Singapore-based cybersecurity firm Group-IB has uncovered a sophisticated scam campaign targeting both Instagram users and banking customers in Indonesia. The campaign aims to steal victims’ banking credentials by using hijacked Instagram accounts to spread phishing links to fake websites disguised as login pages for one of Indonesia’s top financial institutions.
Group-IB’s Digital Risk Protection unit discovered over 600 hijacked Instagram accounts used to spread phishing links to over 1,000 affiliated fraudulent domains. The company’s Unified Risk Platform identified and blocked these domains at the request of the impersonated organization. However, as new domains continue to appear regularly, Group-IB continues to monitor the infrastructure and take prompt action to block violations.
The scam campaign is multi-phase and has been active since September 2022. Cybercriminals first identify Instagram accounts with disabled multi-factor authentication and gain access to them by brute-forcing their way in or by phishing the credentials. They then change the account email and activate 2FA to deprive the legitimate owner of access. By taking over legitimate Instagram profiles, the scammers ensure a wider reach, as the hijacked accounts have a considerable number of followers who might think that the content is trustworthy.

The scammers then rename the accounts to make them look like they belong to one of Indonesia’s leading financial institutions by using the organization’s trademark and its official logo as a profile picture. They also create multiple phishing domains, registering spoofed URLs that imitate legitimate ones to make them look more credible. Such websites are usually created and managed in bulk.
After changing the visual appearance of the profile, the scammers post phishing content impersonating the well-known Indonesian bank. They use all available methods to promote their fake resources, including Instagram advertising tools, the feed, and the stories. They also target segmented audiences based on location, interests, and likes. Phishing links are shared on the account’s stories or feed, along with an invitation URL in the bio.
The final stage prompts users to enter their mobile banking app credentials. Many phishing websites reveal themselves only if the victim accesses the resource from a mobile device, which makes detection and takedown more challenging. Additionally, it can be harder for ordinary users to spot inconsistencies on a small mobile screen.
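To illustrate the detection problem described above, the following added example (not Group-IB's tooling and not code from the report) compares what one URL returned to a desktop client and to a mobile client and flags pages that show a credential form only to mobile visitors. The two HTML bodies are constructed samples, and the field-name hints are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Assumed hints for credential-like field names; not indicators from the report.
CREDENTIAL_HINTS = ("pass", "pin", "otp", "user", "card")

class CredentialFieldFinder(HTMLParser):
    """Collects <input> fields that look like credential prompts."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder"))
        if a.get("type") == "password" or any(h in label for h in CREDENTIAL_HINTS):
            self.fields.append(a.get("name") or a.get("id") or a.get("type", "input"))

def credential_fields(html):
    finder = CredentialFieldFinder()
    finder.feed(html)
    return finder.fields

def classify(desktop_html, mobile_html):
    """Compare responses captured for the same URL with two User-Agents."""
    desktop = credential_fields(desktop_html)
    mobile = credential_fields(mobile_html)
    if mobile and not desktop:
        return "mobile-only credential form"   # content is gated on the client type
    if mobile and desktop:
        return "credential form on all clients"
    return "no credential form seen"

# Constructed sample responses (what a crawler might have stored per User-Agent).
DESKTOP_BODY = "<html><body><h1>Site under maintenance</h1></body></html>"
MOBILE_BODY = (
    '<html><body><form action="/login" method="post">'
    '<input type="text" name="user_id">'
    '<input type="password" name="mpin">'
    "<button>Login</button></form></body></html>"
)

if __name__ == "__main__":
    print(classify(DESKTOP_BODY, MOBILE_BODY), credential_fields(MOBILE_BODY))
```

A crawler that only requests pages with a desktop User-Agent would record the first body and miss the form entirely, which is why brand-monitoring checks need to fetch suspect URLs with mobile client profiles as well.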
Aditya Arnanda, Digital Risk Protection Analyst in Indonesia for Group-IB, said that scammers prefer Instagram because it is easier to inspire trust on social media, and visual content tends to resonate with people more. According to Group-IB’s findings presented at the Digital Risk Summit 2022, social media became the number one channel for the distribution of scams in the Asia-Pacific region in 2021, with more than 75% of all scams analyzed by Group-IB observed on social media.
The scam campaign not only targets brand owners but also continuously hurts ordinary people. When Instagram suspends hijacked accounts for trademark infringement, the owners of those accounts lose their digital assets. As such, users are advised to stay vigilant, use multi-factor authentication for their accounts, and treat with suspicion any pages that ask for their banking credentials or payment details.
Arnanda recommends that companies arm themselves with solutions capable of tackling the entire fraudulent cycle and the infrastructure behind it. He emphasized that detection at early stages is key to minimizing the digital risks to affected brands and safeguarding potential victims.


