CyberWire Daily - Instagram hijacks all start with a phish. [Research Saturday]
Episode Date: February 19, 2022
Guest Marcelle Lee, Senior Security Researcher and Emerging Threats Lead, from SecureWorks joins Dave to share her team's work on "Ransoms Demanded for Hijacked Instagram Accounts." An extensive phishing campaign has targeted corporate Instagram accounts since approximately August 2021. The threat actors demand ransoms from the victims to restore access. Organizations typically focus on traditional enterprise cybersecurity threats. However, some threats are more subtle, targeting organizations on unexpected platforms. In October 2021, Secureworks Counter Threat Unit (CTU) researchers identified a phishing campaign that hijacks corporate Instagram accounts, as well as accounts of individual influencers who have a large number of followers. The threat actors then extort ransom payments from the victims. The activity continues at the time of the interview. The research can be found here: Ransoms Demanded for Hijacked Instagram Accounts
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So it was kind of funny, it actually came through one of our VPs, they had a friend that this had
happened to with their corporate Instagram account. So this person
reached out and was like, do you want to know about this? And then it got kicked down the chain
and I picked it up because it seemed kind of interesting. That's Marcelle Lee. She's a senior
security researcher and emerging threats lead at SecureWorks. The research we're discussing today
is titled, Ransoms Demanded for Hijacked Instagram Accounts.
Let's walk through it together here.
Can you sort of take us through how someone would find themselves a victim of this particular attack?
running where they would send a message either via Instagram or via email to their target.
And it said essentially that there had been some kind of, you know, copyright infringement
for something that they had posted on Instagram.
And please click on this link to, you know, appeal it basically.
So I thought it was unique in like, I've not seen that particular
kind of lure used before. I mean, obviously there's tons of phishing out there, but I don't know that
I've seen copyright infringement before. Yeah. It's interesting in that it, like it struck me
as being simultaneously benign, but also urgent because it's not, I mean, a copyright violation,
you know, okay. You could see that happening in the course of day-to-day stuff, certainly on
Instagram. But then the message says, if you don't follow through on this, we'll need to
remove your account. Yes. Yes, exactly. So, so of course it does have a bit of that sense of urgency, depending on how much you care about your Instagram account, I guess.
And, you know, as well as I do that all this phishing works on different psychological principles.
So I think really urgency and perhaps authority would be the two that I would
think of for this particular phish. So, and it was
also customized, you know, very specifically for their target. So, you know, it had the person's
name and their Instagram handle. So, you know, it wasn't just something that was just cast out there
kind of widely and not targeted at all. It was very specific. And as we revealed eventually
in the research is that they were specifically going after corporate accounts or accounts that
had a high number of followers, presumably because those accounts would be more inclined to
cough up a ransom to get their access back. So if I click through on here and I think my
Instagram account is in peril, what would happen next? So the next thing that happens is a page
comes up and it's a pretty good copy of Instagram's actual page. And again, another warning message
and telling you to go to the appeal form, but you have to log in at this point.
And of course, you're not on the actual Instagram site.
You're on a fake Instagram site, but a very well done fake Instagram site.
You know, there's a whole tier of how good these things look.
And these were pretty slick.
And I actually visited a number of them,
you know, myself to see what it looked like.
And the domain names that the threat actors were using,
you know, for the fake Instagram pages
had things like around like support
and support violation form,
a lot of IG hyphen, this, that, or the other.
So kind of had the appearance of maybe being legitimate for anybody who was actually looking
at the link closely.
They did set up quite a number of different domains.
And I mean, as of last week, this is still ongoing.
So I haven't looked lately, but I'm sure there's probably
even more domains than what we listed in the blog post.
So it then takes you to a fake login screen. And from there, what happens?
