High-profile accounts on Instagram are being targeted by phishing and ransomware attacks, with evidence that many are paying the attackers.
Hackers are gaining access to accounts via phishing scams: posing as personal representatives of well-known branding companies, they contact the victim with a proposal to start a partnership, Motherboard reports.
The scammer sends the victim a link, supposedly to their own Instagram page. The link, however, leads to a fraudulent Instagram login portal; once clicked, the victim is asked to re-enter their login details, which are then captured by the attacker.
Instagram has not yet commented on the well-documented attacks.
The attacker then sends a message to the victim stating that their account is being held captive and that they now have three hours to pay a ransom in bitcoin or the account will be deleted permanently.
At this stage the victim panics: it is not just their account that is being held hostage but all of the followers they have cultivated and built up over time, and these are the real hostages. A new account can be created, but the followers are hard to replicate.
Fearing the worst, many of the victims pay small sums amounting to a couple of hundred pounds to rescue their accounts.
However, Motherboard's investigation found that the attackers took the money and deleted the accounts anyway.
Instagram Ransoms
Fitness-focused Instagrammer Kevin Kreider fell victim to this scam and paid the attackers a small sum to retrieve his account. Unfortunately, they did not release it, and for a while it appeared to have been removed from the platform.
Mr Kreider has since had his account returned, but it is still unclear whether this was due to an intervention by Instagram or the attacker keeping up their end of the deal.
Avast Security expert Luis Corrons commented in a blog post: “These attacks can easily be avoided by enabling two-factor authentication,” he explains. “I believe that well-established social media companies should in fact enable 2FA by default; this alone would decrease the number of hacked accounts to almost zero.”
Instagram does offer two-factor authentication, but it is not enabled by default: users have to manually enable the security measure themselves.
As Instagram notes: “There are several two-factor authentication methods you can use with your Instagram account. To get started with two-factor authentication, choose either: Text message (SMS) codes from your mobile phone. Login codes from a third party authentication app (such as Duo Mobile or Google Authenticator).”