
49 Replies

  • Do you know how she manages her passwords?

  • Different email account? MFA?

  • Email may be compromised, not Instagram.

  • First thought was a combination of the previous comments. Does she use Google* to save passwords?

    Another thought...does she have other social media accounts that may not be used as often? Check those as well, if there are problems with those, it might point you in the right direction as to what they have in common. 

    * Edit to clarify: Signing into Google account to access bookmarks, email etc. across all devices. 

  • Zed Denis Kelley she has made a different email for every account she has made. She uses MFA but for Instagram it's SMS hence why I'm thinking the SIM may be cloned. 

    b_slinger​ It's only her Instagram, I know she uses other socials but nothing has gone wrong with them. Not sure if she uses Google to autofill them but I'll ask her

    MarkPayton​ Not sure actually, I'll give her an ask. 

  • You mentioned she used a different phone. Was it the same number with the old SIM card? Your idea of a cloned SIM sounds reasonable in that case.

  • MarkPayton wrote:

    You mentioned she used a different phone. Was it the same number with the old SIM card? Your idea of a cloned SIM sounds reasonable in that case.

    Yep it was the same number hence why I believe it might be a clone. Very odd situation though because she recently met someone and exchanged phone numbers etc. They've been texting via SMS and the same thing has now happened to his account and receiving extortion messages from the same hacker. This surely seems like someone is directly trying to target her and trying to blackmail her for crypto.

  • If her SIM is cloned, I can see the hacker trying to extort her contacts via text but how would they hack her recent acquaintance's IG account? Did she meet the new guy before the original hack? I'm generally a skeptical person so I'd be concerned about that "new" relationship. "I got hacked too" might be a convenient distraction. 

  • Yeah I was kinda poking on the fact it might be someone she knows if it's this often; however this new person she met a week ago and this has been happening to her for about 2 months now. I don't believe it's the new person but the likelihood of this being someone she knows or knows of her (some weird ex or something) is going up and up. As I said she has quite a large following so it could just be some creep out there O.o

  • When she creates the password make sure she isn't simply adding or incrementing a number on the end. Make sure it's a truly random 25 character password.

    She might not be completely honest with you about what she is doing because she doesn't want to admit it. 

  • Even if her SIM is cloned, wouldn't the person need access to her email? Try a Google Voice number when registering using a different email account altogether. This would mean there would be 2 email accounts and 3 MFA checks, 1 for Instagram if there can be and an MFA for both Gmail accounts, the one she used to sign up to Instagram on and 1 for Google Voice.

  • I've had several friends of mine reach out with the same issue. Is she talking with someone and giving them her one time code or verification code by chance? Brute forcing a password of that length and complexity would take ages even with a super computer. If they're doing a password reset and they've got access to capture that code somehow that's the only way I'm able to figure they're obtaining the means to gain access to the account. Have her set up a new email, then set up the account with a Google Voice account, enable MFA, 

    The only two options for this happening are either she's providing the person with the account code, or someone has been able to phreak her phone and do it themselves. 

  • Does she do all of this via her wifi at home? Maybe her wifi has been hacked and a packet sniffer has been dropped onto it.

  • I was going to wade in but I think most have it all covered, that is every way I would hack it if I was so inclined.

    this person didn't understand................................................................................VVVVV

  • That's wild, they must have access to the passwords vault, maybe they have her google keychain login or google account etc, or possibly a recovery account set to an email that is already compromised.

    I'd be careful because if that's the case they could potentially grab her financial information too, she needs to change everything starting from the bottom up and set up MFA with a new device over cell data, and not link them with SMS or anything.

  • I'd be casting a furtive glance at this new somebody she's met. It's possible this "somebody" could be behind it and found a way to initiate personal contact to perpetuate the hack - just because the hacking began before she met this person doesn't mean there's no connection. I'm especially suspicious of the "you're getting hacked oh no me too!" line. Certainly a concerning situation, for sure.

  • EliteHuskarl wrote:

    I'd be casting a furtive glance at this new somebody she's met. It's possible this "somebody" could be behind it and found a way to initiate personal contact to perpetuate the hack - just because the hacking began before she met this person doesn't mean there's no connection. I'm especially suspicious of the "you're getting hacked oh no me too!" line. Certainly a concerning situation, for sure.

    I completely agree, it seems very convenient and strange that they would appear shortly before, then also get "hacked" as well.
  • Denis Kelley wrote:

    Email may be compromised, not Instagram.

    Exactly what I'm thinking.

