• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Bad Sites   »   How a Hacking Group is Stealing Popular Instagram Profiles

How a Hacking Group is Stealing Popular Instagram Profiles

  • Posted on:February 28, 2019 at 5:18 am
  • Posted in:Bad Sites, Social, Spam
  • Author:
    Trend Micro
0

by Jindrich Karasek and Cedric Pernet (Threat Researchers)

Social media influencers build and expand their business or brand through credibility and authenticity to their audience. For hackers, however, they could be seen as trophies. That’s what happened to a photographer with more than 15,000 followers on Instagram, when she had her account stolen.

A closer look into the incident revealed that the hacker got into her account through phishing. While it seemed straightforward enough, we also found that targeting popular Instagram profiles has become a modus for a certain group of Turkish-speaking hackers. And by abusing Instagram’s account recovery process, they were able to keep the stolen account even if the victim squarely followed the process.  We’ve seen cases where owners of Instagram profiles with followers between 15,000 and 70,000 were hacked and were never retrieved. The victims ranged from famous actors and singers to owners of startup businesses like photoshoot equipment rentals.

The group also engages in digital extortion. Once a victim tries to reach out to the hacker, they would be wringed to fork over a ransom or nude photos and videos to get the account back. Of course, the hackers never give it back.  Indeed, this kind of attack — targeting high-profile accounts or social media influencers — highlights our predictions for this year’s threat landscape.


Figure 1: A visualization of how the hackers are stealing the Instagram profiles

Attack chain
Analysis of the phishing kit revealed that the hosting system blocks requests from wget. We managed to obtain the phishing kit by spoofing a user agent.

The compromise starts with a phishing email pretending to be from Instagram. The email prods the potential victim to verify the account to get the Verified badge for the user’s Instagram profile. Note that Instagram has specific requirements and the verification process happens only after a user requests for it. Instagram doesn’t ask for credentials either.



Figure 2: Screenshot of the phishing email asking the user to verify his Instagram account



Figure 3: The phishing page the user gets redirected to (left) and another that asks for the user’s email credentials (center); after credentials are keyed in and submitted, the user will be redirected to a page that notifies the profile has been verified (right)

Once the user clicks the “Verify Account” button, he will be redirected to a phishing page that asks for the user’s date of birth, email, and credentials. When we first saw these pages, they didn’t have any data validation on the input and returned the same screen even after submitting an empty form. However, they’ve since added basic data validation by not letting the user submit an empty form.

Once the attacker has access to both the victim’s Instagram profile and the email related to the account, the hacker can then modify the information needed to recover the stolen account. The victim will also be prompted to enter his email’s credentials. Once submitted, a badge notification appears, but for only four seconds. This is a trick to give users the impression that their profile has been verified.

After some time, the phishing page will be diverted to Instagram’s website. This is a common tactic in phishing. It’s likely that the victim would already be logged in with cookies, so the victim may just be diverted to his Instagram profile. Since we tested the phishing kit in a clean environment, we only got Instagram’s login page.

The hacker’s modus
We looked further into these cases to learn about the hackers’ motives and how they operate. In an Instagram profile they’ve hacked, they changed its username to “natron_raze”, probably to indicate it was hacked. The email associated with the profile was also immediately modified. After some time, the account’s email was changed again. The trick here is to flood the victim with Instagram’s security emails asking if the changes were legitimate. The hacker would also try to draw the user’s attention by defacing the profile.


Figure 4: A defaced Instagram profile aiming to get attention from its owner

After the profile was compromised, other accounts immediately followed it. Some were fake profiles, while the others were either previously stolen profiles or the hackers themselves. After some time, we saw the hacker removing the hacked accounts from his follower lists, although some returned. This could probably be because the hacker realized that his modus was being monitored.

In one instance, we saw the hacker threatening to delete the account or never return the stolen profile unless the victim pays a ransom or sends nude photos or videos. The hacker also let others know he stole another account, as shown in Figure 4.


Figure 5: Screenshots of the hacked and defaced Instagram profiles

Searching for more information on “Hesap Ebedi,”(Turkish words for “account” and “eternal”) we found a forum from a hacking group discussing how to manage stolen accounts so their owners cannot get it back, even with the help of Instagram’s account retrieval process.


Figure 6: Forum post on turkhackteam mentioning the attack dynamics of stealing Instagram accounts

We reached out and disclosed our findings to Facebook and Instagram but have yet to receive a response as of this writing.

Defending against phishing
The hackers in these instances lure victims into handing out personal information to get an incentive (such as a blue badge in their profile). Their mimicry of Instagram’s emails also made their malicious emails appear legitimate. Here are some of the red flags users and businesses can watch out for:

  • Use of domains other than the social network’s own
  • Dubious font styles (i.e., usage of screenshots instead of actual images)
  • Incorrect grammar and punctuation
  • Emails that ask for credentials; social networks never ask for them outside of their actual, secure login pages

Trend Micro Smart Protection Suites and Worry-Free™ Business Security protect users and businesses from these phishing attacks by detecting malicious files and spammed messages and blocking related malicious URLs.

Indicators of Compromise (IoCs):
IP address related to the phishing attack: 

  • 185[.]27[.]134[.]212
  • 104[.]24[.]119[.]10
  • 2606[:]4700[:]30[::]6818[:]760a
  • 2607[:]f8b0[:]4864[:]20[::]243

URLs related to the phishing attack:

  • hxxps://2no[.]co/2WPr35
  • hxxps://confirm[-]service[.]tk
  • hxxp://instagrambluetick[.]ml/?i=1
  • hxxp://instagrambluetick[.]ml/mailconfirmation[.]php
  • hxxp://instagrambluetick[.]ml/confirmed[.]php
  • hxxps://Instagram[.]derainbow[.]es
  • hxxp://urlkisaltma[.]com/27rjN
  • hxxp://urlkisaltma[.]com/farES

Related posts:

  • ‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
  • Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole
  • Phishing Attack Uses Browser Extension Tool SingleFile to Obfuscate Malicious Log-in Pages
  • Powload Loads Up on Evasion Techniques
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: instagramphishing

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
  • Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  • December Patch Tuesday: Vulnerabilities in Windows components, RDP, and PowerPoint Get Fixes
  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.