A phishing campaign is targeting celebrity Instagram accounts with phony copyright claims as the lure, and, as you might expect, people are falling for it.
The initial steps of the scam are straightforward: A celebrity receives a notice of copyright infringement via Instagram direct message. The lure works because most people in the entertainment industry are familiar with copyright claims and take them seriously. The message appears to come from an Instagram administrator, who tells the target that the issue can be resolved but that the admin needs the user’s login credentials.
The scheme becomes more sophisticated once the threat actor has the target’s credentials. After logging in, they use Instagram’s API (application programming interface) to change the phone number and email address associated with the account, so that password-reset messages go to the attacker rather than the owner. They also post content to prove they have control. With the recovery email and phone under their control, they reset the account password and lock the owner out.
“They have control of the account’s email and phone number, and they’re clever enough to reset the passwords of these celebrities through Instagram. That’s where the danger comes in,” said Ondrej Krehel, founder and CEO of LIFARS, a cybersecurity firm that assisted one of the victims. “The threat is extortion, especially if they start posting inappropriate content to the accounts.”
The attack can be persistent. Victims who managed to retake control of their accounts were hijacked again, because the attacker-controlled email address and phone number were still linked to the account and could be used to trigger another password reset.
“If the victim tries to contact support to reset their account, Instagram support has two tickets, and there’s a 50/50 chance that Instagram gives control of the account to the wrong person,” said Krehel.
Celebrities are targeted on Instagram because of their high visibility, the monetary value of their influencer status and their celebrity-studded contact lists.
“When you sign into Instagram and you sync your contacts, you’re giving any threat actor potentially a brand new list of people to phish,” Krehel said. “A celebrity is usually connected to other celebrities.”
The phishing campaigns appear to originate from Turkey.
Krehel is critical of Instagram’s relative lack of sign-in security controls, which would ideally challenge or block login attempts from unfamiliar geographic locations.
“They [Instagram] detect it and see that they’re signing on from another country, in this case Turkey, but they don’t do anything about it,” said Krehel. “Instagram doesn’t check. There should be more security in authentication and authorization, especially given that the new login geolocation is visible for the first time to the Instagram account.”
“Other social media platforms recognize the unknown sign-ins and require further verification. If Instagram implemented that, these celebrities would not be hacked,” said Krehel.
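The two controls Krehel describes, a step-up challenge for sign-ins from an unfamiliar country and a hold on recovery-contact changes made from such a session (the change that made the takeover above persistent), modelled in a toy Python account service. This is an added illustration, not Instagram’s code or API: the classes, function names, countries and sample accounts and sessions are constructed for the example.

```python
"""Toy account service showing two controls against the takeover described
above: (1) step-up verification for a sign-in from a country not seen in the
account's verified history, and (2) holding any change to the recovery email
or phone until the OLD contact confirms it. Constructed example; not
Instagram's API or code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Account:
    user: str
    email: str
    phone: str
    # Countries seen in previously verified sign-ins (constructed history).
    known_countries: set = field(default_factory=set)
    # Recovery-contact changes held until the old contact approves them.
    pending_changes: list = field(default_factory=list)


@dataclass
class Session:
    user: str
    country: str
    ip: str
    ts: datetime = field(default_factory=datetime.now)
    verified: bool = False  # True once a step-up challenge has been passed


def evaluate_login(account: Account, session: Session) -> str:
    """Return 'allow' when the sign-in country matches verified history, else
    'step_up' so a second factor is demanded before the session is usable."""
    if session.user != account.user:
        raise ValueError("session does not belong to this account")
    if session.country in account.known_countries:
        session.verified = True
        return "allow"
    return "step_up"


def complete_step_up(account: Account, session: Session, code_ok: bool) -> bool:
    """Called after the user answers a challenge sent to the EXISTING
    email/phone. Only a passed challenge trusts the new country."""
    if code_ok:
        session.verified = True
        account.known_countries.add(session.country)
    return session.verified


def change_recovery_contact(account: Account, session: Session,
                            which: str, new_value: str) -> str:
    """Accept an email/phone change only from a verified session, and even
    then hold it: the old contact is notified and can cancel. This breaks the
    path from a phished password to a permanently hijacked account."""
    if which not in ("email", "phone"):
        raise ValueError("which must be 'email' or 'phone'")
    if not session.verified:
        return "denied: unverified session"
    old_value = getattr(account, which)
    account.pending_changes.append({
        "field": which, "old": old_value, "new": new_value,
        "from_country": session.country,
        "expires": session.ts + timedelta(hours=24),
    })
    return f"held: confirmation sent to old {which} {old_value}"


def confirm_pending(account: Account, index: int, owner_approves: bool) -> str:
    """The old contact approves (change applied) or rejects (change dropped
    and the requesting session's country is distrusted again)."""
    change = account.pending_changes.pop(index)
    if owner_approves:
        setattr(account, change["field"], change["new"])
        return "applied"
    account.known_countries.discard(change["from_country"])
    return "rejected"


if __name__ == "__main__":
    # Constructed scenario: the owner normally signs in from the US; an
    # attacker with the phished password signs in from Turkey.
    acct = Account("celeb", "celeb@example.com", "+15551230000", {"US"})
    attacker = Session("celeb", "TR", "198.51.100.7")
    print(evaluate_login(acct, attacker))
    print(change_recovery_contact(acct, attacker, "email", "x@evil.example"))
```

The point of the design is that the recovery contacts the attacker wants to replace are exactly the channel the step-up code and the change notice go to, so a phished password alone is never enough to move the account to attacker-controlled contacts.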
We reached out to Instagram for comment on this story but did not receive a response.