Instagram’s memorialize feature abused to memorialize…Instagram’s boss

2021-11-15T12:16:11
ID MALWAREBYTES:0513375B3174A60AB4D989223CB87AE4
Type malwarebytes
Reporter Christopher Boyd
Modified 2021-11-15T12:16:11

Description

The mechanisms for memorialising the social network accounts of people who’ve died haven’t really suffered a lot of scrutiny up until now. I’ve done a fair amount of research on the processes and perils we face in the digitally deceased age.

Traditionally, the biggest issues in this space tended to be surprise returns from the beyond. When someone is definitely dead but their accounts spring back into action, it can be incredibly disturbing for their loved ones.

This happens by accident, or deliberately. Sometimes a relative with access to the account of the departed starts tweeting, or accidentally posts a message. Other times, the account is compromised and used to spam, or just troll.

A combination of weak security and the possibility of continued access to an account allows for this to happen.

What you may not be expecting, is for the process to happen in reverse.

When reports of your demise are rather premature…

What if you’re able to convince a platform that someone who is alive and well has actually passed on?

This issue has faced multiple individuals over the past month, but the tale has an additional twist: In this specific case, we don’t have a regular social media user finding out a random platform thinks they’ve died. We have the head of Instagram locked out of their own Instagram account, because somebody exploited its memorialisation feature.

Well, I promised you a twist.

What is Instagram’s memorialization feature?

Instagram's memorialization feature is a way to preserve the digital legacy of a user for friends and family. As per Instagram's FAQ page:

Memorialized accounts are a place to remember someone’s life after they’ve passed away. Memorialized accounts on Instagram have the following key features:

  • No one can log into a memorialized account.
  • The word Remembering will be shown next to the person’s name on their profile.
  • Posts the deceased person shared, including photos and videos, stay on Instagram and are visible to the audience they were shared with.
  • Memorialized accounts don’t appear in certain places on Instagram, like Explore.

Once memorialized, no one will be able to make changes to any of the account's existing posts or information. This means no changes to the following:

  • Photos or videos added by the person to their profile.
  • Comments on posts shared by the person to their profile.
  • Privacy settings of their profile.
  • The current profile photo, followers or people the person follows.

This is one of the more strict, locked down approaches I’ve seen in this realm. Some sites allow people to continue posting, or make updates. This is particularly the case if the deceased is a known public figure, or the spokesperson for a person, charity or other organisation. In those cases, a close relative may be allowed to continue posting. That isn’t the case here, and the account is indeed memorialised in every sense of the word.

Checks and balances

Instagram doesn’t mention what checks it makes to ensure nothing suspicious takes place, but it does say it has fewer people available to review memorialization reports due to COVID. It’s possible this also impacted what happened next.

Fake memorial pages aren’t a new phenomenon. Convincing someone at an organisation that their reasonably public-facing boss is dead, feels a bit fresher.

This is the situation Adam Mosseri found himself in after a scammer convinced Instagram support that Mosseri was dead. All it took was a fake memorial, easily thrown together online or via the DIY route. As Instagram requires a death certificate or an obituary/news article, the latter was all it took to ease the scam through in September of this year.

The reports on this don't say how long he was locked out for, except that it was resolved "quickly".

For unverified, regular users, the person behind these tactics doesn’t even need to whip up a fake notice. They simply grab a recent genuine online obituary of somebody with the same name. As long as the obituary is from the same week as the bogus memorialization request, “98%” of the time it goes through within one to two days.

Paying the piper

This tactic does of course involve money, with “most requests” coming from paying customers. We don't know if this particular incident was a paid request or just a way to make the tactic more visible. Getting people banned from services is another trick which was popular back in the days of Myspace, and it remains so to this day.

Discovering a contact online has died is a profound shock. If someone manages to switch an account to some form of memorial page, the impact is immediate for both people who see it and the person themselves.

Tightening up the process?

It’s possible services may have to become a little more strict about the evidence required for memorializing accounts. Perhaps more pieces of evidence, or genuine links online which corroborate the request. Of course, asking for specific services as proof only will likely exclude many people. What if those services are only available in certain regions? How about the cost…will folks be priced out in this new digital world of verified death?

It remains to be seen, but this story is a good reminder that scammers will target absolutely anything they can to get the job done. It’s up to the services we use to find new ways to be ever more vigilant and keep our digital identities ticking over for the time being.

The post Instagram's memorialize feature abused to memorialize…Instagram's boss appeared first on Malwarebytes Labs.