By John P. Mello Jr.
Jun 18, 2019 10:42 AM PT
Account hijacking has become a nettlesome problem at Instagram so it has decided to do something about it. The social media company on Monday said it has begun testing a simpler method for users to reclaim their compromised accounts.
The move, first reported by Motherboard, allows users locked out of their hacked accounts to ask for a six-digit code to be sent to the email address or phone number originally used to open the account.
The company also has taken steps to address the issue of user name theft. After hijacking an account and changing its settings to lock out its owner, some hackers will try to sell its name. Short, unique user names can sell online for US$500 to $5,000, according to Motherboard.
To curb that practice, Instagram will bar the transfer of a user name for an unspecified time after changes are made to an account.
It’s not known when the six-digit reset feature will be available throughout Instagram, but the lockdown addition already is available to Android and iOS users.
Turning Accounts Into Cash
Selling user names isn’t the only way criminals can turn hijacked Instagram accounts into cash. They can monetize the credentials for the account by selling them to other hackers, for example, noted Rick McElroy, head of security strategy at
Carbon Black, an endpoint security company in Waltham. Massachusetts.
“They can also extort the owner into paying to release the account,” he told TechNewsWorld. In addition, “they can blackmail the affected person based on material found in the account, and phish other people connected to the account.”
Attacks on Instagram accounts aren’t always launched by strangers, either.
“Targeted attacks are also common against people the attacker knows,” said Jonathan Tanner, senior security researcher at
Barracuda Networks, a security and storage solutions company based in Campbell, California.
“In those cases the motivation may be information, ‘is my girlfriend or boyfriend cheating on me?’ or revenge, ‘my girlfriend or boyfriend cheated on me so I’m going to hijack their account and embarrass them,'” he told TechNewsWorld.
Political motives also spur some account hijacking, especially with influencers in countries where freedom of speech is not respected, observed Mounir Hahad, head of the threat lab for
a network security and performance company based in Sunnyvale, California.
“Accounts can be taken over, sometimes illegally by force, to sway the message just enough to change the narrative about an upcoming election or a public protest,” he told TechNewsWorld.
“Much of this problem stems from the implicit trust we place on posts coming from the people we follow,” said John Shier, senior security advisor at
Sophos, a network security and threat management company based in the UK.
“You shouldn’t trust everything you see on social media,” he told TechNewsWorld.
Although Instagram’s action makes it easier to recover a compromised account, its impact on hijacking remains to be seen.
“These measures only make it somewhat less stressful to recover a hijacked account and will not do much to curb the hijacking attempts,” maintained Juniper’s Hahad.
“If the attacker is sophisticated enough and has compromised an original email address used to create the Instagram account, then it may still be difficult to regain control of the account, even with the new measures in place,” he pointed out.
Some criminals may be dissuaded from hijacking Instagram accounts, but the practice will continue, noted Sophos‘ Shier.
“Criminals don’t need much time to benefit from an account hijack. If their purpose is simply to spread malicious or fraudulent links, the compromise of a prominent celebrity’s account is all it would take,” he explained. “Thousands of followers would likely see the link and click on it before the compromise was noticed.”
Instagram’s account recovery solution is just a short-term fix — stronger solutions are needed to address future attacks, according to Will LaSala, director of security solutions at
OneSpan, an authentication and fraud analysis company in Chicago.
“Stronger solutions force the application to properly identify the risk associated with the request and then to enforce stronger methods of authentication when a high risk is detected,” he told TechNewsWorld.
“This type of intelligent authentication can help users by ensuring only the strongest authentication methods are used by the user and only when the user needs them the most,” he said.
Account hijacking has been going on for more than a decade, said Byron Rashed, vice president of marketing at
Centripetal Networks, a network security company in Herndon, Virginia.
“At first, it was a challenge by script kiddies, but then it became a business when threat actors discovered how valuable these accounts can be,” he told TechNewsWorld. “Many accounts can have valuable personal identifying information that can be sold and traded in the underground economy to fully monetize the exfiltrated accounts.”
Account hijacking is widespread online, noted Carbon Black’s McElroy.
“It will continue to be a growing area of concern for highly visible individuals. Criminals either want money to release the accounts or blackmail the user about pictures and other sensitive content found in cloud storage,” he added.
“Account hijacking … across all sites is quite rampant,” added Barracuda’s Tanner.
Hijacking is fueled by the massive amount of information stolen in data breaches, he noted. There are tools hackers can use that incorporate breach data to facilitate their hijacking activities.
Those products make a configuration file for a site that specifies how the login process works, what list of email and password combinations to try, and includes a list of proxy IPs to use so that IP-based protections won’t be as effective.
Password theft is framed as a consumer problem, but it can have a significant impact on a business, too, maintained Rami Essaid, cofounder of
Distil Networks, a website security firm in Arlington, Virginia.
“Password dumps create a ripple effect as organizations spend precious time and resources on damage control,” he told TechNewsWorld.
“There’s a massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lockout for the real user, then the customer service calls to regain access to their account,” Essaid said, “all because a username and password was stolen from a different website.”