Instagram and Facebook are still unable to cope with simple phishing


NOS News, today, 07:13. Amended today, 07:54

  • Joost Schellevis

    editor Tech

  • Salwa van der Gaag

    editor NOS on 3


Relatively simple tricks are still enough for scammers to take over accounts on platforms such as Instagram and Facebook, despite measures those platforms have taken to keep hackers out. This is evident from research by the NOS, which monitored a Nigerian gang of internet scammers. Unnoticed by the gang, the NOS identified 3,200 victims, 1,000 of whom were from the Netherlands, who lost their Instagram, Facebook or email accounts.

The number mentioned is probably only a fraction of the gang's total number of victims. For victims, it starts with a fake web page that tempts them to enter their login details. In reality, the login details go to internet criminals; that is called phishing. The criminals then quickly change the email address and password associated with the account, after which the owner can no longer access it.

The NOS followed the trail of such an attack and ended up in Lagos, the largest city in Nigeria. Armed with nothing more than an iPhone, criminals steal login details from internet users every day, in many cases Dutch ones.

In this video from NOS op 3 you can see how this research went:

How we watched a Nigerian phishing gang

With the help of security researcher Matthijs Koot, the NOS gained access to the gang's systems. For three weeks, the NOS watched the criminals claim new victims every day, at least 3,200 in six months. In addition to Instagram and Facebook accounts, they also targeted X accounts and email accounts.

About a third of the people who entered their details on the fake page and whom the NOS identified came from the Netherlands. It is impossible to say in how many cases victims' accounts have actually been hijacked.

[Figure: Activity of the scammer gang. Source: NOS]

The group is not very advanced. “Their technical expertise is very limited. So you don’t have to be a brilliant technician to create victims,” says security researcher Koot. Among other things, the criminals appear to distribute spam for cryptocurrency scams via cracked accounts.

What exactly they do with the cracked accounts remains unclear in many cases. Victims often do not know exactly what is happening with their account. The accounts can be used to scam people or spread disinformation. Using the accounts to sell likes and followers is also possible.

It is unknown who is behind the gang and whether the group deliberately targets Dutch victims. The NOS found out the group’s contact details and asked them for more information, but no answers were forthcoming.

What is certain is that they come from Nigeria. They mainly logged in from that country, via mobile internet. They did this without using a so-called VPN connection, which could have masked their real internet address. The attackers’ web hosting account, to which the NOS gained access, was also set up in Nigeria.

[Figure: Locations of the victims of the scammer gang. Source: NOS]

In total, the Nigerian scammer gang has at least 125 phishing websites to its name, of which 24 are currently in active use. An attack starts with a message from an Instagram or Facebook friend saying that he or she is participating in a certain event, challenge or election, and asking, “Will you support me?”

“I clicked on that and then thought I had to log back into Instagram, so I did,” one victim said. Then the account is hijacked and the same message goes out to the victim’s friends, like a virus spreading.

Regaining access to a hijacked account is then difficult for victims. “Instagram doesn’t help you at all! The helpdesk didn’t want to help me too much either, because they were afraid that I was the hacker. The world is upside down!” says a victim of the hacker group.

The parent company of Instagram and Facebook, Meta, does not respond to written questions, so it remains unclear why it is unable to combat scammer groups with limited technical knowledge. But properly securing accounts is also difficult, says Koot. “If you lock it down too strictly, there is a chance that you will lock out users.”

Even extremely suspicious behavior, such as logging in from the other side of the world, cannot be ruled out. “A user could also be on vacation or working from abroad.” One solution may be that you cannot change an email address associated with the account without being able to access that original email account. But: “In the real world, people regularly lose access to their email, so that doesn’t work either,” says Koot.
