Kassa: Lots of Instagram celebrities hacked via copyright infringement phishing scam

In February I was contacted by Dutch actress and singer Loes Haverkort, who told me that her Instagram account had been hacked. She asked if I could help her out. Sure, I thought, maybe there was a quick way of helping her. Maybe I could find out who’s behind it, and maybe it would get interesting and I would learn something from it. And yes, it did get very interesting!

During my investigation I found out that lots of high-profile international celebrities were hacked in an automated attack. This attack has been going on for quite some time now. Instagram doesn’t seem capable of stopping it, and doesn’t seem to care much about it.

This research was broadcast on the Dutch TV program Kassa.

How are Instagram accounts hacked? Why would a hacker do this? What’s the business case?

How Loes’ account got hacked

But let’s start at the beginning. The hack of Loes’ account started with the following direct message she received on Instagram:

Loes had a photo shoot a few days before she received this message and added a photo of it to her Instagram account. She thought the photographer was mad about it and that he had reported her account for copyright infringement. She had forgotten to ask permission before sharing the photo on her Insta.

Apparently, if she didn’t react quickly (within 24 hours), her account would get deleted! She has more than 31,500 followers and worked quite hard for it. As a freelancer it’s also her portfolio. She decided to quickly click on the link in the direct message, and to reply to the alleged infringement. An Instagram login screen appeared, which she filled in. Afterwards, nothing happened. Loes replied back via Instagram:

A few minutes after she clicked on the link, someone changed her Instagram password and also configured two-factor authentication. Loes was now completely locked out of her account!

Another Dutch celebrity got hacked by the same hacker

The next day, another Dutch celebrity (who wants to remain anonymous) contacted me. Her Instagram account, with more than 75,000 followers, was also hacked via the same copyright infringement phishing scam. She managed to quickly get her account back, because she knows someone who knows someone who works at Instagram. I performed a quick forensic investigation on her recovered account.

Forensic investigation on hacked Instagram account

When Instagram restores the ownership of a hacked account to the legitimate owner, it only resets the password, removes two-factor authentication (if it’s configured) and restores the e-mail address (if it was changed) to the legitimate owner. Everything else is kept intact. From a forensic perspective this is excellent.

Hack starts with an initial fake account

The phishing message sent to the two Dutch celebrities originated from account copyrightresupport, which impersonates an Instagram Help Team:

Via this fake account, with 75,700 fake followers, automated copyright infringement messages were sent to thousands of other accounts. Each message contained a link to a fake Instagram login screen. If people filled in that form, and didn’t have two-factor authentication enabled, their account would get hacked.

Hacked accounts will try to hack other accounts (like a virus)

If a hacked account is a verified account, there is a good chance that the hackers will use that verified account to continue sending automated copyright infringement messages to other accounts. This happened with the two accounts I investigated:

Example of a hacked verified account.
  1. The hacked account is immediately set to private mode to make the account look more like an official Instagram account. Images are now only shown to registered followers of the account.
  2. The profile picture is changed to an Instagram logo.
  3. The bio of the profile is updated.

The hacked account I investigated sent out 2,018 invites in 51 hours to other accounts with which it wasn’t connected yet. Those messages were exactly the same, and it was the same message as shown in the beginning of this article.

Only the website address (URL) was different. Hackers change the domain name of a phishing website almost every day, as it quickly gets flagged by victims as a phishing website. Browsers and anti-virus products will warn users when they visit a known suspected phishing site.

33 celebrities with an average of 700K followers hacked in 51 hours

From those 2,018 invites, 33 accounts probably got hacked. I wrote a PHP script that filtered out all the 2,018 profiles that were set to private:

The account with the fewest followers has 41,300. That’s even more than Loes’ account! In total these 33 accounts have 22,837,100 followers (!). The average follower count was 692,033. Wow! This scam is targeting high-profile celebrities, and is very successful at it!

After 5.5 weeks, 16 accounts are still compromised

I think it’s very likely these accounts are hacked, as accounts with that many followers are (almost) never set to private. It’s now 5.5 weeks after these accounts were confronted with the copyright infringement phishing scam. The following 16 accounts are still compromised. 15 accounts are set to private and 1 account is deleted:

Hacked account starts following fake accounts

Apart from continuing the copyright infringement scam, the hacked account also starts following obvious fake Instagram accounts, such as ‘lparalyzedxs’ with 47,800 followers and creepy images:

This fake account is followed by the following verified accounts, who were/are all probably hacked:

| Username | Followers |
|---|---|
| elijahoffiziell | 19,700 |
| svenschim | 994 |
| erik.schweickert | 885 |
| kri_luna | 213,000 |
| radio_radicale | 15,800 |
| biologique_recherche | 181,000 |
| dollphacemusic | 81,200 |
| lydialassila | 28,000 |
| powerpaola | 66,200 |
| sewardandrew | 5,383 |
| rick_devens (private) | 35,400 |
| johnsonville | 17,500 |
| ronen_manelis | 576 |
| fersalem | 10,700 |
| rutuja.junnarkar | 151,000 |
| springfreetrampoline_au | 12,800 |
| miquelangel.lr | 14,000 |
| manscatradio | 640 |
| yolandabecooler | 14,200 |
| enriquearceactor | 1,000,000 |
| cocositoverde | 6,939 |
| agirensemble_an (private) | 197 |
| indigotrend.baby.kids.teen | 79,500 |
| o.atilgan | 83,666 |

Example of verified accounts that got hacked and followed a fake account.

Another obvious fake account with almost the same name, lparalyzedsxl, has 291,000 followers and 0 images:

Why would a hacked account start following fake accounts? Probably because this will legitimize the fake accounts. If normal accounts start following fake accounts, those fake accounts don’t look that fake anymore to Instagram’s fake account detection algorithms!

Hacked account gets new followers from fake and other hacked accounts

I observed that the hacked accounts get new followers from fake accounts, but more interesting: the hacked account starts getting new followers from other hacked accounts as well, such as:

It looks like the actor behind this massive hack is building up a network of high-profile hacked accounts, and intertwining those with fake accounts. Some of those hacked accounts will after some time be returned to the original owner by Instagram, so the ultimate goal seems to be to strengthen the fake accounts so they won’t get deleted that easily by Instagram.

Hacked account starts replying to other people’s posts

Loes’ and other hacked verified accounts all commented the same message on a post from fake account lparalyzedxs:

Hacked accounts start saving posts from other influencers

The hacked account had saved (sort of like/favorite functionality) the following posts:

| URL | Username | Amount of followers |
|---|---|---|
| instagram.com/p/CK3VIlMrRy4 | misterr_alex | 240,000 |
| instagram.com/p/CK4UXKeg2Be | chernyak_yevgeny | 607,000 |
| instagram.com/p/CK30m1SF56_ | doyanbaking | 835,000 |
| instagram.com/p/CK1QLqTliic | emmykosgei | 446,000 |
| instagram.com/p/CK3QCwhgkcp | prophetesmonicah | 70,600 |

My hypothesis is that these 5 influencers have paid a (unethical/criminal) social marketing company to artificially boost their popularity on Instagram. I don’t think these 5 influencers know that the company they probably hired is using hacked accounts for this purpose.

2,792 domain names were used for this scam

After a couple of days, a domain name that is used in a large-scale automated phishing attack will get flagged as a phishing website. It won’t work (as successfully) anymore, and thus crooks have to register a new domain name to continue their attacks. It is also much harder to perform a forensic investigation into who’s behind a phishing site if the domain name is only used for a very short time.

I started looking in lists of reported phishing sites for domain names that were used in Instagram copyright infringement scams. To filter out all the related domain names, I created another PHP script. The result was that I found 2,792 domain names. That’s really a lot! This is quite some operation going on.

Via some additional tools (such as an HTTP proxy and crawler), I’ve confirmed that all those 2,792 phishing sites are offline now. As already said, the lifetime of a phishing site is very short.

Which domain name extensions are used a lot in phishing scams

I’ve made an overview of which domain name extensions (TLDs) were used in the 2,792 reported phishing sites:

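| TLD | Count |
|---|---|
| .ml | 822 |
| .com | 756 |
| .cf | 509 |
| .tk | 297 |
| .ga | 155 |
| .gq | 124 |
| .xyz | 28 |
| .org | 28 |
| .net | 26 |
| .online | 14 |
| .info | 6 |
| .site | 6 |
| .support | 5 |
| (other) | 16 |

All TLDs with more than 4 phishing domains linked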

It’s not expensive for a criminal to change the domain name every day. Some domain names are free to register, such as those ending in: .tk / .ml / .ga / .cf / .gq
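A feed triage of the kind described above, as an added example in Python (it is not the author's PHP script, which the article does not show). The keyword lists and the sample feed are constructed assumptions; only the five free TLDs come from the article.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: illustrative keyword lists, not the author's actual filter.
BRAND_WORDS = ("instagram", "insta")
LURE_WORDS = ("copyright", "infringement", "appeal", "violation", "helpcenter")
FREE_TLDS = {".tk", ".ml", ".ga", ".cf", ".gq"}  # free TLDs named in the article

def _split(url):
    # Feed entries are often reported without a scheme.
    return urlsplit(url if "://" in url else "http://" + url)

def hostname(url):
    return (_split(url).hostname or "").rstrip(".")

def is_copyright_lure(url):
    """True when host+path name the brand and a copyright-style lure word."""
    host = hostname(url)
    if host == "instagram.com" or host.endswith(".instagram.com"):
        return False  # the genuine site is never a candidate
    text = (host + _split(url).path).lower()
    return (any(w in text for w in BRAND_WORDS)
            and any(w in text for w in LURE_WORDS))

def triage(feed):
    """Deduplicate matching hosts, count them per TLD, total the free TLDs."""
    hosts = sorted({hostname(u) for u in feed if is_copyright_lure(u)})
    tlds = Counter("." + h.rsplit(".", 1)[-1] for h in hosts)
    free = sum(n for tld, n in tlds.items() if tld in FREE_TLDS)
    return hosts, tlds, free

# Constructed sample feed (placeholder hosts, not real reports).
SAMPLE_FEED = [
    "http://instagram-copyright-example1.ml/login",
    "HTTP://Instagram-Copyright-Example1.ML/appeal?id=1",  # same host again
    "https://example2-instagramcopyright.tk/",
    "helpcenter-insta-example3.com/form",                  # no scheme
    "https://instagram.com.copyright-example5.cf/",        # brand as subdomain
    "https://paypal-secure-example4.ga/signin",            # other brand
    "https://help.instagram.com/copyright",                # genuine site
]

if __name__ == "__main__":
    hosts, tlds, free = triage(SAMPLE_FEED)
    for tld, n in tlds.most_common():
        print(f"{tld:8}{n}")
    print(f"{free} of {len(hosts)} hosts use a free TLD")
```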

How much is already known about this scam?

It appears that the first reports from journalists about this scam date from June 18, 2020. These are mostly articles about a single celebrity that got hacked. Not a lot is written about the scam, and I couldn’t find any in-depth technical information about it. That motivated me to write this article, for other security researchers and victims that want to know what’s going on.

For reference, these are the articles I’ve found:

| Date | Site | Title |
|---|---|---|
| 2021-01-19 | lexology.com | INSTA- FRAUD Instagram ‘Copyright Infringement’ |
| 2021-01-06 | indianexpress.com | Explained: The Instagram ‘copyright infringement’ scam many have fallen prey to |
| 2020-12-20 | informationng.com | D’Banj’s Instagram Account Hacked |
| 2020-12-20 | mynigeria.com | D’Banj’s Instagram account hacked |
| 2020-12-20 | gistmatters.com | D’Banj’s Instagram Account Hacked |
| 2020-12-17 | jazminemedia.com | Jo Byeong Gyus personal Instagram account hacked |
| 2020-12-17 | juduo.cc | Taarak Mehta Ka Ooltah Chashmah’s Jennifer Mistry Bansiwal’s Instagram Account Hacked |
| 2020-12-08 | republicworld.com | Taarak Mehta Ka Ooltah Chashmah’s Jennifer Mistry Bansiwal’s Instagram Account Hacked |
| 2020-06-29 | petapixel.com | This Instagram Copyright Infringement Notice is a Phishing Scam |
| 2020-06-29 | fstoppers.com | Watch Out: Instagram Hackers Are Using Fake Copyright Notices to Trick People into Giving up Their Account Details |
| 2020-06-18 | which.co.uk | Scam alert: Instagram ‘copyright violation’ message |
| unknown | kashishworld.com | Beware of Instagram’s New Copyright Phishing Scam! |
| unknown | alvareztg.com | Instagram Users: Fake Copyright Infringement Notices |
| unknown | leonparenzo.com | Jo Byeong Gyu’s Personal Instagram Account Hacked |

Did Loes get back her account?

Loes tried multiple times to contact Instagram via the formal procedure to get her hacked account back, but unfortunately (and as expected) couldn’t get any contact with Instagram. Together with Dutch TV program Kassa, we created an item about the case to raise awareness about this phishing scam. After Kassa contacted an Instagram spokesperson for a statement, Loes got her account back very quickly. That’s very good news for Loes!

When she got back her account, I also performed a forensic investigation on her recovered account and saw that the same modus operandi was utilized as already written in this article.

How can you protect yourself against this scam?

  1. Always check the domain name of a link before you click on it, and before you fill in a password on a website.
  2. Enable two-factor authentication for all your important online accounts, such as your e-mail and social media accounts.
  3. Use a password manager, and configure unique passwords for each website.
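What the domain check in step 1 amounts to when done mechanically, as an added Python example (not code from the article). It is the same exact-host comparison a password manager makes before offering to fill in a saved login. The trusted domain constant and all sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only domain on which an Instagram password should be typed.
TRUSTED_DOMAIN = "instagram.com"

def check_login_link(url):
    """Return 'trusted' or a 'reject: ...' reason for a link from a message."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "reject: malformed URL"
    if parts.scheme != "https":
        return "reject: not an https link"
    if parts.username is not None or parts.password is not None:
        # "https://instagram.com@other.host/" really goes to other.host
        return "reject: text before '@' is not the host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "reject: internationalised look-alike host"
    # Exact match or a true subdomain; "notinstagram.com" must not pass.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    return "reject: host is " + host + ", not " + TRUSTED_DOMAIN

# Constructed sample links (placeholders, not real phishing sites).
SAMPLES = [
    "https://www.instagram.com/accounts/login/",
    "https://instagram.com.copyright-example.ml/login",
    "https://instagram.com@copyright-example.tk/",
    "https://notinstagram.com/",
    "http://instagram.com/",
    "https://inst\u0430gram.com/accounts/login/",  # Cyrillic 'a' in the host
]

def review(links=SAMPLES):
    return {link: check_login_link(link) for link in links}

if __name__ == "__main__":
    for link, verdict in review().items():
        print(f"{verdict:62} {link}")
```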

For more advice to protect yourself against hackers, check the website WatchYourHack.com.

Sites that link to this article:

  1. BNNVARA.nl: ‘Hoe voorkom je dat jouw Instagram-account wordt gehackt?’
  2. Security.nl: ‘Populaire Instagram-accounts doelwit van ‘copyright’ phishingaanval’

About Sijmen Ruwhof

Independent IT Security Researcher / Ethical Hacker