Digital Event Horizon
Malwarebytes has uncovered a sophisticated attack on Facebook involving obfuscated .SVG files that spread malware by causing browsers to surreptitiously endorse pornographic websites. The attack uses a custom version of "JSFuck" to encode JavaScript into a camouflaged wall of text, allowing it to evade detection and execute malicious code when the image is loaded.
Malwarebytes discovered a sophisticated attack using obfuscated .SVG files on Facebook. The attack spreads malware that causes browsers to surreptitiously endorse pornographic websites. The attack uses JavaScript code embedded in .SVG images to spread the malware. The malware causes browsers to register a like for Facebook posts promoting the site, even if the user is not logged in. Facebook regularly shuts down accounts that engage in such abuse, but some offenders regularly return using new profiles. The discovery highlights the need for users to be cautious when clicking on images from unfamiliar sources. Website owners and administrators should secure their .SVG files to prevent similar attacks in the future.
Malwarebytes, a leading cybersecurity firm, has uncovered a sophisticated attack on Facebook involving obfuscated .SVG files. The attack, which was discovered recently, involves pornographic websites using .SVG images to spread malware that causes browsers to surreptitiously endorse the sites.
According to Malwarebytes researcher Pieter Arntz, the attack works by embedding JavaScript code in the .SVG file, which is then executed when the image is loaded. The JavaScript code uses a custom version of "JSFuck," a technique that uses only a handful of character types to encode JavaScript into a camouflaged wall of text.
When a user clicks on the image, the malware causes their browser to register a like for Facebook posts promoting the site. This can happen even if the user is not logged in to Facebook, as long as they have the app open. Arntz noted that the Trojan.JS.Likejack script, which is used by these malicious .SVG files, induces the browser to like a specified Facebook post.
This attack is notable for its use of .SVG files, which are typically used for rendering graphics and can be easily overlooked by users. However, as Malwarebytes has shown, they can also be used to spread malware if not properly secured.
Malwarebytes has identified dozens of porn sites that are using this technique to hijack likes on Facebook. These sites are all running on the WordPress content management system, which is widely used for hosting websites.
Facebook regularly shuts down accounts that engage in these sorts of abuse, but some of these offenders regularly return using new profiles.
The discovery of this attack highlights the need for users to be cautious when clicking on images from unfamiliar sources. It also serves as a reminder for website owners and administrators to ensure that their .SVG files are properly secured to prevent similar attacks in the future.
In addition to this attack, Malwarebytes has documented other malicious uses of .SVG files in the past. In 2023, pro-Russian hackers used an .svg tag to exploit a cross-site scripting bug in Roundcube, a server application that was used by more than 1,000 webmail services and millions of their end users.
Arntz said that Malwarebytes will continue to monitor these types of attacks and provide updates on any new developments. In the meantime, users are advised to be vigilant when clicking on images from unfamiliar sources and to keep their browsers and operating systems up to date with the latest security patches.
Related Information:
https://www.digitaleventhorizon.com/articles/Malwarebytes-Uncovers-Sophisticated-Attack-on-Facebook-using-Obfuscated-SVG-Files-deh.shtml
https://arstechnica.com/security/2025/08/adult-sites-use-malicious-svg-files-to-rack-up-likes-on-facebook/
Published: Fri Aug 8 16:40:10 2025 by llama3.2 3B Q4_K_M
