SVG Images are a New Ransomware Threat

in #security, 8 years ago

Creative cyber criminals are taking advantage of Facebook's compatibility with SVG images to infect victims with ransomware. SVG (Scalable Vector Graphics) files are dangerous on social media sites, in email, and even in instant messaging tools, because the format is designed to carry embedded content and code, such as JavaScript, and the files can be opened in a web browser. In a recent incident, spammers leveraged Facebook to conduct a campaign to infect unsuspecting victims with the Locky ransomware. This malware is unforgiving and is designed to encrypt users' files and hold them for extortion.

SVG images are also used on websites, which will make them a target for hackers. If they can hack a website and replace the current SVG with one containing malware, then visitors to that site may become infected. By the time the company realizes its webpage has been infecting its customers, the situation may have turned into a catastrophic business debacle. Many organizations implement strong precautions and security to protect their internal networks from external threats, but not as many are vigilant in watching the code on their webpages for minor graphical changes.

Technology is great and can be used to do wonderful things. SVGs offer many advantages as graphics go, but they can be abused. Without sufficient controls to protect potential victims, I recommend blocking SVGs on social media sites. Although extreme, it may be prudent to also abandon the use of SVGs on websites until security software can catch up with features to test such embedded code for malicious actions with a high degree of confidence.


Interested in more? Follow me on Twitter (@Matt_Rosenquist), Steemit, and LinkedIn to hear insights and what is going on in cybersecurity.
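A static check for the embedded code the post describes, as an added example (not code from the post or from any security product). It flags script-capable elements, event-handler attributes and scripted URLs in an SVG file. The tag list, the strict DTD policy and all names are assumptions of this sketch, and it does not run the embedded code the way a sandbox would.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy for this example: elements and URL schemes treated as active.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
BAD_SCHEME = re.compile(r"^(javascript:|vbscript:|data:text/html)", re.I)

def local(name):
    """Drop the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list:
    """Return findings for one SVG file; an empty list means none were seen."""
    # Strict choice: refuse DTDs instead of parsing them, since entity
    # declarations can be abused for entity-expansion DoS against the scanner.
    # Checked on raw bytes, so this assumes an ASCII-compatible encoding.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["DTD or entity declaration present; not parsed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            # Browsers ignore tabs/newlines inside a URL scheme; strip them first.
            url = re.sub(r"[\x00-\x20]", "", value)
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in ("href", "src") and BAD_SCHEME.match(url):
                findings.append(f"scripted URL in {attr} on <{tag}>")
    return findings

# Constructed samples (not taken from the campaign described in the post).
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
SCRIPTED = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/javascript">/* placeholder */</script>
  <a xlink:href="java&#9;script:void(0)"><text>link</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("scripted", SCRIPTED)):
        print(label, scan_svg(sample))
```

Run against a site's SVG assets on a schedule or in CI, a non-empty result for a file that was previously clean is the kind of unauthorized alteration the post says organizations rarely watch for.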


Hmm... on websites SVG is becoming the norm for a lot of big players. It's the web's perfect file format for icons and logos. Big clear scalable images with small file sizes.

If a hacker could add a malicious SVG to a website, they'd have to have access, therefore they could add a malicious JavaScript file, which would be easier than messing with an SVG.

The Facebook hack mentioned is another story, but for regular websites, I wouldn't be too worried.

Agreed with how we currently see the problem. But attackers are crafty and will find new ways to exploit such capabilities, I have no doubt. The risk is low for the moment on websites and higher on social media. That will likely flip-flop as social sites block the SVG usage. Websites, and aggregation sites that pull those images, will be a greater threat long-term, but the attacker must gain privileged access to the site in order to seed the attack. Doing so, this may be one way to remain persistent longer as compared to just adding a JavaScript file to the main page. Stealth may be the lure. I honestly do know for sure. It will unfold over time.

It's serious, w3 will need to work in additional security measures. Imo, they should add a namespace tag and incentivize typescript adoption.

I hope they develop additional measures soon, but expect the big endpoint security companies who use sandboxes to adapt first. If they can inspect and run the embedded code in a safe location first, to determine maliciousness, that will go a long way for their customers. Longer term, the standard needs to be changed and companies must do better in monitoring their websites for ANY unauthorized alterations.

I agree and I think security and privacy will become top features in the near future. I read your post about Cortana also.
You are a good writer! Steem on!

Thanks! I am just a cybersec geek that likes to talk about my industry. The more everyone understands the challenges and chooses to act with security in mind, the more secure we all become in our digital lives. :)

This post has been ranked within the top 80 most undervalued posts in the first half of Nov 28. We estimate that this post is undervalued by $3.73 as compared to a scenario in which every voter had an equal say.

See the full rankings and details in The Daily Tribune: Nov 28 - Part I. You can also read about some of our methodology, data analysis and technical details in our initial post.

If you are the author and would prefer not to receive these comments, simply reply "Stop" to this comment.


Upvoted resteemed and followed!!!

This is how we do it, we all win!


Thank you for the tip. Glad I follow you! Now I have that to worry about when trying to get some sleep at night. :)

Sorry about the sleep thing. I feel your pain. My colleagues and I don't get much sleep with everything that goes on in the cyberworld nowadays.

Really, so much to learn, so much to see and do. I wish there were faster internet and computers!
And also better embed tools like TTS here on Steem!

SVGs can be self-contained graphic applications (which is great, I once wrote a full graphic ontology viewer using SVG and JavaScript, very compact way of doing it), but for now I wouldn't accept people uploading them. I noticed that when you upload an SVG to Steemit, the MIME type gets changed by the proxy to image/png, rendering it "mostly harmless", but not showing anything either.
