Attackers nowadays hit organizations when they least expect it, often through platforms that receive little security attention. This campaign, however, is anything but subtle: Instagram accounts of companies and influencers with large followings are being targeted.
The phishing campaign started in October 2021, or at least that is when the research firm discovered it. It is still active, and many more Instagram accounts are at risk.
Why does it matter? Because the phishing ends in extortion. The attackers take over prominent accounts and demand a ransom to hand them back. It is often described as ransomware, but nothing is encrypted; the leverage is control of the account itself, and the impact on a brand is still huge. So how does it begin, and what is it all about? Here is everything you need to know.
Instagram Ransomware Attack – Huge Followings, Perfect Target
Not long ago, hackers embedded the MasterFred malware in fake Android apps disguised as legitimate applications such as Instagram.
Popular accounts are always the target, as we have seen before with TikTok and Twitter. With TikTok, the attackers posed as TikTok employees and threatened users with imminent account deletion. A single click on the link, followed by the victim's credentials, let the attackers take over the account.
Now Instagram suffers the same fate, with a threatening message much like the one used against TikTok. This time the threat actors send a message pretending to be from Instagram, notifying high-profile users of a purported copyright infringement.
In other words, the attackers prey on the victims' fear, which makes it easy to get them to do exactly what the scam needs. First, they send an email describing the supposed copyright violation.
The message contains a shortened Bitly URL that resolves to an attacker-controlled phishing domain. The threat actors apparently pick their targets carefully: the page the link leads to closely mimics the victim's own account, so the lure looks specific rather than generic.
Here is where the malicious magic happens. Checking the statement "I don't think this post violates copyright and I object" activates the link. If the target then enters their password, the attacker harvests the credentials and gains access to the account.
Once in control of the account, the threat actors' audacity reaches a whole new level. They change the username and password and rename the account to "pharabenfarway" followed by what appears to be the account's follower count.
Finally, the attackers add a note to the profile reading: "this Instagram account is held to be sold back to its owner." They also include a link made up of a shortened WhatsApp domain and a contact number.
Clicking it opens a WhatsApp chat, presumably to negotiate a ransom in exchange for the account.
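The chain above has observable traits on both ends: the lure email (spoofed or look-alike "Instagram" sender, copyright and urgency wording, a Bitly link whose visible text does not match its destination) and the post-compromise profile (a "pharabenfarway" username with a follower count, and a WhatsApp contact link offering the account back). The script below is an added example, not the article's, the researchers' or the attackers' code, and scores constructed sample messages and profiles on those traits. The list of legitimate Instagram sending domains, the set of shortener hosts, and the use of wa.me as the "shortened WhatsApp domain" are assumptions made for the example; the article does not name them.

```python
"""Triage for Instagram copyright-lure phishing and the hijack that follows.
Added example; all sender addresses, links and profiles below are constructed."""
import re
from urllib.parse import urlparse

# Assumption: domains Instagram legitimately sends notification mail from.
LEGIT_SENDER_DOMAINS = {"mail.instagram.com", "instagram.com", "facebookmail.com"}
# Assumption: common shorteners; bit.ly is the one used in the campaign,
# wa.me is WhatsApp's short-link domain used for the ransom contact.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "cutt.ly", "wa.me"}
# Wording that recurs in the copyright-infringement lure.
LURE_PATTERNS = [
    r"copyright", r"infring", r"will be (?:deleted|removed|disabled)",
    r"within \d+ hours?", r"\bobject\b", r"\bappeal\b",
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
HIJACK_NAME_RE = re.compile(r"^pharabenfarway\d*$", re.I)


def sender_domain(from_header: str) -> str:
    m = EMAIL_RE.search(from_header)
    return m.group(1).lower() if m else ""


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_legit_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)


def score_message(from_header: str, body: str) -> dict:
    """Return {'score': int, 'reasons': [...]}; a score of 3 or more merits a manual look."""
    score, reasons = 0, []
    dom = sender_domain(from_header)
    # Sender claims to be Instagram but is not one of its sending domains.
    if not is_legit_domain(dom) and ("instagram" in dom or "instagram" in from_header.lower()):
        score += 2
        reasons.append(f"sender impersonates Instagram from {dom or 'unknown'}")
    hits = [p for p in LURE_PATTERNS if re.search(p, body, re.I)]
    if len(hits) >= 2:
        score += 1
        reasons.append("copyright/urgency lure: " + ", ".join(hits))
    for url in URL_RE.findall(body):
        h = host_of(url)
        if h in SHORTENER_HOSTS:
            score += 2
            reasons.append(f"shortened link {h} hides the real destination")
        elif "instagram" in h and not is_legit_domain(h):
            score += 2
            reasons.append(f"look-alike link host {h}")
    # Displayed URL differs from the href it actually opens.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != host_of(href):
            score += 1
            reasons.append(f"link text shows {host_of(shown.group(0))} but opens {host_of(href)}")
    return {"score": score, "reasons": reasons}


def looks_hijacked(username: str, bio: str) -> bool:
    """Post-compromise indicator: renamed account, or a WhatsApp link offering the account back."""
    wa_link = any(host_of(u) == "wa.me" for u in URL_RE.findall(bio))
    return bool(HIJACK_NAME_RE.match(username)) or (wa_link and "sold back" in bio.lower())


# Constructed samples (not real campaign artefacts).
PHISH_FROM = 'Instagram Support <copyright@instagram-help-center.example>'
PHISH_BODY = ("We received a report of copyright infringement on your post. If you do not "
              "appeal within 24 hours your account will be deleted. "
              '<a href="https://bit.ly/constructed-example">https://www.instagram.com/help/copyright</a>')
PHISH2_FROM = 'Instagram <help@mail-instagram-support.example>'
PHISH2_BODY = 'Your post infringes a copyright. Object here: https://instagram-copyright-form.example/appeal'
LEGIT_FROM = 'Instagram <no-reply@mail.instagram.com>'
LEGIT_BODY = 'someone liked your photo. See it at https://www.instagram.com/p/example/'

if __name__ == "__main__":
    for name, hdr, body in [("phish", PHISH_FROM, PHISH_BODY),
                            ("phish2", PHISH2_FROM, PHISH2_BODY),
                            ("legit", LEGIT_FROM, LEGIT_BODY)]:
        print(name, score_message(hdr, body))
    print(looks_hijacked("pharabenfarway12000", ""))
    print(looks_hijacked("alice", "https://wa.me/000000 this account is held to be sold back to its owner"))
```

The scoring is deliberately additive so that a single weak signal (a shortener in an otherwise legitimate message) does not trip it on its own, while the combination the article describes scores well above the threshold. Resolving the Bitly link to its final domain would be the next step in a real pipeline; it is left out here so the example runs offline.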
Pharabenfarway – Not their First Time
Several research firms have noted that this campaign has been around for some time. The operators rotate through different domains for their malicious activity.
Judging by the domains' creation dates, the campaign probably began in August 2021. Moreover, multiple underground forums reference pharabenfarway and advertise hijacked accounts.
Yes, they are selling them, and not cheaply. According to CTU researchers, forum users advertise such accounts for up to $40,000.
To add insult to injury, the threat actors boast about their work and are not afraid to go public. While analyzing the campaign, CTU researchers were led to the 'pbfy . business' website.
The website belongs to Pharaben and Farway, the threat actors behind this campaign. The image below shows their site and what they say about themselves.
Both phone numbers are visible on the website: one carries a Russian country code and the other appears to be Turkish. Based on their analysis of the campaign, researchers suggest that at least one of the threat actors may be residing in Turkey.
In one incident, the threat actor's communications came from the Turkish-language version of Instagram.
Instagram Cyber Attack – One Click, Devastating Results
Instagram, Twitter, TikTok, and other social media platforms are constant targets for cybercriminals. Users work hard to build a reputation and a large following.
However, as the numbers grow, so does the account's value as a target. Protecting these accounts starts with securing the mobile apps and devices used to reach them, and with never entering a password on a page reached from an unexpected link, however closely it mimics the real site.
Always enable multi-factor authentication as well; it limits who can access your accounts even after a password has been phished, although a phishing page can prompt for the one-time code too, so check the address bar before entering one. As this campaign shows, hijacked accounts damage an organization's brand and reputation, on top of the leverage they give attackers to demand a ransom. Stay safe.