Apart from the servers that exist in an IT infrastructure and other types of personal and confidential information/data, one of the other favored targets of the Cyber attacker appears to be social media sites. One of the main reasons for this is that, despite the claims of the likes of Facebook, Twitter, LinkedIn, etc., none of these social media sites have really upped the level of their security in order to keep their end users safe.
Just recently, I wrote a couple of blogs about how Twitter was impacted, and some of the corrective actions that were going to take place. I have a Twitter account, and I have seen none of these security upgrades yet. Is this just all talk to keep the media from exposing them further? Who knows.
Well, the next social media site to be hit, and one that has just made recent headlines, is Instagram. For example, literally thousands of users reported that their accounts had been hijacked and their personal details changed. Also, there are reports that other users were unexpectedly logged out of their accounts and that their handles, avatars and bio details had been altered, deleted or even tweaked.
When the users tried to reset their passwords, it was also discovered that the e-mail address tied to their account now ended with a “.ru” extension, meaning the e-mail could possibly originate in Russia (perhaps suggesting Russian Cyber attackers?).
Interestingly enough, the Instagram subscribers that were impacted reported that there were no new posts created or older photos deleted from their hijacked accounts. Rather, the profile pictures of the end users were replaced with pictures or scenes from Disney or Pixar movies, which makes this hacking scheme all the more bizarre.
In fact, just in the past week, there were well over 900 complaints about Instagram being posted on other social media sites. Probably the one that got the most attention was: “My account was hacked! Everything was reset so I can’t reset the password. It might have been disabled. Received an email to reset password but it goes to an error page. C’mon Instagram! Don’t leave us hanging like that! I want my account back!” (SOURCE: https://cyware.com/news/hundreds-of-instagram-users-locked-out-of-accounts-recovery-emails-changed-to-ru-addresses-43d1a7a7).
Apart from the hijacking of the Instagram accounts, there seems to be no other damage that has been done. As a result of this, many Cyber researchers now believe that these actions by the Cyber attack group could be the telltale signs that they are creating and building a large-scale botnet from these hijacked accounts.
I think I may have written about botnets before, but essentially, they are a group or collection of Internet-connected devices (which can include PCs, servers, and other forms of wireless devices) which literally form a platform from which to launch a large-scale Cyber-attack. So theoretically, by gaining access to their Instagram accounts, the Cyber attackers also have access to the victims’ devices as well.
But this attack on the Instagram accounts is also indicative of a new trend, that of what is known as “SIM Hacking”. Essentially, this gives the Cyber attacker access to a victim’s phone number by tricking a customer service agent (such as that of Verizon, Sprint, T-Mobile, etc.) into reassigning the phone number to a new SIM card.
The Cyber attacker can then use that phone number, together with the usual account recovery and SMS-based 2FA processes, to reset literally any other social media account as well. This method could also be used to hijack authentication codes for banking transactions, if the financial institution has not implemented the proper security protocols.
However, just because the e-mail addresses (as described previously) end with the domain “.ru” doesn’t necessarily mean that the Cyber attack group originates from Russia: “Email addresses are easily spoofed, either to conceal identity or to encourage finger-pointing toward the wrong place.” (SOURCE: https://cyware.com/news/hundreds-of-instagram-users-locked-out-of-accounts-recovery-emails-changed-to-ru-addresses-43d1a7a7).
On the flip side, Instagram has supposedly notified the media that it is working on the issue and is trying to recover the hijacked accounts as well. Also, they claim that they are currently working on stronger levels of 2FA, which do not make use of the end user’s phone number as a means of authentication. So, this brings up a point I have made before . . . .
Yes, Two Factor Authentication, or 2FA, is deemed to be a secure means of logging into something, primarily because it offers two layers of security (thus its name). But as I have said repeatedly, the way it is used is very poor. When organizations such as social media sites use this approach, they very often use the weakest forms of credentials in order to authenticate an individual, as in the case of Instagram, by using a phone number.
2FA is a good methodology to use, but the credentials that are used in it must change. One way this can be done is instead of using a phone number or a password, use the Challenge/Response approach, along with a Biometric modality, such as that of Fingerprint Recognition. This will make for a much more robust multi-layer security approach.
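To make the difference between the two kinds of second factor concrete, here is an added example (not code from Instagram, from any carrier, or from the author of this post) that models both the SMS-based flow described above and the Challenge/Response approach recommended here. Everything in it is constructed: the carrier is a toy lookup table of which holder currently receives a phone number's SMS, the "device credential" for the Challenge/Response factor is a random HMAC key handed to the user's device at enrollment, and the Fingerprint Recognition step is reduced to a boolean flag that gates whether the device will release that key. The point it shows is that the SMS factor is only as strong as the carrier's SIM assignment, while the Challenge/Response factor sends nothing to the phone number at all, so reassigning the SIM gains the attacker nothing.

```python
import hashlib
import hmac
import secrets
import time


class Carrier:
    """Constructed model of a mobile carrier: a phone number maps to whoever
    currently holds the SIM, and SMS is delivered to that holder's inbox."""

    def __init__(self):
        self.sim_holder = {}   # phone number -> current holder
        self.inbox = {}        # holder -> list of SMS texts received

    def assign(self, phone, holder):
        self.sim_holder[phone] = holder

    def deliver_sms(self, phone, text):
        self.inbox.setdefault(self.sim_holder[phone], []).append(text)


class SmsSecondFactor:
    """Server side of an SMS one-time-code factor. The server never learns who
    holds the SIM; it only knows that a code went to a phone number."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}      # phone -> (code, expiry timestamp)

    def start(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, time.time() + 300)
        self.carrier.deliver_sms(phone, code)

    def verify(self, phone, code):
        entry = self.pending.pop(phone, None)   # single use
        if entry is None or code is None:
            return False
        expected, expiry = entry
        return time.time() < expiry and hmac.compare_digest(expected, code)


class ChallengeResponseSecondFactor:
    """Server side of a Challenge/Response factor. At enrollment the user's
    device receives a secret key (assumption: a random 32-byte HMAC key). For
    each login the server issues a fresh random nonce and expects
    HMAC-SHA256(key, nonce) back. No secret ever travels via the phone number."""

    def __init__(self):
        self.enrolled = {}     # user -> device key
        self.pending = {}      # user -> (nonce, expiry timestamp)

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.enrolled[user] = key
        return key             # given to the device once, never sent again

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = (nonce, time.time() + 60)
        return nonce

    def verify(self, user, response):
        entry = self.pending.pop(user, None)    # single use: blocks replay
        if entry is None or response is None or user not in self.enrolled:
            return False
        nonce, expiry = entry
        expected = hmac.new(self.enrolled[user], nonce, hashlib.sha256).digest()
        return time.time() < expiry and hmac.compare_digest(expected, response)


def device_respond(device_key, nonce, biometric_unlocked):
    """Device side. Assumption: the key is only released after a local
    biometric unlock (the Fingerprint Recognition step the post recommends)."""
    if not biometric_unlocked:
        return None
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def run_scenarios():
    """Returns (sms_before_swap, sms_after_swap, cr_with_device, cr_without_device)."""
    carrier = Carrier()
    carrier.assign("+15550100", "legitimate_user")       # constructed number
    sms = SmsSecondFactor(carrier)

    # 1. SMS code while the legitimate user holds the SIM: works as intended.
    sms.start("+15550100")
    sms_before = sms.verify("+15550100", carrier.inbox["legitimate_user"][-1])

    # 2. The carrier reassigns the number (the SIM reassignment described in the
    #    post). The server cannot tell; the code lands in the new holder's inbox
    #    and verifies just the same.
    carrier.assign("+15550100", "sim_swapped_holder")
    sms.start("+15550100")
    sms_after = sms.verify("+15550100", carrier.inbox["sim_swapped_holder"][-1])

    # 3. Challenge/Response bound to the enrolled device key.
    cr = ChallengeResponseSecondFactor()
    key = cr.enroll("alice")
    nonce = cr.challenge("alice")
    cr_ok = cr.verify("alice", device_respond(key, nonce, biometric_unlocked=True))

    # 4. Someone who controls only the phone number has no device key, so the
    #    best they can do is answer with a key of their own, which fails.
    nonce = cr.challenge("alice")
    wrong_key_response = hmac.new(secrets.token_bytes(32), nonce, hashlib.sha256).digest()
    cr_fail = cr.verify("alice", wrong_key_response)

    return sms_before, sms_after, cr_ok, cr_fail


if __name__ == "__main__":
    print(run_scenarios())   # (True, True, True, False)
```

The two `verify` methods are deliberately identical in shape (single-use entry, expiry, constant-time compare); the only thing that changes the outcome of scenario 2 versus scenario 4 is where the secret lives. With SMS, the secret is the code, and the carrier decides who receives it; with Challenge/Response, the secret is the enrolled key, which never leaves the device, and the biometric unlock in `device_respond` is what ties that key to a person rather than to a phone number.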
So, Facebook, Twitter, LinkedIn, Instagram, and whoever else is out there, I hope that you do modernize your approaches to using 2FA. But just don’t say it, actually do something about it!!!
Also, to those Instagram users who have been impacted, don’t give up on resetting your account. Eventually it will reset, but if you just give up on it out of a lack of hope that anything will work out, your account will become idle, and thus it will be used to make the botnet even larger. In a worst-case scenario, just delete or deactivate your account.