A travel blogger, with more than 100,000 followers on Instagram, has described how her account was wiped after she refused to hand over hundreds of dollars worth of Bitcoin to an extortionist.
Delaine Maria D’Costa runs the “Of Travels & Tales” blog, where she documents her adventures around the world with her husband Jackson.
The couple say they have visited 127 cities in over 42 countries around the globe, documenting their journeys on their Instagram channel.
With regular updates (by the look of things they are currently in Uruguay) the couple have managed to amass 105,000 followers. Okay, that’s hardly Kylie Jenner’s 118.6 million Instagram fans, but it’s still not to be sniffed at!
And it’s no surprise to learn that sometimes hotels and other lifestyle brands might reach out to Delaine and offer her incentives to talk about them, or include them in the couple’s photos.
Which means that Delaine wouldn’t find it terribly peculiar when at the end of last month she was contacted via email by someone calling themselves “Angelina Reshetnikova”, and claiming to represent an online store called “Vince”:
Hello, I am a representative of the online store @ Vince
Our store would like to present a new collection of clothes, and we would like you to become her face. What do we want from you? It’s simple.
1. What is the cost of an advertising post on your page?
2. Possible discount for a promotional post during the submission of our clothing as a gift?
Here is a link to our new collection, you can choose any dress:
Maybe if you were excited about a free gift, forging a relationship with a new sponsor, or simply skimming half-distracted through your email while holidaying in South America, you might click on the link without thinking too.
Unfortunately, that’s what Delaine did, and she inadvertently entered her Instagram password onto a site designed to look like the real Instagram login page. She had been phished.
After changing the password, username, and phone number associated with Delaine’s Instagram account, the hacker sent her a series of emails via the Tutanota secure messaging service, demanding that a ransom be paid – or her account would be wiped. All that work spent gathering a following of over 100,000 fans would be flushed down the toilet.
Delaine explains that she tried to negotiate with the extortionist for three days, and eventually the ransom demand was reduced from $400 to $200 worth of Bitcoin:
“I also received this mail from him saying that he would delete my account if I didn’t send $400 dollars to his bitcoin account. He did a countdown and 1 hour before my account was supposedly going to get deleted, he said he can bring down the price to $200. That night, I couldn’t sleep (and cried) and Jackson agreed to pay him the following day. We started a conversation with him again where he said money was his concern and he’d release my account in 10 minutes after I paid him. Jackson tried to do the payment (it didn’t go thru, thank goodness). What guarantee was there that we’d get the account back?”
With the payment failing to go through, the account was – sure enough – wiped.
That would be traumatic enough, but what Delaine reports is that her attempts to regain control of the account (and restore her followers and archive of travel photos) was massively frustrated by Instagram’s processes.
“I have been struggling my butt off to report this to Instagram. Their “hack” reporting option on the app is flawed and doesn’t help anyone who has lost complete access to their account. It basically takes you in a loop with no solution. I tried reporting under stuff like sexual abuse, impersonation, etc in the hope that I would catch their IG’s attention. They managed to reply back but everything was negative. Basically my response wasn’t good enough to prove that this was my account.”
Delaine says she struggled for five days to get a helpful response from Instagram. When she called their offices on the telephone she was told that she must contact them via the app, but she felt unable to do that because her “user name, phone number and email ID don’t exist on Instagram any more.”
Eventually, Delaine received an email from Instagram asking her to post a picture of herself carrying a placard with her name on it, the name of her Instagram account, and a code number.
However, Instagram’s demands for further information to verify her identity meant that she was still locked out of her account:
“This went on for 5 days with Instagram asking me which device I used to register my account in freaking 2012. I don’t remember what I did last week, forget about 2012! Again a dead end. I sent various photos of myself to them with a code (looking like a criminal) as instructed by IG, still no use.”
At this point, the story of Delaine’s Instagram account takes a mysterious turn.
What we know is that she managed to regain access to her account, and her travel photos and followers are now back for anyone to see.
What we don’t know is *how* she managed to do this.
Here’s what she writes:
“Finally after 6 days, a saviour (who I’m not in a position to name) was sent to help me. They restored my account late last night. FYI, if you’re not Selena Gomez or a celebrity, or dont know anyone working at Facebook/Instagram don’t expect even 0.1 percent help from Instagram’s Help Centre on the app. If you’ve lost access to your account, its as good as losing your account. Please take extra precautions like installing two factor authentication and be careful of the emails you receive.”
My guess is that Delaine managed to bypass Instagram’s normal (failing) methods to regain control of her account, and instead either managed to contact someone directly at Instagram (or its owner Facebook) or found someone else who was able to put her in touch with the right person.
In my own experience, you can get the attention of a social network if you manage to get the interest of the media, or find someone who will go in via an unorthodox route (such as the company’s PR department) if all else fails.
Of course, it’s an awful lot easier to get the attention of the likes of Instagram if you’ve been hacked and your name is Selena Gomez.
As we discuss in this week’s edition of the “Smashing Security” podcast, enabling two-factor authentication on your Instagram and using a password manager can help prevent your accounts from being phished.
Smashing Security #103: 'An Instagram nightmare, crazy iPhone deaths, and election hack claims'
Listen on Apple Podcasts | Google Podcasts | Pocket Casts | Spotify | Other... | RSS
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.