Adult websites are concealing scripts in .svg files:

Dissecting the attack required effort because much of the JavaScript in the .svg graphics was significantly obfuscated utilizing a tailored variation of “JSFuck,” a method that employs only a limited range of character types to transform JavaScript into a disguised block of text.

After decoding, the script prompts the browser to retrieve a series of additional obscured JavaScript. The ultimate payload, a recognized harmful script named Trojan.JS.Likejack, compels the browser to like a designated Facebook post provided the user has their account logged in.

“This Trojan, also developed in JavaScript, discreetly clicks a ‘Like’ button for a Facebook page without the user’s awareness or agreement, particularly with the adult posts we discovered previously,” Malwarebytes analyst Pieter Arntz noted. “The user must be logged into Facebook for this to function, but it is evident that many individuals keep Facebook active for quick access.”

This isn’t an innovative tactic. We have encountered Trojanized .svg files previously.