Home » Online Privacy » Privacy News » Facebook Spam Campaign Spreads Ransomware Via SVG Image File

Facebook Spam Campaign Spreads Ransomware Via SVG Image File

Last Updated |
Disclosure: All of our articles are unbased, well researched, and based on a true picture of the story. However we do sometimes get commissions from affiliate sites. Our readers get the best discount from buying from our links. Here is our complete affiliate disclosure.

Hackers are now leveraging Facebook Messenger’s trust to spread locky-ransomware via SVG images in a Facebook spam campaign.

The ongoing Facebook spam campaign is the culprit behind the spreading of malware downloader by taking advantage of ‘seem to be’ harmless SVG image file to infect the masses.

The Facebook spam campaign was first spotted by the researcher Peter Kruse and malware expert Bart Blaze.

On his blog post, Bart Blaze wrote, “Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (a .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:”

facebook spam campaign

The SVG image file can embed any content (such as JavaScript) to bypass security filters.


What is SVG?, as mentioned at Wikipedia:

“Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.

SVG images and their behaviors are defined in XML text files. This means that they can be searched, indexed, scripted, and compressed.”


When a victim clicks and opens the malicious SVG file, it redirects him to a malicious website disguised as YouTube and asks to install a chrome extension to play the video.

“A website purporting to be Youtube, with a video from Facebook – of course, you’ll need to install an additional extension to view it,” wrote Bart Blaze.

The malicious chrome extension appears invisible with no icon and has the following permission: “Read and change all your data on the websites you visit.”

Once a victim installs the extension, the attack spreads further and installs a downloader Nemucod which executes the locky-ransomware.

The security researcher, Peter Kruse noticed the similar behavior and got locky-ransomware as a consequence

To remove the malicious extension immediately from your browser, follow these steps:

  1. Open the browser, and click on menu (three-lined option).
  2. Navigate to More Tools > Extensions.
  3. Click the extension you want to remove and click on the ‘trash bin‘ to remove it from chrome.
  4. A notification will appear to confirm the removal of the extension. Click on Remove.

After removing the malicious extension, run a system scan and change your Facebook’s password.

Moreover, notify your friends about this campaign, and ask them if they received a spam message from your end. If you receive the same message from one of your compromised friend’s profile, temporarily block their messages.

Leave a Comment