Security researchers at Secureworks Counter Threat Unit (CTU) discovered an Instagram phishing campaign targeting corporate and influencer accounts with a large number of followers. The hackers gain control of the targeted account through phishing and force the victim to pay a ransom to repossess the hacked Instagram account.
The attackers accuse the Instagram account owner of copyright infringement and threaten to delete the account unless the target fills an appeal form. They provide a link leading to a customized phishing landing page resembling the target’s account.
The page contains an appeal button leading to a fake login page that demands the victim’s Instagram login credentials. Once the victim provides the username and password, the hackers gain access to the account.
Attackers modify the hacked Instagram account and publicly demand a ransom
After gaining control of the Instagram account, they modify the account’s username and change the hacked Instagram account’s password. The modified username is a variation of “pharabenfarway” followed by the number of followers.
The attackers then post a message on the user’s bio stating that the hacked Instagram account is held to be sold back to its owner.
Additionally, they include a shortened link to a WhatsApp URL and a contact number. Clicking on the WhatsApp link opens a chat with the attackers. They also contact the victim using the phone number listed on the hacked Instagram account and begin negotiating a ransom.
The researchers identified the threat actors behind the Instagram phishing campaign through a pbfy[.]business website as Pharaben and Farway. The suspected Turkish and Russian citizens describe themselves as “advanced experts in social media and hacking.”
Pharaben uses a contact number with a Russian country code, while Farway’s phone number has a Turkish code suggesting they are citizens of these countries.
Additionally, one of the phishing pages references a Turkish file-sharing service hizliresim[.]com, and one threat actor has communicated through a Turkish Instagram account.
In August 2021, a threat actor identified by the same moniker had posted on an underground forum selling hacked Instagram accounts for $40,000.
Significant damage to corporate social media accounts
The researchers warned that while social media hacking seems insignificant, threat actors could access email accounts or other corporate resources via hijacked Instagram accounts. Additionally, the hackers could misuse a hacked Instagram account to damage an organization’s brand and reputation to gain more leverage and force ransom payment.
“The popularity of social media has made it a primary communications platform for many organizations,” says Chris Clements, VP of Solutions Architecture at Cerberus Sentinel. “Having that hijacked by cybercriminals is at best embarrassing and at worst can cause significant reputational harm.
“An account taken over that makes embarrassing posts can be funny, but there is also a danger of real harm if the attackers’ posts are more malicious. Scams such as the incident with Twitter’s internal tools being used to hijack several popular users in 2021 to steal cryptocurrency can defraud consumers who trust the brand.”
Clements adds that cybercriminals could post malware links on corporate social media accounts, causing data loss and privacy infringement. Similarly, the compromise of social media accounts used for coordinating various activities could cause chaos.
“For example, a college or school account that gets hijacked may be able to cause problems by posting that classes have been canceled when they, in fact, have not.”
Similarly, many influencers depend on their Instagram accounts for income and are likely to pay to avoid losing their source of livelihood.
“Given the value of influencer social media accounts, and the time, effort and cost it would take to create a new account and reclaim followers and a verified or trusted status, the victims are likely to pay to recover the account,” says Erich Kron, Security Awareness Advocate at KnowBe4.
The researchers listed the indicators of compromise including phishing domain IP addresses and threat actors’ usernames to help Instagram account owners defend themselves against phishing.
Surprisingly, the phishing campaign reportedly continued despite the hackers posting the same message on all hacked Instagram accounts’ bio and announcing their criminal intent.
Hacking Instagram accounts not new
Hacking Instagram is hardly a new phenomenon. Influencers have frequently fallen victims to fake promotion offers only to lose their accounts. However, hackers have become emboldened by inaction and bureaucracy that they can openly announce their intentions.
“Because of the difficulty in contacting a human when dealing with social media account issues, this can make taking back control of the account difficult or impossible,” says Kron noted. “Any recovery emails or codes sent in the account recovery process are instead sent to the attackers.”