So essentially you'll put in your password. Not you, of course, but you're way too savvy for that. But the victim would put in their password. And at that point, behind the scenes on this fake website, they harvest that information
and then, you know, presto manifesto, they now have the credentials for your Instagram
account. And so they immediately take over the account and then modify the account
page, like the Instagram social media page, to show that it's been taken over by these threat
actors. Yeah, that was a fascinating element of this to me. You all, you have a screen capture here in the research and they modify,
I guess, the about page on the account. And it says this Instagram account is held to be sold
back to its owner. Yep. And then they have their own, I guess, their own name in there as well.
Can you unpack that for us? Yeah, sure. So the Farabin Farway seems to be a combination of the two threat actors' names behind this whole campaign.
Then they tack on, after Farabin Farway, a number.
And so, like in the example in the blog post, it's 126K, which actually I didn't notice this.
Somebody else on my team noticed this. It's like, oh, that aligns with the number of followers.
So that seems to be the methodology for the naming of the account.
And it has the WhatsApp phone number, basically, or contact, not a phone number per se, but a WhatsApp domain with a contact number there for them to reach back to.
It's interesting because I didn't used to be a big Instagram user and I ended up getting an account just because I'm often doing
threat research that involves Instagram and you can't really see that much unless you have an
account. So now, like I just checked the other day, and if you search for Farabin Farway,
you know, just in the search function of Instagram, you'll see there's
many, many, many instances of these hijacked accounts. And some of them, you can tell what
they are just by looking at the posts from the Instagram account, other ones you can't really.
And I've also seen sort of, you know, anecdotally, a number of people posting, you know, oh, my Instagram account has
been taken over by, you know, these people. What do I do? So, yeah, they're pretty prolific. I was
really surprised at the extent of the activity. I have to say that that part of it leaves me
scratching my head a bit that if they're so out there in the open and they're consistently using this name,
this calling card, how has that not drawn the attention of Instagram to instantly and
automatically shut this sort of thing down when they see it? That puzzles me.
Yeah, it puzzles me too. I couldn't really opine on why or how, you know, Instagram does these things, but I think they're usually pretty on, you know, campaigns like this.
And I would imagine there would be a number of people who would have contacted Instagram about it.
So, you know, these guys, I'll call them guys, they may be women, but all their avatars and everything look like men.
Their OPSEC is not super strong, right? It wasn't hard to find their email addresses and their phone
numbers and so on and so forth. So maybe now that this blog is out, Instagram will take them down.
Let's hope. Well, you mentioned them having poor OPSEC. Let's explore that part together.
How did you go down that pathway and what were you able to discover?
Yeah. So I was able to discover some of their contact information through actually some of
the domain registrations were not private, which is rare these days. Almost always when you're going down that particular rabbit hole,
it's mostly a dead end, but in this case it wasn't.
And then they actually had their own little website with an about us page
that kind of said a little bit about who they were.
And, and apparently they're into, I don't know,
I think it's Robert. No, I don't even know who these actors are.
I think it's the guy from Scarface.
And then I'm not sure who the other one is.
You might know. Yeah, it looks like maybe Pablo Escobar and Al Pacino, maybe.
There you go.
A couple of gangsters.
Imagine that, threat actors using images of gangsters in their iconography, right?
Exactly.
So in there, they have their individual Instagram accounts and their WhatsApp phone numbers.
And again, they're using the same name or sort of permutations of that Farabin Farway thing.
So that was actually not too hard to discover.
And then they also had the underground forum listing where they were saying that they would
offer access to these accounts for sale potentially. So they left a lot of breadcrumbs,
I would say, basically. And so part of this is that they're trying to ransom these accounts
back to their original owners. As you pointed out, they seem to be targeting corporate accounts where I suppose
they feel as though they might be more inclined to open up their wallet. And I mean, honestly,
and I don't think I got into this in the blog, but they weren't asking exorbitant ransom amounts,
at least not that I saw. The few where I was able to see the amount
being asked, it was, you know, around like $500. So, so I think, you know, they're in it for volume
and, you know, if you, you can get a hundred different companies to pay you $500 in a week
or whatever, then that's not too bad. Yeah. Yeah. Almost a nuisance. And I suppose
I don't want to go so far as to say an investment in reminding a company that they should be using
multi-factor authentication, but there you go. I think that I would pay you $500 to get that
kind of advice if I was an organization. Yeah. Yeah. What were you able to
suss out here in terms of where these folks might be coming from? Yes. So there were some breadcrumbs
here as well. You know, we tend to kind of assume that all the cybercrime type stuff is coming out
of Russia, but not necessarily. And in this case, it seemed like one of the
threat actors was from Russia, but the other one appeared to be from Turkey, which is not something
that I see all that commonly. And, you know, some of the things that pointed towards that were
Farabin, in this case, he had a Russian country code for his phone number. And then in the,
the page source, basically of these different phishing sites, there is a document sharing
service that they were using to like reference different files. And that document sharing
service was, um, a Turkish company, his lorism something.com. I'm sure I'm mutilating the pronunciation of that.
