Account hijacking has become a nettlesome problem at Instagram so it has decided to do something about it. The social media company on Monday said it has begun testing a simpler method for users to reclaim their compromised accounts.
The move, first reported by Motherboard, allows users locked out of their hacked accounts to ask for a six-digit code to be sent to the email address or phone number originally used to open the account.
The company also has taken steps to address the issue of user name theft. After hijacking an account and changing its settings to lock out its owner, some hackers will try to sell its name. Short, unique user names can sell online for US$500 to $5,000, according to Motherboard.
To curb that practice, Instagram will bar the transfer of a user name for an unspecified time after changes are made to an account.
It’s not known when the six-digit reset feature will be available throughout Instagram, but the user name lockdown is already available to Android and iOS users.
Turning Accounts Into Cash
Selling user names isn’t the only way criminals can turn hijacked Instagram accounts into cash. They can also monetize the account credentials by selling them to other hackers, noted Rick McElroy, head of security strategy at Carbon Black, an endpoint security company in Waltham, Mass.
“They can also extort the owner into paying to release the account,” he told TechNewsWorld. In addition, “they can blackmail the affected person based on material found in the account, and phish other people connected to the account.”
Attacks on Instagram accounts aren’t always launched by strangers, either.
“Targeted attacks are also common against people the attacker knows,” said Jonathan Tanner, senior security researcher at Barracuda Networks, a security and storage solutions company based in Campbell, Calif.
“In those cases, the motivation may be information, ‘Is my girlfriend or boyfriend cheating on me?’ or revenge, ‘my girlfriend or boyfriend cheated on me, so I’m going to hijack their account and embarrass them,’” he told TechNewsWorld.
Political motives also spur some account hijacking, especially with influencers in countries where freedom of speech is not respected, observed Mounir Hahad, head of the threat lab for Juniper Networks, a network security and performance company based in Sunnyvale, Calif.
“Accounts can be taken over, sometimes illegally by force, to sway the message just enough to change the narrative about an upcoming election or a public protest,” he told TechNewsWorld.
“Much of this problem stems from the implicit trust we place on posts coming from the people we follow,” said John Shier, senior security advisor at Sophos, a network security and threat management company based in the U.K.
“You shouldn’t trust everything you see on social media,” he told TechNewsWorld.
Hijackers Undeterred
Although Instagram’s action makes it easier to recover a compromised account, its impact on hijacking remains to be seen.
“These measures only make it somewhat less stressful to recover a hijacked account and will not do much to curb the hijacking attempts,” maintained Juniper’s Hahad.
He pointed out, “If the attacker is sophisticated enough and has compromised an original email address used to create the Instagram account, then it may still be difficult to regain control of the account, even with the new measures in place.”
Some criminals may be dissuaded from hijacking Instagram accounts, but the practice will continue, noted Sophos’ Shier.
“Criminals don’t need much time to benefit from an account hijack. If their purpose is simply to spread malicious or fraudulent links, the compromise of a prominent celebrity’s account is all it would take,” he explained. “Thousands of followers would likely see the link and click on it before the compromise was noticed.”
Instagram’s account recovery solution is just a short-term fix — stronger solutions are needed to address future attacks, according to Will LaSala, director of security solutions at OneSpan, an authentication and fraud analysis company in Chicago.
“Stronger solutions force the application to properly identify the risk associated with the request and then to enforce stronger methods of authentication when a high risk is detected,” he told TechNewsWorld.
“This type of intelligent authentication can help users by ensuring only the strongest authentication methods are used by the user and only when the user needs them the most,” he said.
Rampant Problem
Account hijacking has been going on for more than a decade, said Byron Rashed, vice president of marketing at Centripetal Networks, a network security company in Herndon, Virginia.
“At first, it was a challenge by script kiddies, but then it became a business when threat actors discovered how valuable these accounts can be,” he told TechNewsWorld. “Many accounts can have valuable personal identifying information that can be sold and traded in the underground economy to fully monetize the exfiltrated accounts.”
Account hijacking is widespread online, noted Carbon Black’s McElroy.
“It will continue to be a growing area of concern for highly visible individuals. Criminals either want money to release the accounts or blackmail the user about pictures and other sensitive content found in cloud storage,” he added.
“Account hijacking … across all sites is quite rampant,” added Barracuda’s Tanner.
He noted that hijacking is fueled by the massive amount of information stolen in data breaches. Hackers can use tools that incorporate breach data to facilitate their hijacking activities.
Those tools use a configuration file for each target site that specifies how the site’s login process works, which list of email and password combinations to try, and which proxy IPs to rotate through so that IP-based protections are less effective.
Password theft is often viewed as a consumer problem, but it can also significantly impact a business, maintained Rami Essaid, cofounder of Distil Networks, a website security firm in Arlington, Va.
“Password dumps create a ripple effect as organizations spend precious time and resources on damage control,” he told TechNewsWorld.
“There’s a massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lockout for the real user, then the customer service calls to regain access to their account,” Essaid said, “all because a username and password was stolen from a different website.”
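As an added example (not code from the article or from any company quoted in it), a small Python detector for the sequence Tanner and Essaid describe: a burst of failed logins spread across many accounts and proxy IPs, then a successful login followed shortly by a password change that locks the real owner out. The log format, thresholds and events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth events (hypothetical, not from the article): time user source_ip event
SAMPLE_LOG = """\
2019-02-11T10:00:01 alice 203.0.113.5 login_fail
2019-02-11T10:00:02 bob 203.0.113.6 login_fail
2019-02-11T10:00:03 carol 203.0.113.7 login_fail
2019-02-11T10:00:04 dave 203.0.113.8 login_fail
2019-02-11T10:00:05 erin 203.0.113.9 login_fail
2019-02-11T10:00:06 frank 198.51.100.2 login_fail
2019-02-11T10:00:07 grace 198.51.100.3 login_ok
2019-02-11T10:02:30 grace 198.51.100.3 password_change
2019-02-11T11:00:00 bob 192.0.2.11 login_ok
2019-02-11T11:01:00 bob 192.0.2.11 password_change
"""

def parse(log):
    """Each line -> (datetime, user, ip, event)."""
    return [(datetime.fromisoformat(t), u, ip, e)
            for t, u, ip, e in (line.split() for line in log.splitlines())]

def stuffing_windows(events, window_s=60, min_fail=5, min_users=5, min_ips=3):
    """Flag fixed windows whose failures spread over many accounts and source IPs:
    the proxy-rotated credential-stuffing pattern, not one user mistyping a password."""
    buckets = defaultdict(lambda: {"fails": 0, "users": set(), "ips": set()})
    for ts, user, ip, ev in events:
        if ev == "login_fail":
            b = buckets[int(ts.timestamp() // window_s)]
            b["fails"] += 1
            b["users"].add(user)
            b["ips"].add(ip)
    return {slot: b for slot, b in buckets.items() if b["fails"] >= min_fail
            and len(b["users"]) >= min_users and len(b["ips"]) >= min_ips}

def takeover_candidates(events, flagged, window_s=60, grace_s=600):
    """Accounts with a successful login inside a flagged burst followed by a password
    change within grace_s seconds: the 'get in, then lock the real owner out' step."""
    ok_in_burst = {u: ts for ts, u, _, ev in events
                   if ev == "login_ok" and int(ts.timestamp() // window_s) in flagged}
    return {u for ts, u, _, ev in events if ev == "password_change" and u in ok_in_burst
            and 0 <= (ts - ok_in_burst[u]).total_seconds() <= grace_s}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    bursts = stuffing_windows(ev)
    for slot, b in bursts.items():
        print(datetime.fromtimestamp(slot * 60), b["fails"], "failures over", len(b["users"]), "accounts")
    print("likely takeovers:", takeover_candidates(ev, bursts))
```

Bob’s password change at 11:01 is not flagged because no burst preceded his login; only grace’s login during the burst plus the quick password change matches the hijack sequence.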