After taking control of an account, hackers often ask for a ransom in exchange for not deleting it.
Usually, after the victim pays, the hackers do not return the account and instead ask for new payments.
Social media have become one of the most successful communication channels, and platforms such as Facebook, Twitter and Instagram are used daily by millions of users, for both personal and commercial purposes. Instagram alone has more than 1 billion users per month, approximately one eighth of the current world population.
Cybercriminals increasingly come to these popular sites to hunt for prey for ‘hacking’ and extortion. In recent years, experts at cybersecurity company Trend Micro have observed various groups and lures linked to these schemes.
For maximum impact, the cybercriminals behind this campaign go after social network ‘influencers’, a pattern that has also been seen in previous campaigns. Having accumulated not thousands but millions of followers, and often making money from brand offers, affiliate marketing and other means, influencers have a lot to lose if their accounts are compromised.
How Instagram accounts are ‘hacked’
To lure targets, hackers often disguise their accounts as tech support accounts. Sometimes they assume the identity of a friend of the target account owner. They then use phishing emails, messaging apps such as Telegram and WhatsApp, or Instagram itself to reach the potential victim. To do this, they create new accounts or reuse stolen accounts.
The hackers’ messages claim that the account owner has committed a copyright violation, or that they can provide a verified credential. According to the message, the account will be deleted if the user does not verify it by entering their details on a web page that the hackers link to in the message. The link leads to a phishing site that mimics the official Instagram user interface.
If the user hands over their real credentials, the cybercriminals change the account password so that the original owner loses access to it. They then mine the account, downloading all images and messages manually or via Instagram’s data backup feature. Hackers can even modify the account bio, share content through the ‘Stories’ function or reach out to the victim’s contacts.
Negotiating with victims
At the same time, hackers begin to negotiate with the victim. They usually operate the ‘hacked’ account while the victim talks to them using a different account. They then demand payment in bitcoin, prepaid credit cards or vouchers in exchange for restoring access. Based on the activity detected in some bitcoin wallets related to this campaign, it seems that some targets may have paid, as detailed by Trend Micro.
However, the negotiation is nothing more than a ruse. The hackers do it only so that the victim is not driven to report the incident through the appropriate channels, and so that they can buy some time, since downloading all the account data can take up to two days. After the victim pays, the hackers will not return the account. Rather, they will only ask for more payments.
In many cases, a single malicious actor manually compromises multiple accounts at the same time. There are also cases where each malicious actor belonging to a group has a designated role in the campaign, such as the operator of the ‘hack’, the payment collector or the leader who oversees the operation.
How to keep accounts safe
Users, for their part, can protect their Instagram accounts, or any of their online accounts, by following a series of basic safety recommendations offered by Trend Micro experts.
First, they advise users to set up two-factor or multi-factor authentication. With this enabled, hackers will not be able to access an account even if they have the password. Instagram and many other sites have configuration settings for this.
They also advise never opening links in emails and messages from unknown sources, as these links can lead to phishing sites. Users can consult the official support page of the affected service or website for more information in the event of ‘hacking’ or account deactivation.