Scammers Using Images on Facebook Messenger to Drop Locky Ransomware


Beware of Facebook Messenger Leading to Locky Malware

Facebook Messenger has become a favorite target of cyber-criminals lately since the social network’s messenger service is continuously being targeted with malware scams and phish campaigns.

The latest scam is a proof of that.

According to researchers, a new form of attack has been launched using Facebook Messenger that quickly distributes Locky malware.

Locky belongs to a family of ransomware and one of the most preferred malicious software used by hackers.

The attack was discovered by Bart Blaze, a security researcher and was later confirmed by Peter Kurse, another security expert with extensive experience in investigating cyber-crimes.

To deliver the malware, a downloader called Nemucod is used that helps the ransomwarebypass Facebook security by pretending to be a .svg (scalable vector graphics) image file.

The downloader is delivered through Facebook Messenger.


Use of SVG extension files is becoming a trend nowadays; SVG is based on XML, which allows cyber-criminals to embed any sort of content that they want.

In the current case, it was identified that the culprits have embedded JavaScript.


When accessed, the infected image file directs the victim to a site that seems to be YouTube’s landing page.

But, the site only appears like YouTube and it isn’t the real deal as it is hosted from a different URL.

When this site is loaded, the victim is requested to install a codec so that the desired video could be played. This codec is presented in Chrome extension.

If the victim installs it, the attack is distributed to other contacts of the victim via Facebook Messenger.


At times, the Chrome extension is also used to install Nemucod downloader and it eventually leads the victim to Locky ransomware. Possibly, Nemucod was being distributed as Locky’s payload.

Blaze wrote about the attack in his latest blog post, in which he warns users to remain cautious:

“As always, be wary when someone sends you just an ‘image’ – especially when it is not how he or she would usually behave.”

Both Facebook and Google were notified about the attack. Facebook has released the following statement in response to the discovery:

“We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform.

In our investigation, we determined that these were not, in fact, installing Locky malware—rather, they were associated with Chrome extensions.

We have reported the bad browser extensions to the appropriate parties.”

Also Read: Facebook ‘Comment Tagging Malware’ Spreading via Google Chrome

Facebook and cyber criminals

Facebook is one of the most used and prominent social media in the world.

So much so, the professionals are blaming the giant for negatively influencing recent US elections. This kind of influence is what catches the eyes of cyber criminals.

If you own an account on Facebook watch out for such petty scams and spread the word.


Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.