Facebook Spam Campaign Spreads Ransomware Via SVG Image File

facebook spam campaign

Hackers are now leveraging Facebook Messenger’s trust to spread locky-ransomware via SVG images in a Facebook spam campaign.

The ongoing Facebook spam campaign is the culprit behind the spreading of malware downloader by taking advantage of ‘seem to be’ harmless SVG image file to infect the masses.

The Facebook spam campaign was first spotted by the researcher Peter Kruse and malware expert Bart Blaze.


bluehost® helps big brands scale WordPress.

BlueHost: Get Professional Website Hosting For 3.95/Month

Try BlueHost Now

On his blog post, Bart Blaze wrote, “Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (a .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:”

facebook spam campaign

The SVG image file can embed any content (such as JavaScript) to bypass security filters.


What is SVG?, as mentioned at Wikipedia:

“Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.

SVG images and their behaviors are defined in XML text files. This means that they can be searched, indexed, scripted, and compressed.”


When a victim clicks and opens the malicious SVG file, it redirects him to a malicious website disguised as YouTube and asks to install a chrome extension to play the video.

“A website purporting to be Youtube, with a video from Facebook – of course, you’ll need to install an additional extension to view it,” wrote Bart Blaze.

The malicious chrome extension appears invisible with no icon and has the following permission: “Read and change all your data on the websites you visit.”

Once a victim installs the extension, the attack spreads further and installs a downloader Nemucod which executes the locky-ransomware.

The security researcher, Peter Kruse noticed the similar behavior and got locky-ransomware as a consequence

To remove the malicious extension immediately from your browser, follow these steps:

  1. Open the browser, and click on menu (three-lined option).
  2. Navigate to More Tools > Extensions.
  3. Click the extension you want to remove and click on the ‘trash bin‘ to remove it from chrome.
  4. A notification will appear to confirm the removal of the extension. Click on Remove.

After removing the malicious extension, run a system scan and change your Facebook’s password.

Moreover, notify your friends about this campaign, and ask them if they received a spam message from your end. If you receive the same message from one of your compromised friend’s profile, temporarily block their messages.


bluehost® helps big brands scale WordPress.

BlueHost: Get Professional Website Hosting For 3.95/Month

Try BlueHost Now
Previous articleUK Slams Its Citizens With An Extreme Surveillance Law
Next articleHackers Crashed San Francisco Municipal Railway Systems
Peter Buttler an Infosec Journalist and Tech Reporter, Member of IDG Network. In 2011, he completed Masters in Cybersecurity and technology. He worked for leading security and tech giants as Staff Writer. Currently, he contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Mag, SC Magazine, Tripwire, GlobalSign CSO Australia, etc. His favorite areas Online Privacy, AI, IoT, VR, Blockchain, Big Data, ML, Fintech, etc. You can follow him on twitter.


Please enter your comment!
Please enter your name here