Instagram continues to increase in popularity and unfortunately cyber criminals have caught on. A recent Instagram attack has highlighted an important phenomenon—the blending of social media and email attacks. The attack, which netted cyber criminals tens of thousands of euros, spotlights that email and social media channels often share a criminal connection. Sharing threat intelligence between these two channels will be vital to combatting future cyber attacks.
What happened
It appears that two Dutch hackers sent email phishing lures to individuals with large Instagram followings (e.g. rappers and celebrities) to steal their Instagram account credentials. The fake emails appeared to originate from Instagram itself and asked potential victims to login to a bogus Instagram destination. This initial phish worked to the tune of more than 100 Instagram accounts. The hacker then used those stolen credentials to take over accounts and approach brands with offers to promote their products on Instagram for a fee (by wearing their clothing, etc.). The attackers managed to siphon tens of thousands of euros from brands that fell for the con.
Why is it important?
At Proofpoint, we see threat actors using spoofed or hacked email accounts to impersonate high profile individuals all the time. We see similar impersonation tactics used in the social media world with fraudulent and hacked social accounts. The recent Instagram incident in Europe is interesting because it incorporates a creative combination of both email and social impersonation.
The attacker first impersonated Instagram via email to steal account credentials. With account credentials in hand, they assumed the account owner’s identity to con their target brands. Just as consumers around the world blend email and social media in our everyday lives, attackers are learning to do the same. Social media attacks are mirroring email attack techniques that have been successful for years.
This Instagram attack also highlights the increasing value of stolen social account credentials. The black market makes it possible to buy stolen social account credentials at prices comparable or greater than credit card data. Rather than buy mainstream credentials, the Dutch hackers devised their own phishing scheme targeting high profile and therefore high value accounts.
So why are attackers targeting social accounts?
Hacking into a popular brand or famous individual’s social media account delivers trusted access to hundreds of thousands, or in many cases, millions of consumers. This puts bad guys in position to assume the identity of the brand to carry out a wide range of scams or distribute malware across massive audiences. By comparison, gaining control of an individual email account delivers trusted access to that individual’s personal contacts.
It is critical for security teams and individuals to understand that familiar email attack schemes have moved into social media. Most people are cautious of offers, links and attachments in email. That same caution needs to apply to social media. The lines between social, email, mobile and other communications channels are decreasing—and cyber criminals are using the same techniques. At Proofpoint, we share threat intelligence between social media, email and mobile to inform our security measures. The more information we share; the better protected our customers become.