Instagram is one of the most widely used social media platforms, and hackers are always looking for a way in. The latest trick is a targeted attack on verified accounts. The hackers send a message claiming that an image on the user’s account violates copyright. The message includes a link to a form for disputing the claim and says the user must take action within 24 hours.
Actress Aparna Gopinath fell prey to such an attack recently. The user who messaged her had no followers, no following and no posts and wasn’t a verified account.
“I’m not very tech savvy so when I got the message I panicked and clicked the link,” she says. She filled in her email id and phone number once she received the message. “In six hours they had hacked my account and changed the phone number and email id associated with it and I was locked out of it,” she recounts. Her main worry was how it would affect her almost 70,000 followers. “I mailed Instagram and Facebook with the details of what happened. They responded in an hour saying they had to verify the details. It took them almost two days to get the account back,” she says.
By the time she got it back, all her posts were deleted, everyone she followed was unfollowed and the account name was changed to instagram support. “Once I got it back I saw that they had sent the same copyright message I received to over a thousand other people,” she says.
Independent security researcher Karan Saini says that verified accounts have a higher status than other accounts. “Cyber criminals go after these accounts for an array of reasons; one is the legitimacy that comes with it. They can continue with the copyright claim scam with even more credibility once they have access to a verified account. People tend to take a message from a verified account more seriously as they deem it more credible,” he explains.
He says that these accounts are also sold for their following and the blue tick. “Such marketplaces have existed for a while, and have gotten increasingly popular with Instagram’s adoption,” he says.
How to know if a message is fake
No official communication from Instagram will be sent to you via direct messages, says Karan. You may get a mail from an id that ends in instagram.com or facebook.com or a notification in your notification tab.
“A phishing message will ask you for your username, password and contact details. The URL will appear to be something that’ll imitate an Instagram or Facebook property,” he explains. Look out for bad grammar and exclamation marks.
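The checks described above can be made mechanical. The following is an added example, not code from the article or from Instagram; the function names and all sample addresses and links are constructed for illustration. It shows why "ends in instagram.com" has to mean the whole domain or a subdomain of it, since a plain text comparison also accepts lookalike names.

```python
from urllib.parse import urlsplit

# Domains the article names as sources of official mail.
OFFICIAL_DOMAINS = ("instagram.com", "facebook.com")

def is_official_host(host):
    """Exact domain or a true subdomain; a lookalike suffix does not count."""
    host = host.strip().rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def naive_check(text):
    """The tempting plain-text test ('ends in instagram.com'); easily fooled."""
    return text.strip().lower().endswith(OFFICIAL_DOMAINS)

def sender_is_official(address):
    """Check the domain after the last '@' of a sender address."""
    local, sep, domain = address.rpartition("@")
    return bool(local and sep) and is_official_host(domain)

def link_is_official(url):
    """Check the host a link really points to, not how the link looks."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""  # drops any 'user@' prefix and the port
    except ValueError:
        return False
    return parts.scheme == "https" and is_official_host(host)

# Constructed samples: official-looking items next to typical imitations.
SAMPLES = [
    ("sender", "security@mail.instagram.com"),
    ("sender", "support@security-instagram.com"),
    ("link", "https://help.instagram.com/"),
    ("link", "https://instagram.com.copyright-appeal.example/form"),
    ("link", "https://help.instagram.com@copyright-appeal.example/form"),
]

def review(samples):
    """Return (value, verdict) pairs for a list of (kind, value) samples."""
    checks = {"sender": sender_is_official, "link": link_is_official}
    return [(v, "official domain" if checks[k](v) else "imitation")
            for k, v in samples]

if __name__ == "__main__":
    for value, verdict in review(SAMPLES):
        print(f"{verdict:16} {value}")
```

A matching sender domain is necessary but not sufficient, because the visible sender address of an email can be forged; the link check matters more when a message asks for login or contact details.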
Aparna was advised to set up two-factor authentication to prevent future hacking attempts.
Money making scam
Verified accounts can sell for anywhere between 200 dollars and 15,000 dollars. “They can go for an even higher amount depending on the number of followers but if there is a high follower count, it’s more likely that the account will be recovered so hackers/cyber criminals may sell shoutouts/promotional posts from the account for the duration it is compromised,” he explains.
Why are non-verified accounts hacked?
Non-verified accounts are much harder to retrieve, says independent security researcher Karan Saini. “Depending on the number of followers, kind of account and the kind of engagement it gets it can sell for upwards of 50 dollars,” he says.
He explains that individuals operating pages about cars may buy a few car-related accounts and use them to create a following and promote sponsored content.