The activity continues as of this publication.
Organisations typically focus on traditional enterprise cybersecurity threats. However, some threats are more subtle, targeting organisations on unexpected platforms. In October 2021, Secureworks Counter Threat Unit (CTU) researchers identified a phishing campaign that hijacks corporate Instagram accounts, as well as accounts of individual influencers who have many followers. The threat actors then extort ransom payments from the victims. The activity continues as of this publication.
Baiting the hook
The phishing campaign begins with a message that purportedly originates from Instagram and alerts the victim to a potential copyright infringement issue. The “Appeal As ” link in the message is a shortened Bitly URL that resolves to an attacker-controlled phishing domain. The phishing site is customised to mimic the victim’s Instagram account.
Reeling the phish
When the victim checks the box indicating their objection, the “Go to Appeal Form” link becomes active. This link leads to a login screen that prompts for the victim’s password. If the victim provides their password, the threat actors harvest the credentials and gain access to the account.
Releasing the catch…for a price
After gaining control of the Instagram account, the threat actors change the password and username. The modified username is a variation of “pharabenfarway” followed by a number that appears to be the number of followers for the hijacked account.
The threat actors add a comment to the profile that “this Instagram account is held to be sold back to its owner.” The comment includes a link composed of a shortened WhatsApp domain and a contact number. Clicking the link opens a WhatsApp chat conversation prompt with the threat actors. The threat actors also contact the victim via text message at the phone number listed on the account and start negotiating a ransom in exchange for access to the account.
CTU™ researchers identified numerous Instagram accounts compromised by pharabenfarway, indicating this campaign is widespread. CTU analysis revealed a large list of domains used in the campaign. Based on the domain creation dates, the campaign likely started in August 2021. A September underground forum post references pharabenfarway and advertises hijacked Instagram accounts for up to $US40,000.
Identifying the “phisherman”
Analysis of one of the IP addresses that hosts several of the phishing domains led CTU researchers to the ‘pbfy. business’ website. This website appears to belong to Pharaben and Farway, the threat actors likely operating this campaign. The threat actors self-identify as “advanced experts in social media and hacking” and provide their Instagram handles along with WhatsApp contact numbers. Pharaben’s contact number uses a Russian country code, and Farway’s uses a Turkish country code.
In addition to the Turkish country code, other aspects of this campaign also suggest that at least one of the threat actors could be in Turkey. In one incident, threat actor communications originated from a Turkish-language version of Instagram. Additionally, the page source of one of the phishing websites references the Turkish hizliresim.com file-sharing service. The infrastructure associated with this campaign is based in Turkey and other countries.
Organisations should include social media accounts for the company and high-profile staff members in their risk assessment models. Mobile apps are a common attack vector. Use of multi-factor authentication can limit unauthorised access. While social media account takeover may seem insignificant, threat actors could access email accounts or other corporate resources if passwords were reused. Additionally, threat actors could abuse hijacked accounts to damage the organisation’s brand as further leverage to obtain a ransom payment.