  • Definitely seems like email & equally potentially the cell is compromised and likely both. Another thought, not sure where this is at, but is somebody potentially "spying" on her with binoculars/telescope from an adjacent building? If she is famous enough, has a camera been placed? And maybe I watch too many movies. 

  • Maybe a keylogger installed on her phone?

  • Instagram supports authenticator apps, so if anything to do with the phone or service is in question, using an authenticator app addresses that.

    I'd be using a Google Voice number for any required SMS authentication because then that will be behind MFA also and not have a vulnerability of the phone or service being intercepted.

  • chris.hone.5688 wrote:

    Does she do all of this via her wifi at home? Maybe her wifi has been hacked and a packet sniffer has been dropped onto it.

    I can't tell if you mean that something has been installed on her networking equipment or if you mean that wifi signal itself has been compromised. What are you suggesting as a remediation if your idea is the case?

  • The police in many cases are hamstrung due to the overwhelming number of cases that simply exceed man power and available skilled investigators.

  • Reminds me of my nephew and his Sony Account. No matter what he did someone hacked it.  He swears by 2FA/MFA now. He wasn't using it before but he's using it now.

  • I know this might sound callous. But what is the hacker doing exactly? Is it stalking-like behavior? Or are they trying to gain/steal money? 
    Law involvement will really get a fire lit under them so long as there is a monetary loss of at least $500 as this would constitute a felony. 
    If the person is exhibiting behaviors of stalking as well then this could indicate that the person is at least somewhat close by. (same country) at least. 
    If your friend uses her IG for marketing or money flow then it could easily be said she is losing money due to the hacker. And going to the police for them to forward to the FBI would actually be a quick process.
    And with your current situation where the person would hack into her account again and easily get themselves caught while being watched. Well you should get the law involved. 
  • I agree with Darling. You could actually go directly to the FBI.  Look for the nearest FBI field office.  The SIM card clone is a very possible thing.  Good thought on changing that out. 

  • Things I hope you had her do, but if not to try:

    - Doesn't insta offer MFA like facebook?  Is MFA enabled?

    - Use a brand new email address.

    - Use a brand new google voice number for the MFA.  

    EDIT:  I just checked and instagram does in fact offer two factor auth (MFA).  Go in and enable it....bc of your post here I realize I never enabled mine!  Now it is!

  • They do allow 2fa however I did see someone get locked out because of it too. So make sure they use a permanent number

  • About half of popular websites tested found vulnerable to account pre-hijacking...  hacked before you log in, sound like your description.

    https://www.theregister.com/2022/05/25/web_pre_hijacking/

    Perhaps a little late to the discussion... from the article ^^^

    "This attack exploits a vulnerability in which authenticated users are not signed out of an account when the password is reset," the researchers explain. "This allows the attacker to retain access to a pre-hijacked account even after the victim resets the password."

    Dropbox, for example, was found to be vulnerable to the Unexpired Email Change Attack. Instagram was found to be vulnerable to the Trojan Identifier Attack. Microsoft's own LinkedIn was potentially vulnerable to the Unexpired Session Attack, as well as a variant of the Trojan Identifier Attack. WordPress and Zoom were each found to be vulnerable to two of these attacks.

  • Thought I would add this as it's good for informational purposes on different hack attempts:

    https://amp-thehackernews-com.cdn.ampproject.org/v/s/amp.thehackernews.com/thn/2022/05/learn-how-hac...

  • Wow I got a lot of replies on this. So it's been a few days so far and not heard much back from her. I did tell her to use a 25 character randomised pw but she didn't do it even though I said that's probably the best fix is to increase your security. So a lot of you guys have said about her email being compromised, she has created new email addresses for every account she's made. chris.hone.5688 You said it may be an eavesdropper on the network, this was one of my first thoughts when she explained what happened hence why I asked her to create a new account on a new device using 4G but again the same thing happened and that device was never added to her network, they were also created on new iClouds every time. 

    greganderson5Spicy Joseph Yep, she had MFA on every account, she even got a brand new SIM card and used that for SMS 2FA on a new phone straight out the box and the same thing happened in 48 hours, same guy. He is now emailing several people she knows, like direct email not dm on insta, telling them they're going to be hacked within 24 hours unless they pay $*** in BTC and the weird thing is they actually all have lost their accounts. It's so weird, like this is actually a rollercoaster of a ride to be seeing.

    @darling I asked if she knows of anyone that might do this and she doesn't, no crazy ex's or anything. The hacker is targeting people who work for her as well.

