The anonymous nature of the internet makes it difficult to completely stop the cycle.
Using SVG files to spread malware is not a new tactic. Attackers have previously exploited them for phishing, scripting attacks, and other hacks. What makes this latest scheme notable is the clever way it conceals harmful code and manipulates social media platforms to boost traffic and visibility.
