When someone finds their social media account compromised, they first think about letting their followers know. And they do. They warn others against reading any strange posts, usually containing a rogue link, before they sort out the matter behind the scenes.
Some curious followers who missed these posts backtrack the feed—only to find that nothing appears out of place. So where are they?
Clever attackers are using platform functionality to appear invisible. This way, the chances of catching them are small. Apart from the victims themselves, nobody may realize that something dubious was in full view of everybody in the first place.
Here’s a hijacked Instagram page.
Well, you know what they say about cakes…
Despite warnings by the account owner to avoid being ripped off by whoever took over their account, the page looks absolutely, positively normal.
Warning from the panic-stricken account owner posted on Facebook. But there doesn't seem to be cause for panic.
Instagram page is still hacked!! This is not me ..... I do not have a spare £150 to give to 5 winners unfortunately........ If you reply you will be messaging some {redacted}. please just report the account if you can and you're on my instagram page. Instagram are sorting it although very slowly!!!
There are no odd links in the Bio; the photographs are untouched; the user name hasn’t been changed to anything peculiar. The page itself is acting as it should.
So what is the problem here?
Instagram has a feature called Stories, first introduced in 2016. It's a quick and easy way to upload zinger-style posts, short clips, or anything else that's supposed to be a passing thought. Stories only last for 24 hours and then self-delete.
A Story is designed to be evanescent—don't log on to Instagram for 24 hours and you'll miss it entirely.
As a result, people with bad intentions often hide their bogus postings in the Stories section instead of putting them directly onto the Instagram grid. This has a couple of advantages for the account hijacker:
Let’s go back to the Instagram page we were looking at previously.
Ignore the well-done cakes, and instead, let’s click the profile's Stories.
The scam hidden in plain sight
Everyone is getting this wrong... an ex policeman...lost his house, his car, and his girlfriend, what did he lose first???!! The winner get £150. Need just 5 winners.
This post is only visible for a few seconds, sandwiched between other Story images on the user's "roll." I do love a good riddle and decided to try my luck.
“Send your PayPal or bank details,” they say.
At this point, we dropped communications and reported the account.
Sending this person your PayPal or phone number will undoubtedly not be the end of it. If your email address isn't secure, they could try to compromise it and gain control of associated accounts. They could send you funds that may be stolen or try to tie you up in money mule scams.
Handing a stranger your bank details could land you in a similar situation. There's always the risk of follow-up questions aimed at revealing more than you bargained for. Enough information provided could result in bogus direct debits. This also doesn’t exclude the possibility of them asking for credit card information at some point.
Next time you see a friend or stranger mention that their Instagram page has been hijacked, you’ll know exactly where to look if you can't readily see the evidence.
Stay safe out there!
The post Warning! Instagram Stories hides a scam in plain sight appeared first on Malwarebytes Labs.