When someone finds their social media account compromised, they first think about letting their followers know. And they do. They warn others from reading any strange posts, usually containing a rogue link, before they sort out the matter behind the scenes.
Some curious followers who missed these posts backtrack the feed—only to find that nothing appears out of place. So where are they?
Clever attackers are using platform functionality to appear invisible. This way, the chances of catching them are small. Apart from the victims themselves, nobody may realize that something dubious was in full view of everybody in the first place.
You don’t see it…
Here’s a hijacked Instagram page.
Despite warnings by the account owner to avoid being ripped off by whoever took over their account, the page looks absolutely, positively normal.
Instagram page is still hacked!! This is not me ..... I do not have a spare £150 to give to 5 winners unfortunately........ If you reply you will be messaging some {redacted}. please just report the account if you can and you're on my instagram page. Instagram are sorting it although very slowly!!!
There are no odd links in the Bio; the photographs are untouched; the user name hasn’t been changed to anything peculiar. The page itself is acting as it should.
So what is the problem here?
…and then you do
Instagram has a feature called Stories, first introduced in 2016. It’s a quick and easy way to upload zinger-style posts, short clips, or anything else that’s supposed to be a passing thought. Stories only last for 24 hours and then self-delete.
A Story is designed to be evanescent—don’t log on to Instagram for 24 hours and you’ll miss it entirely.
As a result, people with bad intentions often hide their bogus postings in the Stories section instead of putting them directly onto the Instagram grid. This has a couple of advantages for the account hijacker:
- The self-delete feature is the perfect way for scammers to hide their tracks. Why clean up the mess when the platform does it for you after 24 hours? The only evidence left behind is direct messages or communication away from the platform.
- Account hijackers lure people into taking action. It might be blackmail, a promise of wealth, or a veiled malware download. Regardless, having these posts somewhat hidden away makes it feel more exclusive. If the offer sounds too good, they can argue that the take-up isn’t as significant as a victim may expect because only the lucky chosen few have spotted it.
Clouds in my coffee (in my cake, too)
Let’s go back to the Instagram page we were looking at previously.
Ignore the well-done cakes, and instead, let’s click the profile’s Stories.
Everyone is getting this wrong... an ex policeman...lost his house, his car, and his girlfriend, what did he lose first???!! The winner get £150. Need just 5 winners.
This post is only visible for a few seconds, sandwiched between other Story images on the user’s “roll.” I do love a good riddle and decided to try my luck.
At this point, we dropped communications and reported the account.
Don’t fall for sleights of hand or risk losing money
Sending this person your PayPal or phone number will undoubtedly not end there. If your email address isn’t secure, they could try and compromise and gain control of associated accounts. They could send you funds that may be stolen or try to tie you up in money mule scams.
Handing a stranger your bank details could land you in a similar situation. There’s always the risk of follow-up questions aimed at revealing more than you bargained for. Enough information provided could result in bogus direct debits. This also doesn’t exclude the possibility of them asking for credit card information at some point.
Next time you see a friend or stranger mention that their Instagram page has been hijacked, you’ll know exactly where to look if you can’t readily see the evidence.
Stay safe out there!
The post Warning! Instagram Stories hides a scam in plain sight appeared first on Malwarebytes Labs.