Grand Account Theft: Group-IB uncovers over 600 hijacked Instagram accounts used to spread financial phishing in Indonesia

Group-IB, one of the global leaders in cybersecurity, headquartered in Singapore, uncovered a novel and extensive scam campaign targeting both Instagram and banking users in Indonesia, which aims to gain access to their bank accounts. As part of the ongoing brand-protection efforts, the company’s Digital Risk Protection unit identified more than 600 hijacked Instagram accounts used to spread phishing links to fake websites disguised as login pages of mobile banking applications for one of Indonesia’s leading financial institutions. Group-IB’s Digital Risk Protection solution, a module of the company’s Unified Risk Platform, unveiled and blocked over 1,000 affiliated fraudulent domains used to spread phishing content at the requests of the impersonated organization. As new domains appear regularly, the Group-IB team continues to monitor the infrastructure and block violations shortly after the detection. Users are advised to stay vigilant, use multi-factor authentication for their accounts, and treat with suspicion any pages that ask for their banking credentials or payment details.

Hostile Takeover

According to the Group-IB’s Asia-Pacific Digital Risk Protection team, a prolific multi-phase scheme has been active since at least September 2022. In the early stages, cybercriminals identify Instagram accounts with disabled multi-factor authentication. After obtaining access by brute-forcing their way in or by phishing the credentials, the fraudsters change the account email and activate 2FA to deprive a legitimate owner of access. By taking over legitimate Instagram profiles, the scammers ensure a wider reach, as the hijacked accounts have a considerable number of followers who might think that the content is trustworthy. Group-IB discovered one account belonging to a popular Indonesian football coach with over 23,000 followers compromised by the scammers as part of this campaign.

step-by-step scam scheme in indonesia

The scammers then rename the accounts to make them look like they belong to one of Indonesia’s leading financial institutions by using the organization’s trademark and its official logo as a profile picture. In some hijacked accounts, the scammers didn’t even bother to delete the contents of the previous owners. Group-IB analysts discovered and suspended all identified Instagram accounts involved in the scheme in coordination with the Instagram Intellectual Property Support Team.

phishing account in instagram screenshot

“There is a good reason why scammers prefer Instagram. According to our findings presented at Group-IB’s Digital Risk Summit 2022, social media became the number one channel for the distribution of scams in the Asia Pacific in 2021. More than 75% of all scams analyzed by Group-IB were observed in social media. Instagram turned out to be the scammers’ favorite platform in APAC. It is easier to inspire trust in social media and visual content tends to resonate with people more.”

Aditya Arnanda
Aditya Arnanda

Digital Risk Protection Analyst in Indonesia, Group-IB

Snowball Scam

After changing the visual appearance of the profile, the scammers post phishing content impersonating a well-known Indonesian bank. The scammers’ end goal is to get the unsuspecting victims to visit a phishing website disguised as a mobile banking app login page, designed to steal their credentials. For this purpose, the fraudsters create multiple phishing domains. They register spoofed URLs that imitate legitimate ones to make them look more credible. Such websites are usually created and managed in bulk. Since September 2022, Group-IB Graph Network Analysis tools identified multiple groups of phishing domains, including a group with over 200 affiliated phishing resources aimed at banks and other financial institutions in Indonesia and other countries in the region. The vast majority of these websites were detected by the Unified Risk Platform and blocked by the Group-IB Digital Risk Protection team in Jakarta. New domains continue to appear daily, and Group-IB keeps monitoring the infrastructure and takes actions to eliminate the rogue links upon discovery. This is a part of the ongoing efforts aimed at the preventive protection of the brand of the impersonated financial organization.

An example of how the scam campaign’s resources are interconnected is provided in the screenshot below, taken from Group-IB’s Graph Network Analysis tool – a patented technology across Unified Risk Platform’s modules.

example of how the scam campaign's resources are interconnected

These phishing domains are being propagated using compromised Instagram accounts. The scammers use all available methods to promote their fake resources including Instagram advertising tools, the feed, and the stories.

scam instagram stories screenshot

Fake promotional campaign targets segmented audiences based on location, interests, and likes. Phishing links are also shared on the account’s stories or feed, along with an invitation URL in the bio. The fake ads encourage existing banking customers to visit a website to sign up for a “fee-free money transfer program”. Such ads and phishing pages replicate the design and theme of the legitimate bank’s promotional campaigns

phishing website screenshot

At the final stage, users are prompted to enter their mobile banking app credentials. Many phishing websites would only reveal themselves if the victim is accessing the resource from a mobile device. This is another technique employed by scammers to complicate detection and takedown. Additionally, it can be harder for ordinary users to spot inconsistencies on a small mobile screen.

phishing website screenshot

Useful Tips

“This new scam campaign successfully targets multiple parties at different stages of its lifecycle: Instagram account owners, their followers who are banking customers, and banks whose trademark is being abused by the scammers to inspire trust and steal online credentials. Schemes are getting more technically advanced and involve several layers that are hard to identify using conventional monitoring tools. Companies should arm themselves with solutions capable of tackling the entire fraudulent cycle and the infrastructure behind it. Detection at early stages is the key to minimizing the digital risks to the affected brands and safeguarding potential victims.”

Aditya Arnanda
Aditya Arnanda

Digital Risk Protection Analyst in Indonesia, Group-IB

In addition to brand owners, this scam also continuously hurts ordinary people. When accounts are suspended by Instagram based on trademark infringement, the owner of said accounts loses their digital assets. Standard precautions should be taken at early stages to prevent this incident from occurring in the first place. Digital assets such as social media accounts must be extra protected through activating multi-factor authentication. A usual practice that is more convenient is using a One Time Password (OTP) sent to the owner’s mobile phone number via SMS. In addition, security-conscious people shall take further steps by installing an authenticator app to generate continuously changing codes.

Try Digital Risk Protection now!

Defend your digital assets with best-in-breed, AI-powered brand protection solution.

Request Digital Risk Protection demo


Users should always check the domain of the URL to verify if it is the official website before sharing any personal and payment details or banking credentials. It is better to maintain zero trust principles when encountering such URLs, especially if they originate from unofficial sources.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat IntelligenceManaged XDRDigital Risk ProtectionFraud ProtectionAttack Surface ManagementBusiness Email ProtectionAudit & ConsultingEducation & TrainingDigital Forensics & Incident ResponseManaged Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.