# Ransoms Demanded for Hijacked Instagram Accounts **[secureworks.com/blog/ransoms-demanded-for-hijacked-instagram-accounts](https://www.secureworks.com/blog/ransoms-demanded-for-hijacked-instagram-accounts)** Counter Threat Unit Research Team _An extensive phishing campaign has targeted corporate Instagram accounts since_ _approximately August 2021. The threat actors demand ransoms from the victims to restore_ _access. Tuesday, January 25, 2022 By: Counter Threat Unit Research Team_ Organizations typically focus on traditional enterprise cybersecurity threats. However, some threats are more subtle, targeting organizations on unexpected platforms. In October 2021, Secureworks® Counter Threat Unit™ (CTU) researchers identified a phishing campaign that ----- hijacks corporate Instagram accounts, as well as accounts of individual influencers who have a large number of followers. The threat actors then extort ransom payments from the victims. The activity continues as of this publication. ## Baiting the hook The phishing campaign begins with a message that purportedly originates from Instagram and alerts the victim to a potential copyright infringement issue (see Figure 1). The "Appeal As " link in the message is a shortened Bitly URL that resolves to an attacker-controlled phishing domain. _Figure 1. Fake Instagram notice about copyright infringement. (Source: Secureworks)_ The phishing site is customized to mimic the victim's Instagram account (see Figure 2). ----- _Figure 2. Fake Instagram page. (Source: Secureworks)_ ## Reeling in the phish When the victim checks the box indicating their objection, the "Go to Appeal Form" link becomes active. This link leads to a login screen (see Figure 3) that prompts for the victim's password. If the victim provides their password, the threat actors harvest the credentials and gain access to the account. ----- _Figure 3. Password harvesting from fake login page. (Source: Secureworks)_ ## Releasing the catch…for a price After gaining control of the Instagram account, the threat actors change the password and username. The modified username is a variation of "pharabenfarway" followed by a number that appears to be the number of followers for the hijacked account (see Figure 4). The threat actors add a comment to the profile that "this Instagram account is held to be sold back to its owner." The comment includes a link composed of a shortened WhatsApp domain (wa . me) and a contact number. Clicking the link opens a WhatsApp chat conversation prompt with the threat actors. The threat actors also contact the victim via text message at the phone number listed on the account and start negotiating a ransom in exchange for access to the account. ----- _Figure 4. Hijacked Instagram account. (Source: Secureworks)_ CTU™ researchers identified numerous Instagram accounts compromised by pharabenfarway, indicating this campaign is widespread. CTU analysis revealed a large list of domains used in the campaign. Based on the domain creation dates, the campaign likely started in August 2021. A September underground forum post references pharabenfarway and advertises hijacked Instagram accounts for up to $40,000 USD (see Figure 5). _Figure 5. Instagram accounts for sale on underground forum. (Source: Secureworks)_ ## Identifying the "phishermen" Analysis of one of the IP addresses that hosts several of the phishing domains led CTU researchers to the 'pbfy . business' website. This website appears to belong to Pharaben and Farway, the threat actors likely operating this campaign (see Figure 6). The threat actors self ----- identify as advanced experts in social media and hacking and provide their Instagram handles along with WhatsApp contact numbers. Pharaben's contact number uses a Russian country code, and Farway's uses a Turkish country code. _Figure 6. Pharaben & Farway website. (Source: Secureworks)_ In addition to the Turkish country code, other aspects of this campaign also suggest that at least one of the threat actors could be located in Turkey. In one incident, threat actor communications originated from a Turkish-language version of Instagram. Additionally, the page source of one of the phishing websites references the Turkish hizliresim . com filesharing service. The infrastructure associated with this campaign is based in Turkey and other countries. ## Conclusion Organizations should include social media accounts for the company and high-profile staff members in their risk assessment models. Mobile apps are a common attack vector. Use of multi-factor authentication can limit unauthorized access. While social media account takeover may seem insignificant, threat actors could access email accounts or other corporate resources if passwords were reused. Additionally, threat actors could abuse hijacked accounts to damage the organization's brand as further leverage to obtain a ransom payment. [Review the Emerging Cybersecurity Trends in 2022 report to learn about other threats that](https://view.secureworks.com/emerging-cybersecurity-trends-in-2022/p/1) organizations should consider. ## Threat indicators To mitigate exposure to this threat, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The domains and IP addresses in the table may contain malicious content so consider the risks before opening them in a browser ----- **Indicator** **Type** **Context** 195.85.205.15 IP address Hosting Instagram phishing domains 198.38.86.93 IP address Hosting Instagram phishing domains 51.254.6.251 IP address Hosting Instagram phishing domains 78.135.85.92 IP address Hosting Instagram phishing domains ig-contactform.com Domain name Instagram phishing site ig-contactservices.com Domain name Instagram phishing site ig-copyrightsobjection.com Domain name Instagram phishing site ig-mailservices.com Domain name Instagram phishing site ig-mailservicesupport.com Domain name Instagram phishing site lg-supportservices.com Domain name Instagram phishing site objectionservices.org Domain name Instagram phishing site supportcomminity.com Domain name Instagram phishing site supportercontacts.com Domain name Instagram phishing site supporterviolation.com Domain name Instagram phishing site supportscommunity.com Domain name Instagram phishing site supportsnotification.com Domain name Instagram phishing site supportviolationform.com Domain name Instagram phishing site wfarway@gmail.com Email Address Threat actor contact information in Instagram phishing campaign +7 991 472 4452 Phone number Threat actor contact information in Instagram phishing campaign ----- **Indicator** **Type** **Context** +90 538 409 3777 Phone number Threat actor contact information in Instagram phishing campaign Pharaben Username Threat actor contact information in Instagram phishing campaign Farw4y Username Threat actor contact information in Instagram phishing campaign bc1qgpukcptnyfyejmalpqzzz0fwg2w727ur6r4fvf Cryptocurrency wallet ID _Table 1. Indicators for this threat._ Bitcoin account for Instagram phishing ransom payments -----