16 C
Wednesday, May 29, 2024

Hackers Demand Ransom for Hijacked Instagram Accounts

An extensive phishing campaign has targeted corporate Instagram accounts. The threat actors demand ransoms from the victims to restore access.

Hackers Demand Ransom for Hijacked Instagram Accounts

Secureworks has identified a phishing campaign that hijacks corporate Instagram accounts, as well as accounts of individual influencers who have a large number of followers. Hackers then demand ransom to be paid for the hijacked Instagram accounts from the victims.

The Phishing Campaign

The phishing campaign begins with a message that purportedly originates from Instagram and alerts the victim to a potential copyright infringement issue (see Figure 1). The “Appeal As <victim account username>” link in the message is a shortened Bitly URL that resolves to an attacker-controlled phishing domain.

- Advertisement -
Fake Instagram notice about copyright infringement. (Source: Secureworks)

The phishing site is customized to mimic the victim’s Instagram account:

When the victim checks the box indicating their objection, the “Go to Appeal Form” link becomes active. This link leads to a login screen that prompts for the victim’s password. If the victim provides their password, the threat actors harvest the credentials and gain access to the account.

After gaining control of the Instagram account, the threat actors change the password and username. The modified username is a variation of ‘pharabenfarway’ followed by a number that appears to be the number of followers for the hijacked account.

Researchers identified numerous Instagram accounts taken over by ‘pharabenfarway.’ An analysis of the phishing sites meant to harvest victim credentials shows that the campaign started around August 2021.

It was later found that the stolen accounts were sold on underground forums. One Instagram account, for example, was offered with a hefty price tag of $40,000.

Further analysis points to the campaign being operated by two threat actors named ‘Pharaben’ and ‘Farway.’ The first culprit used a phone number with a Russian country code while the second used a Turkish one.

Researchers claim that the investigation led them to think that the campaign might have originated in Turkey. In one incident, threat actors communicated using a Turkish-language version of Instagram. The page source for one of the phishing websites references a Turkish file-sharing service.

Website | + posts

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.


Also Read