The obfuscated code inside an .svg file downloaded from one of many porn websites.
Credit score:
Malwarebytes
As soon as decoded, the script causes the browser to obtain a series of extra obfuscated JavaScript. The ultimate payload, a identified malicious script known as Trojan.JS.Likejack, induces the browser to love a specified Fb publish so long as a consumer has their account open.
“This Trojan, additionally written in Javascript, silently clicks a ‘Like’ button for a Fb web page with out the consumer’s data or consent, on this case the grownup posts we discovered above,” Malwarebytes researcher Pieter Arntz wrote. “The consumer should be logged in on Fb for this to work, however we all know many individuals maintain Fb open for straightforward entry.”
Malicious makes use of of the .svg format have been documented earlier than. In 2023, pro-Russian hackers used an .svg tag to take advantage of a cross-site scripting bug in Roundcube, a server utility that was utilized by greater than 1,000 webmail providers and tens of millions of their finish customers. In June, researchers documented a phishing assault that used an .svg file to open a pretend Microsoft login display with the goal’s e-mail handle already crammed in.
Arntz mentioned that Malwarebytes has recognized dozens of porn websites, all operating on the WordPress content material administration system, which can be abusing the .svg information like this for hijacking likes. Fb commonly shuts down accounts that have interaction in these kinds of abuse. The scofflaws commonly return utilizing new profiles.
