Hackers are increasingly exploiting the rise of age verification requirements by embedding malware within Scalable Vector Graphics (SVG) image files, subsequently distributing them through deceptive Facebook posts, capitalizing on users migrating to less regulated websites.
As more countries impose age verification on adult websites, smaller sites are resorting to hidden malware schemes to inflate their social media presence, particularly on platforms like Facebook. Researchers at Malwarebytes recently uncovered that these schemes frequently leverage SVG files, a format that, unlike standard JPG or PNG images, is XML-based and capable of embedding HTML and JavaScript. This inherent capability allows attackers to conceal malicious code within seemingly innocuous image files.
The scam operates by sharing adult-themed blog posts, often featuring fake or AI-generated celebrity content, on Facebook. When users click on these links, they are prompted to download an SVG image. Interacting with or opening this SVG file triggers hidden JavaScript embedded within it. Malwarebytes researchers noted that the malicious code is highly obfuscated, using minimalist character sets and clever coding to evade detection.
Upon execution, the hidden script downloads additional malicious code from associated websites, leading to the installation of malware identified as Trojan.JS.Likejack. This Trojan covertly forces the victim’s browser to “Like” specific Facebook posts or pages, provided the user is already logged into their Facebook account. These automated “Likes” surreptitiously promote adult content and boost visibility within Facebook’s algorithm, allowing scammers to gain exposure without incurring advertising costs.
Malwarebytes discovered that a significant portion of the pages involved in this campaign are built on WordPress and are interconnected. Furthermore, numerous Blogspot[.]com pages were identified as part of the same scheme. While the use of SVG files for malware distribution is not a novel tactic—having been previously employed for phishing and scripting attacks—this particular campaign stands out for its sophisticated concealment of harmful code and its clever manipulation of social media platforms to drive traffic and enhance visibility. Despite Facebook’s ongoing efforts to dismantle fake profiles, scammers perpetually create new ones, perpetuating a difficult cycle to fully disrupt due to the anonymous nature of the internet.
