The authors turned to polyglot images to add the JavaScript code that redirects to a page offering a fake reward. The malicious code is hidden in a BMP type of picture and it is heavily obfuscated.

The malicious code is hidden within a CDATA section of the SVG file and relies on a static XOR key to decrypt a payload at ...

Researchers have discovered a relatively new way to distribute malware that relies on reading malicious obfuscated JavaScript code stored in a PNG file’s metadata to trigger iFrame injections.

The image, which is displayed to the right of this text, looked unremarkable. Using some clever HTML5 programming under the hood, however, it delivered malicious code to unsuspecting Mac users.