Attackers are leveraging hacked Instagram accounts to tantalize unsuspecting users with adult dating spam.
Satnam Narang, a senior security response manager at Symantec, notes that for most of the hacked accounts he and his fellow researchers have come across, the compromise is all-encompassing. That means attackers modify the hacked accounts’ username, write a different bio, and upload new pictures of a sexually suggestive nature, in addition to making other modifications.
For some reason, a few of the hacked accounts don’t try as hard to close the deal. Those spammers don’t change the username or upload any new pictures.
Whether born of indolence or inventiveness, that tactic is surely enough to ruin the romance along with someone’s reputation on the social networking site.
That’s not even the strangest part. In either case, the fraudsters never delete any pictures uploaded by the original account owners. Kinky? I think not.
Each hacked profile flirtatiously instructs users to click on a link. Doing so brings them to a website controlled by the attackers, where the scams reach their climax.
Narang explains what happens next:
“This site contain[ed] a survey suggesting that a woman has nude photos to share and that the user will be directed to a site that offers ‘quick sex’ rather than dating. Interestingly, this page only appears on mobile browsers. If the user tries to visit the URLs on a desktop computer or laptop, they are sent to a random Facebook user’s profile.
Once a user completes this survey, they are redirected to an adult dating website that contains an affiliate identification number. For each user that signs up to the site through this link, the affiliate, or in this case the scammers, will earn money.”
For each breached account, the attackers change the associated passwords. That’s no surprise; the scammers probably leveraged weak credentials combined with password reuse attacks to gain access in the first place.
Password reuse attacks have been on the rise in 2016. Over the past few months, Carbonite, Pandora, and GoToMyPC are just a handful of the sites which have instituted password resets after hackers targeted their users with password reuse attacks.
To protect against these types of campaigns, users should implement a strong password and two-step verification (2SV) across all of their web accounts. Those measures will help users defend their accounts against spammers, as will a refusal to click on suspicious adult dating links.