Cybercrooks use photo-sharing to plant malware in online auto ad scams, FBI warns

Filed Under: Featured, Malware, Security threats

Car keys, image courtesy of ShutterstockBeware the auto seller on Craigslist who says he'll send photos on request - he could well be a crook who sends photos packed with malware, the US Federal Bureau of Investigations (FBI) has warned.

In a posting on its news blog, the FBI says it's seeing scam artists posting ads without pictures on unspecified sites.

When a potential buyer asks for images, the crooks will sometimes send what they claim to be pictures as attachments, while other times they'll send a link to an online gallery.

Either way, the FBI says, the "images" can contain malware that infects victims' computers.

The malware directs a victim to a bogus website made up to look like the site where the ad was originally seen.

After a victim agrees to purchase the item and makes the payment, the perpetrators vanish: no more emails, and no merchandise forthcoming.

Crooks are also using a variation on this photo-sharing scam. In this version, a scam artist poses as a seller who contacts those who've lost an online auction.

The bogus seller claims that the original winning bid fell through.

Car keys, image courtesy of ShutterstockThe FBI offers these tips to avoid getting preyed on when shopping online:

  • Make sure websites are secure and authenticated before you purchase an item online. Use only well-known escrow services.
  • Research to determine if a car dealership is real and how long it has been in business.
  • Be wary if the price for the item you’d like to buy is severely undervalued; if it is, the item is likely fraudulent.
  • Scan files before downloading them to your computer.
  • Keep your computer software, including the operating system, updated with the latest patches.
  • Ensure your anti-virus software and firewalls are current - they can help prevent malware infections.

Be vigilant, and don't click on phishy links, even if they do promise eye-candy photos of some gorgeous car.

If you've fallen for a scam like this, the FBI recommends filing a complaint with the Internet Crime Complaint Center at

Image of car and keys and helpful tips sign courtesy of Shutterstock.

, , ,

You might like

7 Responses to Cybercrooks use photo-sharing to plant malware in online auto ad scams, FBI warns

  1. njorl · 853 days ago

    "Scan files before downloading them to your computer" - is this feature available in many new routers, or is there a scanning proxy somewhere on the web we can use?

    • Paul Ducklin · 852 days ago

      I'd suggest that "scanning before opening them" is clearer advice, since you need to download them before you can scan them on your PC :-)

      Any decent anti-virus that has an on-access (a.k.a. real time) scanner can scan-before-use automatically - it'll watch for new files to turn up and scan them before you open them for the first time.

      By the way, if you do want an automatic way to scan files on your home network *before they are downloaded* (technically, between the remote website and your PC) you might like to know about Sophos's free UTM-for-home licence:

      You can protect up to 50 devices, and you get Sophos Anti-Virus for Windows free for up to 12 computers, too...

  2. John · 853 days ago

    insufficient information.

    Are you telling us that 'photos' (i.e. JPG, GIF, PNG, etc etc) can contain malware? or that they send malware executables that are claimed to be malware??

    The level of your information is aimed at grade-school naivete. Some of use subscribed to your newsletter can tell the difference between photos and malware files without having to test them.

    • Paul Ducklin · 852 days ago

      From time to time crooks will find exploits that allow remote code execution due to dodgy content in deliberately malformed image files. But it's rare.

      Usually, the files are claimed to be images but aren't.

      It's easy to say that people should infallibly be able to tell the difference between photos and malware...but *if you are expecting images* (indeed, have expressly asked for them!) and someone sends you a file that they say contains the images you're after but need to unzip it (etc.) to "view" them, I suggest that you are much more likely to let your guard down.

      Anyway, those of our readers who suffer from what you call "grade school naivete" don't need to feel bad about it. Naivete isn't a deplorable quality, after all - and is only dispelled by experience and learning. Which we are happy to provide.

    • dave · 852 days ago

      malicious code can be embedded in to picture files, so they still look like a picture and still contain a picture when you open them, but the malicious code will run in the background. Hard to detect without any form of virus scanner, many years ago you could detect possible malicious jpg's by the large file size, however as cameras are spitting out bigger and bigger image sizes its not so easy to tell by eye any more.

      If its an on line gallery then its more likely to be the gallery itself which serves up the malicious code rather than the image files.

      • Paul Ducklin · 852 days ago

        I'd say "malicious code may be able to be embedded," not "can be."

        Exploitable vulnerabilities in handling image files do indeed come up from time to time, but they're not an everyday thing.

    • Thomas · 851 days ago

      Hi John. I got a good laugh while reading your second paragraph, to wit: "The level of your information is aimed at grade-school naivete. Some of use subscribed to your newsletter can tell the difference between photos and malware files without having to test them."

      Naked Security should not, and does not, write exclusively for the level of expert computer understanding you and maybe 3 or 4 other subscribers possess. You should use your super duper expertise to inform the rest of us high school level dummies about such issues. Please post your blog or newsletter site, when you are up and running, somewhere on Naked Security so we all can be amazed.

      Not that you would care, but even though I knew malware could be embedded in photo zip files and even photo's themselves, I learned a few things from Paul's article. Well done, Paul, and kudos to the other respondents for their questions and comments that expanded the information without criticizing the article.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.