A new study shows cybercriminals have been hijacking the Instagram accounts of high-profile users, then extorting them in return for restored access.
Surprising? Not particularly. Instagram hacking is an increasingly common occurrence, and criminals have gotten better and better at finding new, creative ways to compromise accounts. Influencers are common targets, as they can often be ensnared with fake, malicious branding offers and are then willing to pay large sums—either to the criminal or to a “white hat” hacker—to restore access to their accounts.
This new ‘gram-hacking campaign, spotted by researchers with cybersecurity firm SecureWorks, is notable for how it deceptively seems to emanate from Instagram itself. The scheme, which targets mostly corporate Instagram accounts and influencers with large follower counts, uses some good ol’ fashioned phishing to ensnare unsuspecting targets.
The scam typically starts with the hackers sending a notice to a user that is styled to look like it came from Instagram: The notice tells the user that a photo in their account has led to copyright infringement and that their account is at risk of termination.
A screenshot shared in the new report shows that the messages look something like this:
We recently received a report of a photo posted on your Instagram. An image of your album is reported to contain copyright content.
If no objection is made about the copyrighted work, we will need to remove your account. Please fill in the appeal form.
If the user is foolish enough to click on the phony appeal link, they will be redirected to a malicious phishing page, which is styled to look like an Instagram login page. If the user takes the bait and types in their credentials, the criminals can use it to hijack the account.
After they have gained access, the hackers will change the user’s password and username and inscribe “this Instagram account is held to be sold back to its owner” on the user’s bio. Next to the inscription, the hackers will typically enter a WhatsApp domain and a contact number that, if called or texted, connects the user to the criminals so that a ransom can be negotiated. The hackers have also been known to contact victims directly using the phone number listed in their own account details.
In short: Pretty brutal. Nobody wants to get an unsolicited text message, but especially not from the person who just stole your social media account. The hackers, which appear to be based in Turkey and have been known to go by the moniker “pharabenfarway,” have been doing this since at least last August—when a post to an underground forum revealed the criminals selling access to hijacked Instagram accounts for up to $40,000.
To keep people away from this sort of thing, researchers have helpfully provided a list of the indicators of compromise (IOCs) associated with the attacks. You can check it out by reading their full write-up here.