Nowadays more and more part of our lives have moved online. This is changing in many ways how society interacts and operates on a daily basis.
This also represent a broader area of attack for malicious actors who try to take advantage and exploit everything they can for personal reasons. Attack techniques can come in many forms, have different impact and goals.
Today article will be about a scam I have seen taking place on Instagram last weekend. The technique is not something extraordinary, but it was good enough to get me out of the comfort zone and try something new, like writing cyber security posts in my spare time to increase people awareness, more about this here: https://coffeesploit.medium.com/why-2d24b8cd97e8
It all started on Friday while I was attending CactusCon, I made a few new connections to the event and a couple of new follow requests on Instagram didn’t seem out of the ordinary, even if two of the new followers I have not met them at convention. I have quickly screened the profiles to check if the accounts are bots or not. But the presence of several posts, and oldest dating from 2017, proved some legitimacy in my eyes.
Bait is ready
The next day when I checked my feed, surprise, the new unknown characters had 2 identical stories in which they presented the opening of a new business and that in exchange of a prompt answer on a visual test, first “Y” of users who reply the right answer, an amount “X” of money will be offered as reward. That’s when I decided to put on my vigilante cape and see if I could hack back the hacker or at least gather enough evidence to be able to report the account for scamming purposes.
This type of social engineering attack exploits multiple weaknesses. First of all, it targets the category of people who are in desperate need of money and who are likely to be more easily fooled by such techniques, due to the stress caused by lack of money. Followed by the sense of urgency, which is generated by the fact that this opportunity can be missed if you are not among the first “Y” users to respond back. To which if you add a small challenge that seems to not be easily passed by everyone, all the elements combined make the post a decent bait.
And the game begins…
I have replied back with the expected answer and it did not take long and for the attacker was prompt congratulating me and asking for my CashApp tag. Nothing weird so far, the tag alone is not enough to compromise user CashApp account. To login into CashApp you need to introduce your phone number or email address as user id, and a security code received via phone or email (based on user preferences) as a password.
“Send me your mobile number”
After sending cashApp tag the impatient scammer ask for my mobile number, to get my verified for the giveaway. This is should be a big enough warning sign for anyone to leave the conversation and block the account. In my scenario because I wanted to dance a little bit longer, I have used https://randommer.io/Phone, to generate a fake phone number and played along the script.
The fake number did not raise any concerns and the next stage of the scheme begins. The bad actor provides a “giveaway email address” and ask me to replace the email address responsible for password reset or account recovery with this one, as the next step required for “giveaway verification process”. Changing the email field value with Giveawayv469@gmail.com, is like offering my keys to my Instragram account. If the scammer requests a password reset, the password recovery link will be sent to Giveawayv469@gmail.com and guess who is managing that gmail address…
If you only use Instagram on mobile devices, there is no way to update the shown email address in profile settings without really changing it…
Should we stop here then?
No way!!! Full disclaimer, whenever you want to play vigilante and hack back a hacker, you should always take some safety measures before:
- use a virtual machine
- use a virtual private network
These are the bare minimum actions you could perform to cover your tracks to a certain degree.
After launching my ParrotOS virtual machine and turning on the NordVPN I have logged into Instagram via web browser. At this point, my target is to get the hacker relaxed and bait him into revealing enough information to track him down or at least enough evidence for a scam report. I used my special hacker super power called “Inspect Element” and changed the appearance of my profile settings to look like I bit the bait ( phone number was also updated with the fake one provided).
The moment of truth
Photo of the updated profile was sent and conversation continued. The scammer kindly let me know that the verification process is ongoing and after several minutes asked me if I have received my promised payment. Indeed, I have got something, just an alert in Gmail inbox that someone tried to reset my Instagram password…
I have gathered enough information so far to file in a report to block this account,but my next objective is to lure the attacker to provide more data about him. I have played dumb and replied back to him that I have received a link from CashApp and asked him if this link was regarding the payment..
Grabify IP Logger
Grabify is a special tool that you can use to generate special tracking URLs. You can insert any URL there ( I have used the https://www.instagram.com) and two new links will be created. First link represent the one you want to share with the attacker to click for gathering additional information and the second link is for you to track all the users who clicked the link with the data collected from them. Collecting the IP (scenario when attacker is not covering his tracks) you are pretty much able to locate the attacker position and if he is not connected to a public network, you can also track his hideout and later his identity.
Unfortunately, besides the Facebook bots, no one else accessed the link. I guess he realized that I have not changed my email address with the one provided, because his password reset attempt did not work as planned. Below you can see how the tracking page of the crafted URL looks and the data you could possible get from someone who access the link.
Most probably the original owners of the accounts who sent me following requests were compromised by a similar scam. Changing their password recovery email addresses with the ones sent by the bad actor, the girls unwilling gave up on the ownership of the accounts.
Having enough proofs collected , I have visited the Instagram page what provides guidelines on how to report a post or an abuse( https://help.instagram.com/192435014247952). I was really disappointing finding out that you are only able to report a scam without any additional details. From now on the situation is entirely in the hands of the platform.
A week later since I have reported the scam, the account is still on, showing how dedicated, efficient and prompt is Instagram dealing with these kind of frauds.
Technology will undoubtedly evolve further as well as social engineering maneuvers through which scammers can exploit human emotional weaknesses.
The best thing we can do is stay alert and to try increasing other security awareness if is it possible. More informed people means fewer successful scam attempts, which we hope will eventually lead to a more secure digital world for everybody.