Just two days ago I received three different Facebook messages from three different people about a minute apart. Already intrigued at my newfound popularity, I looked at them and found that each message was exactly the same: a link to an image file. The similarities continued in that the messages were sent by very mild acquaintances, people I’ve spoken to only a couple of times but whom I’ve added as friends on social media just to be nice. Obviously, this was not some sort of practical joke, as, for two of them, this was the very first Facebook message they’d ever sent me.
Fifteen minutes later they each made a public post telling all of their friends to disregard any messages they may have sent, as those messages had not been sent intentionally. We can conclude that they fell unfortunate victim to hackers who were most likely trying to replicate the Myspace Samy worm fiasco, using an image file as the payload.
Have you ever wondered why your email client refuses to show images from new senders and makes you whitelist every single new person who wants to contact you? It isn’t to spare you an unflattering or offensive picture. An image file, which logically shouldn’t carry any script, can still leak personal information into the wrong hands simply by being opened.
First off, it’s important to remember that the more content an email client loads, the wider the attack surface, and the greater the chance of a malicious party gaining access to your information. For example, in October of last year, Talos found a vulnerability in JPEG 2000 handling that allows a cyber criminal to run arbitrary code when a picture is opened. The full details are at this link, but essentially, when the OpenJPEG library, used by many popular PDF renderers, parses the records in a JPEG 2000 file, it can be forced into an out-of-bounds array access. This error, if abused enough times, allows the attacker to execute arbitrary code on the machine, which can include shutting it down or opening files on the drive.
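To make the OpenJPEG point concrete without reproducing the bug itself, here is an added example (not code from this post or from the OpenJPEG project) of what a bounds-checked walk over the record structure of a JPEG 2000 container looks like. JP2 files are sequences of "boxes", each with a 4-byte length and 4-byte type (the layout used below is the real one); the two sample files are constructed here, and the second one carries a box whose declared length is far larger than the data actually present, which is exactly the kind of header a parser has to refuse before it indexes anything.

```python
import struct
from typing import Iterator, List, Tuple


class MalformedJP2(ValueError):
    """Raised when a box header would lead a naive parser past the end of the buffer."""


def iter_jp2_boxes(data: bytes) -> Iterator[Tuple[str, int, int]]:
    """Walk the top-level boxes of a JP2 container, yielding (type, payload_offset, payload_length).

    Each box starts with LBox (4-byte big-endian length, header included) and TBox
    (4 ASCII bytes). LBox == 1 means an 8-byte XLBox length follows; LBox == 0 means
    the box runs to the end of the file. Every length is validated against the buffer
    before it is trusted; skipping that check is what turns a length field into an
    out-of-bounds read.
    """
    size = len(data)
    pos = 0
    while pos < size:
        if size - pos < 8:
            raise MalformedJP2(f"truncated box header at offset {pos}")
        length, box_type = struct.unpack_from(">I4s", data, pos)
        header_len = 8
        if length == 1:
            if size - pos < 16:
                raise MalformedJP2(f"truncated XLBox at offset {pos}")
            (length,) = struct.unpack_from(">Q", data, pos + 8)
            header_len = 16
        elif length == 0:
            length = size - pos
        if length < header_len:
            raise MalformedJP2(f"box at offset {pos} claims {length} bytes, less than its header")
        if length > size - pos:
            raise MalformedJP2(f"box at offset {pos} claims {length} bytes but only {size - pos} remain")
        yield box_type.decode("latin-1"), pos + header_len, length - header_len
        pos += length


def box_types(data: bytes) -> List[str]:
    """Box types in file order; raises MalformedJP2 on a bad length."""
    return [box_type for box_type, _, _ in iter_jp2_boxes(data)]


def is_well_formed(data: bytes) -> bool:
    """True when every box length fits inside the buffer."""
    try:
        box_types(data)
    except MalformedJP2:
        return False
    return True


def _box(box_type: bytes, payload: bytes) -> bytes:
    return struct.pack(">I4s", 8 + len(payload), box_type) + payload


# Constructed sample: the two boxes that open every JP2 file (signature and file type).
GOOD_SAMPLE = _box(b"jP  ", b"\r\n\x87\n") + _box(b"ftyp", b"jp2 " + b"\x00\x00\x00\x00" + b"jp2 ")

# Constructed sample: the same file followed by a codestream box whose declared length
# far exceeds the bytes present, the shape of input that triggers unchecked reads.
OVERSIZED_SAMPLE = GOOD_SAMPLE + struct.pack(">I4s", 0x7FFFFFFF, b"jp2c") + b"\x00" * 4

if __name__ == "__main__":
    print(box_types(GOOD_SAMPLE))        # ['jP  ', 'ftyp']
    print(is_well_formed(OVERSIZED_SAMPLE))  # False
```

The important detail is the order of operations: the length is compared against the remaining buffer before any slice or index uses it, and the XLBox and "to end of file" encodings are handled explicitly rather than assumed, since both are places where a decoder can be talked into trusting a number the file supplied.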
Apart from this, a remote image has to be downloaded from a web server, and because your machine makes that request, the web server can see a number of things. The first is your email address, which not only confirms to the hacker that it exists but that it is used frequently as well. The second is your IP address and your email client, giving the hacker your general geographic location as well as your internet service provider and workplace.
The last way, which is what the Facebook worm used against my colleagues, is simply a double extension. A person looking at a file named img34e66p3528(and so on for another twenty random characters).jpg.exe will not realise that the .exe extension makes it an executable file, not an image. Clicking the link no doubt showed some image, but it also allowed a script to take over one’s Facebook account and re-send the worm to a new batch of victims. For those curious, a friend who opened it on an iPhone showed me the image, and here’s what it looks like:
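The two checks described in the last two paragraphs, remote image loading and double extensions, can both be run over a message before a client renders anything. The following is an added example, not code from this post or from any mail client: a Python scanner that lists every <img> a message would fetch from a remote server (the request that hands the server your address, IP and client details) and flags attachments whose final suffix is executable but hides behind a second, benign-looking extension. The message, the tracker hostname tracker.example and the attachment name are all constructed samples.

```python
import email
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from pathlib import PurePosixPath
from typing import Dict, List
from urllib.parse import urlparse

# Final suffixes that make a file executable on a typical desktop (assumed list, extend as needed).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".jse", ".wsf"}


class _ImgSrcCollector(HTMLParser):
    """Collect the src of every <img> tag that points at a remote host."""

    def __init__(self) -> None:
        super().__init__()
        self.remote: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        src = dict(attrs).get("src")
        # data: and cid: images are carried inside the message; only http(s) ones cause a fetch.
        if src and urlparse(src).scheme in ("http", "https"):
            self.remote.append(src)


def find_remote_images(html: str) -> List[str]:
    """Return the remote image URLs an HTML body would load when rendered."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    return collector.remote


def has_disguised_extension(filename: str) -> bool:
    """True for names like photo.jpg.exe: an executable suffix behind a second extension."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_SUFFIXES


def scan_email(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw RFC 5322 message and report remote images and disguised attachments."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report: Dict[str, List[str]] = {"remote_images": [], "suspicious_attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            report["remote_images"].extend(find_remote_images(part.get_content()))
        name = part.get_filename()
        if name and has_disguised_extension(name):
            report["suspicious_attachments"].append(name)
    return report


def build_sample_email() -> bytes:
    """Constructed sample: a tracking pixel in the HTML part plus a .jpg.exe attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See the attached picture.")
    msg.add_alternative(
        "<p>See the attached picture.</p>"
        '<img src="https://tracker.example/pixel.gif?u=alice%40example.com" width="1" height="1">'
        '<img src="cid:logo">',
        subtype="html",
    )
    msg.add_attachment(
        b"MZ" + b"\x00" * 14,  # constructed bytes, not a real executable
        maintype="application",
        subtype="octet-stream",
        filename="img34e66p3528.jpg.exe",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_email(build_sample_email()))
```

Note the per-recipient query string on the pixel URL: that is how a single request tells the server which address opened the mail, which is the reason clients hold remote images back until you whitelist the sender. The attachment check deliberately ignores plain executables such as setup.exe; the point of the worm's name was the disguise, so only a double extension ending in an executable suffix is reported.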