Reporting carries responsibility. When you tell the public about a risk, you need to tell them what the risk is, not just scare them. An article from Check Point Software Technologies, titled “ImageGate,” shows how bad even tech sites can get at clickbait reporting. According to Wikipedia, Check Point is a business with thousands of employees, not a hole-in-the-wall IT company that hires ghostwriters to write filler.
The article claims:
the attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.
The article claims that the image file itself is what gets downloaded, rather than some other piece of malware. This seems like a clumsy way to deliver malware. It requires two exploits in the same file, one to force the download and another to do nasty stuff once it’s opened on the victim’s computer. Have the attackers found two weaknesses in some file format?
The linked video gives little information. It shows a dialog offering to download an HTA file (not an image file) and implies that the ransomware executes just by the act of downloading it. Windows is bad about security, but I don’t think it’s that bad. The video doesn’t show the user being “forced” to download the file, as the article claims; it shows the user accepting a prompt to download a file with an HTA extension.
The article offers badly couched advice: “If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.” Download links on buttons and images are common and no more dangerous than download links on text. The video shows the user clicking on what looks like a thumbnail, and getting a download rather than just bringing up a window or image certainly is unusual and suspicious. You should be wary of any download prompt that you weren’t expecting. If it’s for an HTA file, you should cancel out. But it’s implausible that the thumbnail and the HTA were the same file.
To sound impressive, Check Point claims: “A detailed and technical disclosure of the attack vector will be published by Check Point only after the remediation of the vulnerability in the major affected websites, in order to prevent attackers from taking advantage of this information.” This is absurd. Telling people what kind of image files are affected wouldn’t give attackers any useful information, and it would help people to avoid the risk.
The “Imagegate” article is dated November 24. I wrote about the SVG risk on November 21, and I was just summarizing information that was already on the Web. Yet the article claims, “Check Point researchers strongly believe the new ImageGate technique reveals how this campaign was made possible, a question which has been unanswered until now.”
Or perhaps it’s something else. An article on The Register supposes that the exploit actually uses an HTA file “disguised” as a JPEG. Whether this is the old double-extension trick or some new weakness isn’t explained. I don’t think any browsers will accept an HTA embedded in a Web page as if it were an image. In the video, the HTA download prompt isn’t disguised at all. Update: I’m seeing articles on several websites claiming “Imagegate” is a JPEG defect, but Check Point’s article doesn’t mention JPEG at all. I don’t know whether they’re going by some additional information or just copying each other.
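The defensive point running through the post is that a download prompt for an HTA, with or without a double extension such as `.jpg.hta`, is the thing to refuse, and that a real image can be told apart from a script by its contents. The following is an added example written for this page, not code from the original post, from Check Point, or from The Register. It checks a filename offered by a download prompt for an executable or double-extension name, and checks whether a file's leading bytes match the image type its extension claims. The extension lists and the magic-byte table are this example's own assumptions, and the sample filenames and byte strings are constructed.

```python
import os

# Assumption for this example: extensions that Windows hands to a script host or
# runs directly. HTA is the one the post discusses; the rest are a defender's watch list.
EXECUTABLE_EXTENSIONS = {".hta", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe",
                         ".wsf", ".bat", ".cmd", ".ps1"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".svg", ".webp"}

# Leading bytes ("magic") of common raster image formats, used to confirm that a
# file claiming an image extension actually starts like an image.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".bmp": b"BM",
}


def classify_download(filename):
    """Return a verdict ('allow', 'block', 'review', 'unknown') for a filename
    shown in a download prompt, with a short reason."""
    name = os.path.basename(filename.strip())
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return {"verdict": "unknown", "reason": "no extension"}
    final_ext = "." + parts[-1]          # the extension Windows actually acts on
    inner_exts = ["." + p for p in parts[1:-1]]  # anything sandwiched in the middle
    if final_ext in EXECUTABLE_EXTENSIONS:
        if any(e in IMAGE_EXTENSIONS for e in inner_exts):
            # The old double-extension trick: "photo.jpg.hta" looks like a picture
            # but the trailing .hta is what runs.
            return {"verdict": "block",
                    "reason": f"executable {final_ext} disguised with image extension"}
        return {"verdict": "block", "reason": f"executable extension {final_ext}"}
    if final_ext in IMAGE_EXTENSIONS:
        return {"verdict": "allow", "reason": "image extension"}
    return {"verdict": "review", "reason": f"unrecognised extension {final_ext}"}


def content_matches_extension(filename, data):
    """True if the leading bytes match the image type the extension claims,
    False if they do not, None if no signature is known for that extension."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    sig = MAGIC.get(ext)
    if sig is None:
        return None
    return data.startswith(sig)


if __name__ == "__main__":
    # Constructed sample prompts: one honest image, one bare HTA, one double-extension name.
    for name in ("holiday.jpg", "invoice.hta", "photo.jpg.hta", "notes.txt"):
        print(name, classify_download(name))
    # Constructed contents: a JPEG header versus the start of an HTML-application file.
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF"
    hta_head = b"<html><head><script>"
    print("jpeg bytes as .jpg:", content_matches_extension("holiday.jpg", jpeg_head))
    print("hta bytes as .jpg:", content_matches_extension("holiday.jpg", hta_head))
```

A file that passes `classify_download` but fails `content_matches_extension` is exactly the case the post calls implausible: a thumbnail and an HTA cannot be the same bytes, so a mismatch between the claimed image extension and the leading bytes is worth treating as a download to cancel rather than open.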