There are multiple reports on the return of a common type of a social media attack called “account cloning,” which is currently taking alarming proportions on Instagram. This is basically a simple scam that still works very well for the actors as it seems - otherwise, they would have abandoned the practice.
We first reported on this back in 2017, and we revisited it in March 2020, putting Facebook and PayPal in the frame as sluggish enablers. So, cloning is on the rise again, and the platform of choice is Instagram now.
Jake Moore, an ESET researcher, decided to experiment with the attack himself to shed light on the social engineering side of the scam. He wanted to check if there will be any verifications from Instagram’s side to stop him, and generally see if anyone would bother to send him a message or even report him.
What the man did was to clone his own Instagram account and test the scam on his friends. So, he used a spare phone number, took screenshots of the photos he had posted on the original account (for authenticity), and simply added “NEW ACCOUNT AFTER LOSING ACCESS TO ORIGINAL” in the bio.
Next, Moore followed 20 of his friends and sent requests to another ten private accounts to see what would happen. After mere minutes, three of the private accounts accepted the request, and two followed back. Interestingly, no one bothered to reach out to the researcher and ask any questions about the (supposed) account compromise. By the end of the day, 13 accounts had followed him back, and nobody thought this was any weird or suspicious. So, Moore decided to take matters in his own hands again and started sending messages to his 13 “new” friends.
Eight of them replied, and Moore moved forward with the one that sent the most sympathetic messages. He explained that the hackers didn’t just hack his Instagram, but his bank account, too, so he asked for money through a newly created PayPal address. The friend was ready to deposit the money before Moore actually called her.
This proves that the attack is very easy, and the social engineering aspect of the scam has solid grounds, even if everything is totally fake. Some of our social media friends are very easy to defraud, and hackers are looking for them daily. If you receive a message asking you for money coming from one of your friends’ accounts, just call them to confirm the situation or debunk it.