A friend of mine, let's call her Alice, had an Instagram account that was hacked. She uses an iPhone. The scenario looks like this:

  • Alice gets a link from a Business Account via WhatsApp, and clicks it
  • The page was simulating the Instagram login page, and she entered the credentials and submitted the form. The provided data was:
    • Instagram Username
    • Instagram Password
    • Instagram Email
  • At this point, the attacker got access to her account and changed the email and password, hence Alice was not able to access the account anymore.
  • Alice pays the attacker to give her the password, and
  • Alice changes the email, the password, enables 2FA authentication and in the security pages logs out all the other devices, and disconnects Facebook from Instagram
  • After a couple of hours, the attacker has access to her Instagram account again.

What we have tried:

  • Forgot password:
    • via old email, does not work because the email is not associated with any Instagram account
    • via phone number, logs her into another account (about Vegan Recipes)
  • The Instagram support form does not appear when accessing the forgot password option, even from the phone (the device she used a couple of hours before the attacker got access again), hence she cannot report the account as hacked.

How did the attacker get access the second time, even after changing the password and activating 2FA authentication?

Is there any hope for Alice to recover the account?

Ionică Bizău
  • How did Alice interact with the attacker to pay and get the password? Did she install anything? – schroeder Aug 26 '20 at 14:45
  • @schroeder Via WhatsApp, and no, she did not install anything. The payment was done via TransferWise. – Ionică Bizău Aug 26 '20 at 14:46
  • I guess it's possible that attacker got 2FA recovery codes before they were logged out on their device ("enables 2FA authentication and in the security pages logs out all the other devices"), or set up one of their 2FA methods in addition to one your friend set up. Was the old Instagram password reused anywhere else (email providers etc.)? – domen Aug 26 '20 at 15:09
  • @domen But to use the codes, the attacker would have to know the new password as well... The Instagram account was connected with another publishing app she was using for years, but now she disconnected all the apps. – Ionică Bizău Aug 26 '20 at 15:13
  • Probably good ol' human (aka "social") engineering. Let's say the attacker gets a hold of a rep at Instagram and says "someone stole my account". How do they know that Alice was actually the original owner and not the attacker? You should encourage Alice to NEVER pay these types of ransoms. – pcalkins Aug 19 '22 at 20:50