The Facebook and Instagram apps are seen on the screen of an iPhone on Oct. 4, 2021. (Photo Illustration by Justin Sullivan/Getty Images)

Researchers on Tuesday reported on a phishing campaign that hijacks corporate Instagram accounts along with the accounts of influencers who have a large number of followers. The threat actors then extort ransom payments from the victims, or if the account holders refuse to pay, the threat actors would then sell the accounts on the dark web, an activity that continues on as of today.

In a blog post by Secureworks, the researchers said after the threat actors gain control of an Instagram account, they change the password and user name. The modified user name is a variation of “pharabenfarway” followed by a number that appears to be the number of followers for the hijacked account.

The researchers said the threat actors then add a comment to the profile that says: “this Instagram account is held to be sold back to its owner. The comment includes a link composed of a shortened WhatsApp domain (wa.me) and a contact number. When the victim clicks on the link it opens a WhatsApp chat conversation prompt with the threat actors, who also contact the victim via text at the phone number listed on the account. They then start negotiating a ransom in exchange for access to the account.

The Secureworks researchers identified numerous Instagram accounts compromised by “pharabenfarway,” an indication that the campaign has become widespread. According to the researchers, based on the domain creation dates, the campaign likely started in August 2021. A September underground forum post references “pharabenfarway” and advertises hijacked Instagram accounts for up to $40,000.

Like so many other phishing attacks, this one is brilliant in its simplicity, said Erich Kron, security awareness advocate at KnowBe4. Kron said by leveraging fear of a copyright infringement claim, something that can be a significant legal burden and a potentially costly issue, the attackers force a knee-jerk reaction by the victim.

“While in this heightened emotional state, the potential victims are likely to forget to check the URL that the link has taken them to, instead blindly entering credentials,” Kron said. “This emotional manipulation is what makes phishing and social engineering attacks so successful. Given the value of influencer social media accounts, and the time, effort and cost it would take to create a new account and reclaim followers and a verified or trusted status, the victims are likely to pay to recover the account.” 

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, added that the popularity of social media has made it a primary communications platform for many organizations. Clements said having a social media account hijacked by a cybercriminal is at best embarrassing and at worst can cause significant reputational harm. 

“An account taken over that makes embarrassing posts can be funny, but there’s also a danger of real harm if the attackers posts are more malicious,” Clements said. “Any organization wishing to protect itself should take steps to ensure that their online presence is secured from compromise by following best practices of taking steps to be officially verified if the social media platform offers it, choosing a strong password for the account that's not used for any other purpose in the organization, and enabling non-SMS based multifactor authentication."