What is an .SVG file?
Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.
How does the malware spread?
Clicking the image that was sent redirects the user to a website posing as YouTube. The page then asks the user to download a certain codec extension in Google Chrome in order to view the video, and this is where the malware is injected.
Installing the purported extension gives it the ability to alter the user’s data on the websites they visit. This was discovered by security researcher Bart Blaze, who explains that the extension also spreads the malware further on Facebook, compromising the victim’s account.
It is not clear how the SVG files bypassed Facebook’s file extension filter, which only accepts a set number of extensions. However, Facebook’s security team has reportedly been notified, and the malicious Chrome extension has now been removed.
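Because an SVG is XML that can carry interactive content, an upload filter can inspect what the file contains instead of trusting its extension. The sketch below is an added example, not code from Facebook or the researcher; the function name, the tag and scheme lists, and both sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy lists for this example; tune them to your own upload rules.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed sample inputs (not taken from the campaign described above).
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
                 b'<script>/* placeholder */</script>'
                 b'<a href="javascript:void(0)"><rect width="9" height="9"/></a></svg>')

def local(name: str) -> str:
    """Drop the XML namespace and lowercase: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_active_content(data: bytes) -> list:
    """Return findings for an uploaded SVG; an empty list means none were seen."""
    try:
        text = data.decode("utf-8")  # one known encoding, so the checks see real text
    except UnicodeDecodeError:
        return ["not-utf8"]
    # Strict choice: refuse DTDs and entity declarations before parsing at all.
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return ["doctype-or-entity-declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return ["not-well-formed-xml"]
    findings = []
    if local(root.tag) != "svg":
        findings.append("root-is-not-svg")
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):  # onload, onclick, ...
                findings.append(f"event-handler:{tag}@{attr}")
            compact = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
            if attr in URL_ATTRS and compact.startswith(BAD_SCHEMES):
                findings.append(f"script-url:{tag}@{attr}")
    return findings

if __name__ == "__main__":
    print(svg_active_content(SAMPLE_CLEAN))
    print(svg_active_content(SAMPLE_ACTIVE))
```

Rejecting every DOCTYPE is deliberately strict and will also refuse some SVGs exported by drawing tools; a filter that must accept those needs a hardened parser instead of this shortcut.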