Opinion Tuesday #2: Teens Hack Big Instagram Accounts and Earn Thousands of Euros


Hello again, fellow hackers! It's Tuesday again, so it's time for some interesting cybernews and opinions! Today, we're discussing a very interesting hack:

The Event

Dutch police claim they arrested 2 teens for hacking into key Instagram accounts with many followers, which they exploited to make tens of thousands of euros.

The 18- and 19-year-old males accomplished this hack using "phishing", which is gaining a lot of popularity amongst the black hats right now.

The teens sent an email to the Instagram users and made them log in through that email. However, the users didn't log in to Instagram; instead they logged in to a fake webpage set up by the young hackers. This allowed the hackers to intercept their passwords with ease!

After they took over the accounts, they approached companies to advertise on their hacked Instagram accounts. As the accounts they took over had many followers, the companies of course didn't hesitate. The companies were probably not aware that they were dealing with hackers.

Source: http://www.scmagazineuk.com/teens-arrested-for-hacking-hundreds-of-key-instagram-users/article/483188/

Phoenix750's Opinion

Well, it is widely known that Instagram has had many problems regarding their security. The perfect example of that is the tool called InstaBrute. I believe that tool is still working, even if it was made a long time ago!

But as highlighted in the article, the main vulnerability exploited this time was the ignorance of the users.

First of all, they didn't have 2 factor authentication enabled, which made it a lot easier for the young hackers.

Second, they also fell for an email that was not by Instagram. They should've checked the source of the email and the URL of the webpage more correctly.

I honestly think this attack once again shows us that the main vulnerability in a computer system isn't in the computer itself, but in the mind of its operator.

This attack only highlights the power of social engineering.

But what do you guys think? Let me know! Start discussing!

-Phoenix750
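The URL check mentioned in the post can be made mechanical. The sketch below is an added example, not part of the original post or of any Instagram tooling; the trusted-domain list, the function names and the sample links (all constructed, using the reserved `.example` TLD) are assumptions for illustration. It shows why a link that merely contains "instagram.com" is not the same as a link hosted on instagram.com.

```python
from urllib.parse import urlsplit

# Assumption: the domains the real service uses for login pages.
TRUSTED_DOMAINS = {"instagram.com"}

def login_link_verdict(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link that claims to lead to a login page."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # "https://instagram.com@other.example/" really goes to other.example
        return False, "userinfo before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no hostname"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "internationalised hostname (possible lookalike letters)"
    for domain in trusted:
        # Match the end of the hostname on a label boundary, never a substring.
        if host == domain or host.endswith("." + domain):
            return True, "host is " + domain + " or a subdomain of it"
    return False, "host is not under a trusted domain"

# Constructed sample links, as they might appear in a suspicious email.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",
    "https://instagram.com.account-verify.example/login",
    "https://instagram.com@account-verify.example/login",
    "https://instagram-login.example/",
    "http://www.instagram.com/accounts/login/",
]

def check_all(links=SAMPLE_LINKS):
    """Map each link to its (ok, reason) verdict."""
    return {link: login_link_verdict(link) for link in links}

if __name__ == "__main__":
    for link, (ok, reason) in check_all().items():
        print(("OK   " if ok else "WARN ") + link + "  (" + reason + ")")
```

Only the first sample passes; the others fail on the host, the `@` trick or the scheme even though each contains the string "instagram".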

27 Comments

Yes. It's back. Probably my favourite weekly discussion topic on Null-Byte :P

Those hackers will probably get punishments way over what I'd call acceptable, but that is not the topic of this discussion thread, right?

So, to the topic:
Social Engineering is becoming the key skill to gain unauthorized access. To loosely quote Mr. Robot:
"How do you hack something that has no security flaws?"
[Referring to persons on a photo]: "I see about 6."
(Totally messed that up :D )

But this is EXACTLY what cyber security is at the moment. You could spend months searching for a zero-day, exploit it and deliver a payload.

OR you could find the most tech-unsavvy person linked to your target and you can get in in a maximum of a few hours (days, in a very few cases).

People need to know. We could try teaching basics of information security at schools, but I bet you that at least 50% won't even give a single fuck.

So I think that the majority of people will stay insecure, ignorant to digital threats.

But what needs to happen and almost certainly will happen in the future is that companies will send their employees to courses about basic information security, where they learn what phishing is, how easy it is to perform wordlist-attacks on passwords consisting only of real words and how Two-Factor-Authentication can benefit information security.

Then at least corporate data will be a bit more secured than it is today.
As for personal data: I see no light for the 99%.

Yes to everything you said. And yes to season 2 Mr. Robot.

I'm very surprised that a site like Instagram would have a reputation for poor security, user integrity should be among the top priorities for social media sites.

-Defalt

Sad thing is, if they used something like SET, which anyone can use, it's legit just pressing 1-9 and typing a URL to do a phishing scam. Anyone could have done this attack and gained access to these Instagram accounts, but in the end it really does come down to ignorance of the user.

Suggestion for the future: Cicada 3301

Cheers!

Thanks for the suggestion brother. Cicada 3301 looks very interesting, I will consider it.

-Phoenix750

I find this intriguing as well.
(just did a search, if I searched correctly, it is something to do with puzzles right?)

I always wonder how these hackers got caught. Is it because they didn't use any kind of spoofing, VPN or proxies?
Or did they simply not care and just use their own network without any hiding tool on it?

It is never possible to remain completely hidden. The only thing you can do is make it harder for the forensic investigator.

As for this hack, we will probably never know. If our government agencies made it public how they caught hackers, hackers would adapt. The government obviously wants to prevent that.

-Phoenix750

Online News sources say they used bitcoins, which would mean in turn that they presumably tried to conceal their tracks with a proxy or VPN.

My guess is the Proxy service they used probably kept logs (most do) and rolled over on them without even blinking an eye. VPN Service "hide my ass" is notorious for that.

When it comes to phishing or using simple wordlists for password cracking... I have to constantly remind myself of how ignorant people really are when it comes to computers.

The user is the single point of failure. Why bother with the computer when you can convince a person to let you in?
Along with Sinister, I also want to know how they were caught...

And I can't wait to look at InstaBrute.

Lol. You know, as I looked at the source URL for the news article, for about half a second I considered the possibility that you set up a phishing attempt (BeEF hook) WITHIN a nullbyte post about phishing attempts (inception).

Just curious: what makes you think I'd want to set up a phishing page in the first place? xD

-Phoenix750

Nothing about your character, just thought it would be awesomely ironic.

Indeed it would.

-Phoenix750

There is nothing software and tech giant companies can do if the user is so careless. In a tech world where nothing is secure, it is important for people to pay attention to these minor details which others can easily exploit. Technology will get stronger and the only vulnerability left will be the users, who fail to take safety measures on their side.

A lot of people may be appalled at the hackers who pulled this off when they should be appalled at the way Instagram was providing their users security. I don't hate on black hats. I know what they're doing is illegal but on the flip side, many companies do illegal things with the information we provide and trust them to keep secret. They sell our private information to marketers. Why is it socially acceptable or overlooked when private companies do illegal and unethical stuff but everyone gets all outraged when individuals do it? People need to be exposed, that's my opinion. #CryMeARiver From a different perspective, is it really Instagram's fault that its users fell victim to phishing attacks? Does Instagram have a duty to put up some type of warning informing people how not to fall victim? I'd argue they don't...

Read the terms and conditions of social media. You'll soon find out that you agreed that they can do whatever they want with your data. That bullshit is the reason that I don't have any social media except twitter. Their terms and conditions are a little more acceptable.

-Phoenix750

Hmm I did not know that about twitter vs the rest. Good to know. The thing that pisses me off about twitter though is that they care more about spamming than they do child porn. God forbid you tweet the same thing within 24 hours. They're real nazis about it. I have a ton of animal activist followers I used TweetAdder to keep informed but they've shut all that down. Meanwhile it's as easy to get child porn on twitter as it is an STD while on spring break at the Jersey Shore haha :P

Gah, they'll make Phishing as looked down upon as DDoSing.

true dat. but I'd argue what they did was way more legit than a lame dos attack. It was sorta brilliant actually.

Not that DDoSing is lame, that is, exploiting the functionality of networking protocols - kinda like SYN flood taking advantage of the three-way-handshake.

I can confirm that InstaBrute is still working.
Thanks for the article.

Ninja243
