Those of you who have read my previous blog posts titled “Sponsored Scamming”, “LinkedIn Scammers” and “Who Viewed My Profile?” have learned that scammers make effective use of social media platforms. What surprised me the most after writing these articles, however, was that almost 2 years later the “LinkedIn Scammers” post was still receiving comments about the ongoing activities of fraudsters.
After writing three articles on this topic, I had decided to let matters take their course, but in September 2021, after receiving the following message from Volkan DEMİRPENÇE on LinkedIn, I decided not to remain indifferent and asked my spouse and friends to share with me any suspicious messages they received on Instagram.
As time passed and I was able to examine the phishing messages that came my way and learn how they hacked Instagram accounts, I decided to write about this topic in order to raise awareness for friends like Volkan.
In one of the phishing messages, the scammer contacted an Instagram user through Facebook Messenger from an account named Telif Hakları (Turkish for “Copyrights”), claimed that a copyright infringement had been committed, and asked the user to visit userhelpconfirm[.]site-tr[.]site, hosted on the shared IP address 116[.]202[.]53[.]12, to confirm their account and fill out a form.
When the user’s Instagram username was entered on the site, the page fetched the user’s profile picture through the dumpor.com website and displayed it in the background of the password prompt, purely to make the request for the password look more credible.
If the account is protected with two-factor authentication (which I strongly recommend using), then after the correct password is entered on the phishing page the user is asked for the verification code (SMS or login code) and, as if that were not enough, for their email address and its password as well.
Once all of this information is entered, the scammers have everything they need to take over the Instagram account and pursue their nefarious goals; what they can do from there is limited only by their imagination. To understand their intentions and obtain the IP addresses of the systems they use, I created a fake Instagram account, entered its details on this page, and waited for them to hijack it. The account probably failed to attract their interest because of its low follower count, so I was unable to let them into it.
I can hear some of my readers saying, ‘Well, who would believe these phishing messages anyway?’ I asked myself the same question and continued to examine the phishing messages for a while.
In another phishing attack, I encountered a cold-blooded scammer who took great care to keep the phishing site from being caught by security controls, did not hesitate to use sweet talk to persuade, and did not shy away from building their scenario around a sensitive topic such as “No to Violence Against Women” to achieve their sinister goals.
On October 21, the scammer, who hid behind the gamzedemirel.avk account with a fake name, surname, and profile photo, and entered into communication with the target user pretending to be a lawyer, stated that they were in an endless struggle against violence against women and children and wanted to talk for 2 minutes.
After six days without a response from the target user, the scammer contacted them again on October 26, said that they had not seen the target’s name among the supporters, and asked for support through the kadinlaradestek[.]com/home.php website, which was hidden behind Cloudflare.
When I visited the website, I noticed that the scammer had taken various technical measures to keep the operation running for a long time. Visiting https://kadinlaradestek[.]com directly put the browser into a loop of 404 (page not found) errors and the site never opened; it could only be reached through the direct address https://kadinlaradestek[.]com/home.php.
Another detail that caught my attention was that the site served different content depending on how you arrived. If you reached it through an Instagram private message and pressed the INSTAGRAM İLE OY VER (“vote with Instagram”) button at the bottom of the page, you were presented with a form at https://kadinlaradestek[.]com/login.php that steals your information. If instead you opened https://kadinlaradestek[.]com/login.php directly in your browser, you got a box asking for a username and password rather than the form, and pressing CANCEL led to a fake error page. In short, the scammer had clearly taken measures to keep phishing pages of this kind from being detected by the scanning tools of cybersecurity companies.
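The context-dependent behaviour described above (a credential form for visitors arriving from Instagram, an HTTP authentication box or error page for everyone else) is what defeats a scanner that fetches a URL only once. The following script is an added example, not code from the post or from any scanning product: it requests the same URL under several assumed visitor contexts (plain browser, Instagram referrer, Instagram in-app browser; the header values are placeholders) and reports whether the responses disagree on status or on whether a password field is served. The fetcher is injectable so the logic can be exercised offline.

```python
"""Probe one URL under several request contexts and report whether the
server serves different content depending on how the visitor arrived.
Added example; the header sets below are assumptions about what a
cloaking page might key on, not a record of what this scammer checked."""
import re
import sys
import urllib.error
import urllib.request

# Visitor contexts to compare. User-agent strings are illustrative placeholders.
VARIANTS = {
    "direct": {"User-Agent": "Mozilla/5.0 (example)"},
    "instagram_referrer": {"User-Agent": "Mozilla/5.0 (example)",
                           "Referer": "https://www.instagram.com/"},
    "instagram_inapp": {"User-Agent": "Mozilla/5.0 (Linux; Android 11; example) Instagram"},
}

# A password input in the body is the strongest sign that a credential form was served.
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
# The username/password box the post describes is an HTTP authentication challenge.
AUTH_CHALLENGE = 401


def http_fetch(url, headers, timeout=10):
    """Real fetcher: returns (status, body). HTTP error statuses are returned
    rather than raised, because a 401 or 404 is exactly what we want to record."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def summarise(status, body):
    """Reduce a response to the features that matter for cloaking detection."""
    return {
        "status": status,
        "auth_challenge": status == AUTH_CHALLENGE,
        "credential_form": bool(PASSWORD_FIELD.search(body)),
        "length": len(body),
    }


def probe(url, fetch=http_fetch):
    """Fetch the URL once per context and summarise what each context received."""
    return {name: summarise(*fetch(url, headers)) for name, headers in VARIANTS.items()}


def is_cloaked(results):
    """True when the contexts disagree on status or on whether a credential form was served."""
    statuses = {r["status"] for r in results.values()}
    forms = {r["credential_form"] for r in results.values()}
    return len(statuses) > 1 or len(forms) > 1


def credential_form_contexts(results):
    """Names of the contexts that were shown a password field, sorted for stable output."""
    return sorted(name for name, r in results.items() if r["credential_form"])


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_cloaking.py <url>")
    found = probe(sys.argv[1])
    for name, summary in found.items():
        print(f"{name:20s} {summary}")
    print("cloaked:", is_cloaked(found), "form shown to:", credential_form_contexts(found))
```

A single "direct" fetch of login.php would have recorded only the 401 challenge and classified the page as harmless; comparing contexts is what exposes the form that Instagram-referred visitors receive. Run it only against sites you are authorised to examine, and from a network you do not mind the operator seeing.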
Like a lion focused on its prey, the scammer closely monitored whether they were able to steal the information of the target user, and contacted them again on October 28 and November 1.
As before, to understand the scammer’s intentions and obtain their IP address, I began entering the details of the fake Instagram account I had created into the form on this page at intervals and waited for them to take over the account. As soon as I entered my details, I received warnings from Instagram that my account had been accessed from Adana and Mersin and that two-factor authentication had been turned off. The speed with which the scammers carried out these actions suggested that the stolen information was being processed automatically by a script running in the background.
When it came time to find the IP addresses of the scammers who had logged in, I first had to request a copy of my Instagram account data through Settings -> Security -> Download Data in the Instagram mobile app. After receiving an email from Instagram saying the data was ready, I downloaded the ZIP file, opened it and looked at login_activity.html in the login_and_account_creation folder, which showed that the scammers had accessed my account from a different dynamic Turkcell IP address each time. Looking up the addresses showed that 22.214.171.124 belonged to the Diyarbakir IP pool and 126.96.36.199 to the Kayseri IP pool. The dynamic, ever-changing addresses suggested that the operations were being carried out by a script running in the background on a rooted phone or other mobile device. The fact that the scammers did not change the password after logging in indicated that they wanted to keep quiet access to hacked accounts for a long time and use them for their own ends.
Lastly, to identify the innocent users who had fallen victim to these scammers, I used ffuf, a tool well known to offensive security professionals, to discover PHP files on the website. It did not take long for ffuf to find a file called vip.php. Visiting https://kadinlaradestek[.]com/vip.php gave me a list of the accounts the scammers had hijacked since October 26th. The list showed that between October 26th and November 25th the scammers had successfully targeted more than 70 Instagram users, specifically for their networks, and the follower counts of those accounts showed that approximately 200,000 Instagram users were at risk of being attacked or scammed through the hijacked accounts.
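Reviewing login_activity.html by eye works for one incident, but the same export can be checked routinely. The script below is an added example (not from the post, and not based on Instagram’s documented export format): it pulls timestamp/IP pairs out of the visible text of the file, so it does not depend on particular tags or class names, and flags any login whose address falls outside networks the account owner recognises. The embedded HTML sample is constructed for the example and uses documentation-range addresses rather than the real IoCs above.

```python
"""Extract login timestamps and IP addresses from an Instagram data-export
login_activity.html and flag logins from networks the owner does not know.
Added example: the HTML layout is constructed, not Instagram's actual markup,
which is why the parser reads visible text instead of specific tags."""
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample. Addresses are from documentation ranges, not real logins.
SAMPLE_HTML = """
<html><body>
<h1>Login activity</h1>
<table>
<tr><td>Time</td><td>2021-10-28 14:02:11</td><td>IP address</td><td>203.0.113.45</td></tr>
<tr><td>Time</td><td>2021-10-28 14:02:40</td><td>IP address</td><td>198.51.100.7</td></tr>
<tr><td>Time</td><td>2021-11-01 09:15:03</td><td>IP address</td><td>192.0.2.10</td></tr>
</table>
</body></html>
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(?::\d{2})?$")


class TextCollector(HTMLParser):
    """Collects the visible text of the document as a list of stripped chunks."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.chunks.append(text)


def extract_logins(html):
    """Return (time, ip) pairs in document order; each IP is paired with the
    most recent timestamp that preceded it in the text."""
    collector = TextCollector()
    collector.feed(html)
    logins, last_time = [], None
    for chunk in collector.chunks:
        if TIMESTAMP.match(chunk):
            last_time = chunk
        elif IPV4.match(chunk):
            try:
                addr = ipaddress.ip_address(chunk)
            except ValueError:  # e.g. an octet above 255
                continue
            logins.append((last_time, str(addr)))
    return logins


def flag_unfamiliar(logins, trusted_networks):
    """Mark a login trusted when its address lies in one of the owner's own
    networks (home, office, known mobile range); everything else needs review."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    report = []
    for when, ip in logins:
        addr = ipaddress.ip_address(ip)
        report.append({"time": when, "ip": ip,
                       "trusted": any(addr in net for net in nets)})
    return report


if __name__ == "__main__":
    # Replace SAMPLE_HTML with open("login_activity.html").read() for a real export.
    for row in flag_unfamiliar(extract_logins(SAMPLE_HTML), ["192.0.2.0/24"]):
        marker = "" if row["trusted"] else "  <-- review"
        print(f"{row['time']}  {row['ip']}{marker}")
```

The untrusted rows are the ones to enrich with a WHOIS or ASN lookup, as the post does by hand for the Turkcell addresses; a login from an unfamiliar carrier pool immediately followed by a two-factor-disabled notice is the pattern worth treating as a compromise.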
In conclusion, as I have also emphasized in my previous articles, I recommend that all readers do not click on links from unknown sources (emails, SMS, private messages, etc.), do not enter passwords, two-factor authentication codes, or other sensitive information on websites or forms that they do not know, use two-factor authentication on all accounts whenever possible, follow the guidelines on this page to ensure the security of their Instagram accounts, visit Instagram’s support page to recover hacked accounts, and finally, share this article with friends and acquaintances who use social media to raise awareness.
On the occasion of this being my final article of the year, I would like to wholeheartedly wish all my readers a happy new year, and I hope that 2022 brings health, happiness, and abundance to everyone.