Most people would be surprised by how easy it is to scam people online using duplicate versions of public accounts, according to Jake Moore, a security specialist at ESET. Moore describes an experiment he ran on Instagram by creating a duplicate of his real Instagram account to see how many of his friends would trust the new account. The fake account had a very similar handle, and Moore screenshotted some pictures from his real Instagram account and uploaded them to the duplicate account. He also used the same bio, but added “NEW ACCOUNT AFTER LOSING ACCESS TO ORIGINAL.” He then sent follow requests to people who followed his real account.
“Within moments I had three private account owners accept my request and two followed me back,” Moore said. “This was a good start. I was expecting someone to contact me via a different communication method and question this request, particularly due to my line of work and the embarrassment that I could have been subjected to, understanding that even I am susceptible to an account compromise! But no one did. In fact, the numbers increased. Thirteen accounts followed me back on the same day and by the evening I decided to message these people and see what sort of responses I would receive.”
Eight of the thirteen contacts messaged him back, and Moore casually mentioned that in addition to having his Instagram account hacked, the hackers also cleaned out his bank account. At least one of his contacts offered to help him out, and Moore sent her a PayPal address (he revealed the ruse before she sent any money).
“What I found most disconcerting was how quickly it all escalated and I was able to trick the target into thinking it was genuine with no extra checks required,” he said. “I was even able to make her be the one to offer to help me which was a nice little twist. This is usually a clever technique used by professional social engineers reversing the psychology to avoid the request of the money.”
While it’s good to help out friends, the people in this case were prepared to send money based solely on the word of a new Instagram account. Many people have their Instagram accounts set to “public,” and scammers can easily set up duplicates and send messages to the person’s followers.
“It is vital to try to reduce the amount of personal information and photos of ourselves online where possible,” Moore explains. “Although this is a huge task, it is important to teach the next generation of social media users to try to limit the amount of information that is posted online before it is out in the open forever. This scam won’t work if accounts are private. Saying that, however, many people whose accounts are private still allow people they do not necessarily know to follow them due to minimal vetting. It is extremely important to think about what you post as well as accepting only followers you don’t mind knowing more about you. Being completely public has the potential of creating dangers such as this.”
Even if a request for money comes from the real account of someone you know, treat it with suspicion and verify through a separate channel, such as a phone call, that the account hasn’t been hijacked.
Moore’s experiment shows how easily scammers can exploit people’s charitable impulses. New-school security awareness training can give your employees a healthy sense of skepticism by enabling them to see things from a scammer’s point of view.
ESET has the story.