Instagram is a massive platform, with roughly a billion people all over the world using it to share photos. The most popular users’ images attract thousands or even hundreds of thousands of comments each, which makes them the perfect place to hide a string of text (say, code that activates malware) that looks meaningless to most people.
A Russian hacking group tried none other than celebrity Britney Spears’ Instagram account as a hiding place for instructions to malware it was spreading, security firm ESET described in a blog post.
One comment the researchers pointed to looks like any other mildly incoherent fan or spam comment, exactly the type you’d expect to see dozens of: “#2hot make loved to her, uupss HHot #X”
Most of us would scroll right on by a comment like that. But to a computer, it can be an instruction.
It’s part of a “watering hole” attack, ESET explains. If a computer has certain malware on it, a message like this one can direct it to a specific website.
In this case, the malware was hidden in a Firefox browser extension. A compromised browser on that page would use the comment as an instruction for how to assemble and visit a particular link. Once that link was “clicked,” the malware could basically “phone home” and connect to its controllers.
USA Today compares the message to a spy leaving a window shade down, or a light on in a window, to communicate to handlers. If another spy sees that coded message, they know to go to a dead drop to find new information.
So, too, does the malware. When it comes upon that coded message, it scans through it to figure out what link to reach for, then goes there to find new information.
In this instance, the “dead drop” is an instruction for the malware to reach out to a digital location, one that, for the hackers’ own security, can easily be moved, and send any useful information it has found, scraped, or stolen.
Luckily, this particular instruction didn’t have anything another Instagram user could click or interact with in it, so there’s no possibility it was used directly to transmit the malware to others.
The group behind this particular attack is better known for targeting websites of various embassies, ESET notes. This particular Instagram vector was probably just a test, since there was very little traffic to the target site.
But switching to using social media sites is a clever tactic for the attackers, ESET concludes.
“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic,” they note. And secondly, it gives the attackers lots of flexibility to change the address they’re linking their malware to, and also to erase all traces of the link as soon as they’re done. As indeed they have already done: the comment was deleted from the Instagram post by the time most sites covered the news.
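The mechanism described above (a browser implant repeatedly re-reading one Instagram post to pick up its next instruction) and ESET's point that such traffic blends in with ordinary social-media use suggest one thing a defender can still look for: cadence. A person reading a post does not fetch the same URL every ten minutes with almost no jitter; a scripted poller does. The script below is an added example, not code from ESET's report or from the article; it assumes a simple constructed proxy-log format (`<ISO timestamp> <client> <method> <url>`), a placeholder post path `p/EXAMPLE_POST` rather than the real one, a small list of social-media hosts, and thresholds (`min_hits`, `max_cv`) that are assumptions you would tune against your own traffic.

```python
"""Flag hosts that poll the same social-media URL on a fixed cadence.

Added example (not from ESET's report or the article): a small beaconing
detector over constructed proxy-log lines. It groups fetches by
(client, url), measures the gaps between fetches of the same URL, and
reports pairs whose gaps are both frequent and unusually regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <client> <method> <url>".
# "p/EXAMPLE_POST" is a placeholder path, not the post from the report.
# 10.0.0.5 re-fetches one post roughly every 600 s; 10.0.0.7 browses it
# at human-looking irregular intervals.
SAMPLE_LOG = """\
2017-06-06T10:00:00 10.0.0.5 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T10:00:04 10.0.0.5 GET https://www.instagram.com/static/bundles/base.js
2017-06-06T10:09:58 10.0.0.5 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T10:20:03 10.0.0.5 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T10:30:01 10.0.0.5 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T10:39:59 10.0.0.5 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T10:01:13 10.0.0.7 GET https://www.instagram.com/explore/
2017-06-06T10:01:40 10.0.0.7 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T10:47:22 10.0.0.7 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T11:55:09 10.0.0.7 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T12:02:35 10.0.0.7 GET https://www.instagram.com/p/EXAMPLE_POST/
2017-06-06T12:03:00 10.0.0.7 GET https://www.instagram.com/p/EXAMPLE_POST/
"""

# Assumed list of hosts worth watching; extend to match your environment.
SOCIAL_HOSTS = ("www.instagram.com", "twitter.com", "www.facebook.com")


def parse_log(text):
    """Yield (timestamp, client, url) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, _method, url = parts
        yield datetime.fromisoformat(ts), client, url


def host_of(url):
    """Return the host part of a URL ("https://h/p" -> "h")."""
    return url.split("//", 1)[-1].split("/", 1)[0]


def find_beacons(text, min_hits=4, max_cv=0.10):
    """Return [(client, url, mean_gap_s, cv)] for regular pollers.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive fetches of the same URL: a scripted poll keeps it near
    zero, a person clicking around does not.
    """
    seen = defaultdict(list)
    for ts, client, url in parse_log(text):
        if host_of(url) in SOCIAL_HOSTS:
            seen[(client, url)].append(ts)

    hits = []
    for (client, url), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append((client, url, round(avg), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, url, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {url} every ~{avg}s (cv={cv})")
```

On the constructed log this flags only 10.0.0.5, whose five fetches of the post are about 600 seconds apart with a coefficient of variation near 0.005, while 10.0.0.7's irregular visits fall well outside `max_cv`. The heuristic is deliberately coarse: pages that auto-refresh will also look regular, so in practice you would pair it with which process or browser extension issued the request and whether a short redirect-style fetch followed each poll, which is the "go to the dead drop" step the article describes.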