The obfuscated code inside an .svg file downloaded from one of the porn sites.
Credit: Malwarebytes
Once decoded, the script causes the browser to download a series of additional obfuscated JavaScript. The final payload, a known malicious script called Trojan.JS.Likejack, induces the browser to like a specified Facebook post as long as a user has their account open.
“This Trojan, also written in JavaScript, silently clicks a ‘Like’ button for a Facebook page without the user’s knowledge or consent, in this case the adult posts we found above,” Malwarebytes researcher Pieter Arntz wrote. “The user must be logged in on Facebook for this to work, but we know many people keep Facebook open for easy access.”
Malicious uses of the .svg format have been documented before. In 2023, pro-Russian hackers used an .svg tag to exploit a cross-site scripting bug in Roundcube, a server application that was used by more than 1,000 webmail services and millions of their end users. In June, researchers documented a phishing attack that used an .svg file to open a fake Microsoft login screen with the target’s email address already filled in.
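All three cases above rely on the same property of the format: an .svg file is XML that browsers will happily execute scripts from. The checker below is an added example (not code from Malwarebytes or from the article) that flags an SVG carrying active content, namely script and foreignObject elements, on* event-handler attributes, and javascript: URLs. The two sample files are constructed for the demonstration.

```python
"""Flag SVG files that carry active content instead of pure vector drawing."""
import re
import xml.etree.ElementTree as ET

# Constructed samples: a plain drawing, and one that embeds active content
# in the three places a browser will execute it from.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">'
    b'<script>/* placeholder for an obfuscated loader */</script>'
    b'<a xlink:href="javascript:void(0)"><rect width="1" height="1"/></a>'
    b'</svg>'
)

# Elements that let an SVG run script or embed arbitrary HTML.
ACTIVE_TAGS = {"script", "foreignObject"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://...}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG should be treated as active content.

    An empty list means none of these checks fired. For untrusted input in
    production, parse with defusedxml rather than the stdlib parser.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # handles xlink:href as well as plain href
            if name.lower().startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def is_active_svg(data: bytes) -> bool:
    """True if the SVG should be blocked, sanitized, or served as an image only."""
    return bool(svg_findings(data))
```

Serving user-supplied SVGs through an `<img>` tag (where browsers do not run scripts) rather than inline or via a direct navigation removes most of this risk even when the check is not run.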
Arntz said that Malwarebytes has identified dozens of porn sites, all running on the WordPress content management system, that are abusing .svg files like this to hijack likes. Facebook regularly shuts down accounts that engage in these kinds of abuse. The scofflaws regularly return using new profiles.

