Group-IB, one of the global leaders in cybersecurity, headquartered in Singapore, uncovered a novel and extensive scam campaign targeting both Instagram and banking users in Indonesia, which aims to gain access to their bank accounts. As part of ongoing brand-protection efforts, the company’s Digital Risk Protection unit identified more than 600 hijacked Instagram accounts used to spread phishing links to fake websites disguised as login pages of the mobile banking application of one of Indonesia’s leading financial institutions. Group-IB’s Digital Risk Protection solution, a module of the company’s Unified Risk Platform, unveiled and blocked over 1,000 affiliated fraudulent domains used to spread phishing content at the request of the impersonated organization. As new domains appear regularly, the Group-IB team continues to monitor the infrastructure and blocks violations shortly after detection. Users are advised to stay vigilant, use multi-factor authentication for their accounts, and treat with suspicion any pages that ask for their banking credentials or payment details.
According to Group-IB’s Asia-Pacific Digital Risk Protection team, the prolific multi-phase scheme has been active since at least September 2022. In the early stages, cybercriminals identify Instagram accounts with multi-factor authentication disabled. After obtaining access by brute-forcing their way in or by phishing the credentials, the fraudsters change the account email and activate 2FA to deprive the legitimate owner of access. By taking over legitimate Instagram profiles, the scammers ensure a wider reach, as the hijacked accounts have a considerable number of followers who might assume that the content is trustworthy. Group-IB discovered one account belonging to a popular Indonesian football coach with over 23,000 followers that had been compromised by the scammers as part of this campaign.
The scammers then rename the accounts to make them look like they belong to one of Indonesia’s leading financial institutions by using the organization’s trademark and its official logo as a profile picture. In some hijacked accounts, the scammers didn’t even bother to delete the contents of the previous owners. Group-IB analysts discovered and suspended all identified Instagram accounts involved in the scheme in coordination with the Instagram Intellectual Property Support Team.
“There is a good reason why scammers prefer Instagram. According to our findings presented at Group-IB’s Digital Risk Summit 2022, social media became the number one channel for the distribution of scams in the Asia Pacific in 2021. More than 75% of all scams analyzed by Group-IB were observed in social media. Instagram turned out to be the scammers’ favorite platform in APAC. It is easier to inspire trust in social media and visual content tends to resonate with people more.”
Digital Risk Protection Analyst in Indonesia, Group-IB
After changing the visual appearance of the profile, the scammers post phishing content impersonating a well-known Indonesian bank. The scammers’ end goal is to get unsuspecting victims to visit a phishing website disguised as a mobile banking app login page, designed to steal their credentials. For this purpose, the fraudsters create multiple phishing domains. They register spoofed URLs that imitate legitimate ones to make them look more credible. Such websites are usually created and managed in bulk. Since September 2022, Group-IB’s Graph Network Analysis tools have identified multiple groups of phishing domains, including a group of over 200 affiliated phishing resources aimed at banks and other financial institutions in Indonesia and other countries in the region. The vast majority of these websites were detected by the Unified Risk Platform and blocked by the Group-IB Digital Risk Protection team in Jakarta. New domains continue to appear daily, and Group-IB keeps monitoring the infrastructure and takes action to eliminate the rogue links upon discovery. This is part of the ongoing effort aimed at the preventive protection of the impersonated financial organization’s brand.
An example of how the scam campaign’s resources are interconnected is provided in the screenshot below, taken from Group-IB’s Graph Network Analysis tool – a patented technology used across the Unified Risk Platform’s modules.
These phishing domains are propagated using compromised Instagram accounts. The scammers use all available methods to promote their fake resources, including Instagram advertising tools, the feed, and stories.
The fake promotional campaigns target audiences segmented by location, interests, and likes. Phishing links are also shared in the account’s stories or feed, along with an invitation URL in the bio. The fake ads encourage existing banking customers to visit a website to sign up for a “fee-free money transfer program”. Such ads and phishing pages replicate the design and theme of the legitimate bank’s promotional campaigns.
At the final stage, users are prompted to enter their mobile banking app credentials. Many of the phishing websites only reveal themselves when the victim accesses them from a mobile device; visitors with a desktop user agent see harmless content. This is another technique employed by scammers to complicate detection and takedown. Additionally, it can be harder for ordinary users to spot inconsistencies on a small mobile screen.
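The mobile-only behaviour described above is what a brand-protection analyst has to account for when triaging a reported URL: a single fetch with a desktop user agent can miss the credential form entirely. The following is an added example, not Group-IB’s code or tooling, of how such a check can be structured. It takes the fetch routine as a parameter so it runs offline here against constructed pages; the user-agent strings, page contents and `fake_fetch`/`honest_fetch` stubs are all assumptions for illustration, and a real deployment would pass a function that performs the HTTP request.

```python
import re
from typing import Callable, Dict

# Constructed user-agent strings (assumption: representative desktop and Android values,
# not taken from the campaign described in the article).
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/110.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/110.0 Mobile Safari/537.36",
}

# A page that asks for credentials almost always carries a password input.
CREDENTIAL_FORM = re.compile(r"<input[^>]+type=[\"']?password", re.IGNORECASE)


def looks_like_login_page(html: str) -> bool:
    """True if the body contains a password field, i.e. something asking for credentials."""
    return CREDENTIAL_FORM.search(html) is not None


def detect_ua_cloaking(fetch: Callable[[str, str], str], url: str) -> Dict[str, object]:
    """Fetch `url` once per user agent through the caller-supplied `fetch(url, ua)`
    and report whether a credential form is served only to mobile visitors."""
    bodies = {name: fetch(url, ua) for name, ua in USER_AGENTS.items()}
    login_by_ua = {name: looks_like_login_page(body) for name, body in bodies.items()}
    sizes = {name: len(body) for name, body in bodies.items()}
    cloaked = login_by_ua["mobile"] and not login_by_ua["desktop"]
    return {
        "url": url,
        "login_form_by_ua": login_by_ua,
        "body_size_by_ua": sizes,
        "mobile_only_cloaking": cloaked,
        "verdict": "review: credential page served to mobile only" if cloaked
                   else "no user-agent-dependent credential page",
    }


# --- Constructed stand-ins for a live fetch so the example runs offline ---------------
DESKTOP_PAGE = "<html><body><h1>Site under maintenance</h1></body></html>"
MOBILE_PAGE = (
    "<html><body><form method='post' action='/login'>"
    "<input name='user'><input name='pin' type='password'>"
    "<button>Masuk</button></form></body></html>"
)


def fake_fetch(url: str, user_agent: str) -> str:
    """Simulates a cloaked site: the credential form is returned only for mobile user agents."""
    return MOBILE_PAGE if "Mobile" in user_agent else DESKTOP_PAGE


def honest_fetch(url: str, user_agent: str) -> str:
    """Simulates a site that serves the same page to every visitor."""
    return DESKTOP_PAGE


if __name__ == "__main__":
    for label, fetch in (("cloaked", fake_fetch), ("uniform", honest_fetch)):
        print(label, detect_ua_cloaking(fetch, "https://example.invalid/login"))
```

The point of comparing per-user-agent results rather than scanning once is that the desktop response alone looks benign; only the divergence between the two fetches exposes the credential form. The same structure extends to other cloaking signals (referrer, geolocation, screen size) by adding fetch variants.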
“This new scam campaign successfully targets multiple parties at different stages of its lifecycle: Instagram account owners, their followers who are banking customers, and banks whose trademark is being abused by the scammers to inspire trust and steal online credentials. Schemes are getting more technically advanced and involve several layers that are hard to identify using conventional monitoring tools. Companies should arm themselves with solutions capable of tackling the entire fraudulent cycle and the infrastructure behind it. Detection at early stages is the key to minimizing the digital risks to the affected brands and safeguarding potential victims.”
Digital Risk Protection Analyst in Indonesia, Group-IB
In addition to brand owners, this scam also hurts ordinary people. When accounts are suspended by Instagram on the basis of trademark infringement, the original owners of those accounts lose their digital assets. Standard precautions should be taken early to prevent such an incident from occurring in the first place. Digital assets such as social media accounts must be given extra protection by activating multi-factor authentication. A common and convenient option is a One Time Password (OTP) sent to the owner’s mobile phone number via SMS. Security-conscious users should go a step further and install an authenticator app that generates constantly changing codes.
Users should always check the domain of the URL to verify that it is the official website before sharing any personal or payment details or banking credentials. It is safer to apply zero-trust principles when encountering such URLs, especially if they originate from unofficial sources.
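Checking the domain, as advised above, means looking at the registrable part of the hostname rather than at whether the bank’s name appears somewhere in the address: the spoofed URLs described earlier are built precisely so that the brand name is visible while the registrable domain belongs to the fraudster. The following added example (not Group-IB’s code, and not tied to the impersonated bank) shows how a brand-protection team or an app developer might triage candidate URLs. The official domain `examplebank.co.id`, the brand token, the short list of two-level public suffixes and the similarity threshold are all assumptions for illustration; a real deployment would use the Public Suffix List and the institution’s actual domains.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed placeholders standing in for the impersonated institution (assumption).
OFFICIAL_DOMAINS = {"examplebank.co.id"}
BRAND_TOKENS = {"examplebank"}
# Two-level public suffixes common in the region (assumption: short static list;
# a real deployment would use the Public Suffix List instead).
TWO_LEVEL_SUFFIXES = {"co.id", "or.id", "ac.id", "com.sg", "com.my", "co.th"}
# Similarity above which a brand label is treated as a near-miss spelling (assumption).
TYPOSQUAT_THRESHOLD = 0.8


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. m.examplebank.co.id -> examplebank.co.id."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain: str) -> str:
    """Left-most label of a registrable domain: examplebank.co.id -> examplebank."""
    return domain.split(".")[0]


def classify_url(url: str) -> dict:
    """Decide whether a URL is on the official domain, imitates it, or is unrelated."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the hostname
    reg = registered_domain(host)
    result = {"host": host, "registered_domain": reg}

    # Only the registrable domain decides ownership; subdomains of it are fine.
    if reg in OFFICIAL_DOMAINS:
        return {**result, "verdict": "official", "reason": "registrable domain is the bank's own"}

    # Brand name reused anywhere in a non-official host, including the pattern
    # "examplebank.co.id.attacker.tld", where the real domain is merely a subdomain label.
    for token in BRAND_TOKENS:
        if token in host:
            return {**result, "verdict": "lookalike",
                    "reason": f"brand token '{token}' inside non-official domain '{reg}'"}

    # Near-miss spelling of the brand label (typosquatting or character swaps).
    for official in OFFICIAL_DOMAINS:
        score = SequenceMatcher(None, brand_label(reg), brand_label(official)).ratio()
        if score >= TYPOSQUAT_THRESHOLD:
            return {**result, "verdict": "lookalike",
                    "reason": f"'{brand_label(reg)}' resembles '{brand_label(official)}' ({score:.2f})"}

    return {**result, "verdict": "unrelated", "reason": "no resemblance to the official domain"}


if __name__ == "__main__":
    # Constructed sample URLs, not addresses from the campaign.
    for sample in (
        "https://m.examplebank.co.id/login",
        "https://examplebank.co.id.promo-transfer.xyz/app",
        "https://exampIebank.co.id/",          # capital I in place of l
        "https://www.google.com/",
    ):
        print(classify_url(sample))
```

The ordering of the checks matters: ownership is settled first on the registrable domain alone, so a hostname that merely contains the bank’s domain as a prefix never passes, and the fuzzy comparison runs only on the single label where a typosquat would sit, which keeps false positives on unrelated domains low.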