A hacking group has been phishing the owners of popular Instagram accounts, extorting the victims, and then keeping them from recovering the stolen accounts, according to new research that underscores how attackers are exploiting the value of social-media brands.
“We’ve seen cases where owners of Instagram profiles with followers between 15,000 and 70,000 were hacked and were never retrieved,” researchers from cybersecurity company Trend Micro wrote in a Thursday blog post. “The victims ranged from famous actors and singers to owners of startup businesses like photoshoot equipment rentals.”
As with many a breach, the attack starts with a phishing email. Trend Micro researchers got hold of the hackers’ phishing kit to explore further.
The lure purports to be a message from Instagram asking users to get a “verified badge” and encourages them to submit login credentials. Once the hackers have access to the Instagram profile and the email associated with it, they can alter the information needed to recover the stolen account, the Trend Micro researchers said.
With a user’s Instagram footprint thoroughly compromised, the extortion attempts begin. In one case, researchers said, a hacker threatened to delete the Instagram account or keep the stolen profile for good unless the victim sent nude photos or videos, or paid a ransom.
The Turkish-speaking group appears to have researched how to abuse Instagram’s account-recovery process on a hacking forum, according to Trend Micro.
There are software tools to block phishing, but people can also use their common sense as a defense. The researchers advised users to carefully check the domains from which they are getting emails and be on the lookout for unusual font sizes, bad grammar, and emails that ask for login credentials – something social-media platforms don’t do.
Like other major social-media services, Instagram has had to grapple with efforts by hackers and propagandists to abuse its platform. In 2017, after hackers claimed to have compromised information on 6 million Instagram users, the company reportedly acquired web domains in an attempt to block access to the stolen data. Besides phishing attacks, SIM swapping is another way hackers acquire access to accounts.