But, you know, I was like, oh, that's interesting.
And then there were a couple of instances where I found the Instagram account being used to communicate with the victims was a Turkish language version of Instagram.
So, yeah, so it pointed certainly to at least one of these threat actors being based in Turkey. Yeah. So what are your recommendations
then? If I'm the person at my organization who's charged with, you know, protecting our WhatsApp
social media account, what sort of things can I put in place to keep these folks away?
Yeah, well, you already said the number one thing, right?
Multi-factor authentication.
It doesn't cure everything, but it certainly presents a stumbling block.
So, you know, if you're trying to hack into somebody's whatever account, right, if there's multi-factor authentication, it's just going to make it that much harder. And chances are, you're just going to move on to the next potential victim. And we
see that all the time at SecureWorks with, you know, not Instagram hacking, but just really,
you know, trying to get in through like VPN access or whatever, you know, multi-factor
authentication is almost always one of our top recommendations around like incident response
engagements that we do. I think with social media sometimes too, like, I think shared logins are used.
Like, you know, a company might have, like, oh, you know, social media at XYZ company or Instagram
at XYZ company, which is, A, easy to guess, and B, the password's being shared around.
So that's not like a super great practice.
It's much better to have something unique that, you know,
only one person has access to.
Or, of course, use a password manager where it's, you know,
that's something I always recommend to people anyway is then you don't have
to be sending passwords around by text or email or carrier pigeon, whatever people do.
The other thing that strikes me about password managers that I don't hear people mention all that often is that a lot of them will try to protect you from logging into a spoofed site.
It'll check the URL and come back to you and say,
hey, are you sure about this?
Because we don't really think this is Instagram.
Yeah, it's like, are you sure you want to fill in?
I see that with the one that I use all the time,
and it's usually because I'm on some mobile version or something that it's not recognizing.
But yeah, absolutely.
That's a great point because it's another sort of
safety measure that is baked into a lot of the password managers. And also, you know,
the password managers will of course let you know if you're reusing passwords. And that's, you know, that's the thing that concerns me about this kind of campaign. It's like, sure,
maybe you don't really care that much if your Instagram
account gets hacked, but if you're using, like, the same credentials for, you know, corporate access,
your email or whatever, which, as we know, people do tend to reuse, then that's not great, you know.
Then it turns into a whole different level of being problematic. So definitely password managers help with that aspect too.
Do you have any sense for how successful this gang has been? Is there any Bitcoin accounts
or anything like that, that we have any notion for how many folks are paying up?
Yeah, I did come across some wallet IDs and it looked like basically at the time that I originally did the research,
which was a couple of months ago, they had been making many transactions like in and out, but
it looked like they were pretty consistently having a balance of like 20,000 at a time before
they would like move it out to someplace else or something. So again, you know, not a huge amount, you know, when we're
used to hearing about ransoms that are, you know, in the millions and millions of dollars, but,
you know, they clearly have been successful in this campaign and continue to do it as far as I know.
Our thanks to Marcelle Lee from SecureWorks for joining us.
The research is titled,
Ransoms Demanded for Hijacked Instagram Accounts.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios. Justin Sabey, Tim Nodar, Joe Kerrigan, Carole Terrio, Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.