    EliteHuskarl Always possible, the thing is now several people she knows have had the same thing happen because the hacker has caught wind that she is trying to stop the attack and he's going for as many people as possible before he fails. How he found out I have no idea, maybe he is seeing messages or listening into calls.

    Sorry I can't reply to all but these were general answers to most of you. Still trying to crack the case of this one lol.


  • That's alarming and has got to be pretty upsetting! Keep us posted as I know I for one will be hoping and praying for a resolution to this disconcerting turn of events.

  • eshmesh​....How would it work, if you created the account and MFA through a free google voice number OR your cell number.  AND all of this you are doing it for her (not her doing it)

    Then you pass the info along via handing it off on a piece of paper.  

  • info2290 wrote:

    They do allow 2fa however I did see someone get locked out because of it too. So make sure they use a permanent number

    Insta gives you static numbers from mfa you would copy aside in a notepad on phone.  for if you lost the cell number.  

  • Also I'm not totally sure on the legality or if there is reason of this, so I would like to know if this is allowed or will even be useful. So the hacker and the people involved are emailing each other back and forth. I've told them not to be emailing him but they do it anyway (yes ik why ask me for help if they won't listen). BUT! I had an idea, could I potentially get them to email the hacker with a tracking pixel to grab their IP so I have information to take to the authorities about who they are and where they may be. Not sure if tracking pixels bypass a VPN though since I think they will most likely be using one. I'm trying to get her to send me eml attachments of the original email from the hacker so I can check the data to find an IP it was sent from but they're not doing it for some reason lol

  • greganderson5 wrote:

    eshmesh​....How would it work, if you created the account and MFA through a free google voice number OR your cell number.  AND all of this you are doing it for her (not her doing it)

    Then you pass the info along via handing it off on a piece of paper.  

    Ah yes, this was a plan. I have an old phone I don't use anymore and I've created an account however I've lost the SIM card to set up the 2fa. I'm going to try and see if that gets hacked too. If not I can create the account for her and pass it on.

  • Nice article!  Thanks! The breakdown of the attacks is great.  

    Jeff_D wrote:

    Thought I would add this as it's good for informational purposes on different hack attempts:

    https://amp-thehackernews-com.cdn.ampproject.org/v/s/amp.thehackernews.com/thn/2022/05/learn-how-hac...

  • eshmesh wrote:

    Wow I got a lot of replies on this. So it's been a few days so far and not heard much back from her. I did tell her to use a 25 character randomised pw but she didn't do it even though I said that's probably the best fix is to increase your security. 


    Gotta Love People!

    Person... How do I fix problem A

    Response.... Do this

    Person.... I can't do that!  

    Person... Ignores advice and continues on as normal complaining about the problem.

  • molan wrote:

    Gotta Love People!

    Person... How do I fix problem A

    Response.... Do this

    Person.... I can't do that!  

    Person... Ignores advice and continues on as normal complaining about the problem.

    *creates new IG account*
    *new IG account gets hacked*

  • Exactly!  LOL

  • eshmesh wrote:

    Also I'm not totally sure on the legality or if there is reason of this, so I would like to know if this is allowed or will even be useful. So the hacker and the people involved are emailing each other back and forth. I've told them not to be emailing him but they do it anyway (yes ik why ask me for help if they won't listen). BUT! I had an idea, could I potentially get them to email the hacker with a tracking pixel to grab their IP so I have information to take to the authorities about who they are and where they may be. Not sure if tracking pixels bypass a VPN though since I think they will most likely be using one. I'm trying to get her to send me eml attachments of the original email from the hacker so I can check the data to find an IP it was sent from but they're not doing it for some reason lol

    I've never heard of a tracking pixel before...

  • questions

    1. she uses the phone only to log in to the social media account?

    2. when she makes a new account is it at home?

    3. is she using WIFI or cell signal for the internet?

    4. is her firewall/router up to date and using a strong password?

  • EliteHuskarl wrote:

    I've never heard of a tracking pixel before...

    KnowBe4 uses them to track when someone has opened a phishing test email. It only works if the recipient downloads the images in an email though.

  • If I'm understanding correctly, she is using SMS for MFA, right? SMS for MFA has been deprecated for quite a while now for this very reason. At the very least, an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy should be used. Passwords should not be saved in anything but a dedicated password vault - LastPass (what I use), Dashlane, or 1Password are all good options if you want something cloud accessible. Otherwise, KeePass and its variants are all good if you want passwords locally stored.

    Your other option is to use something hardware based (or combine with the authenticator apps above for 3FA). YubiKey is your friend here.

    Your friend can recover from this and secure her accounts, but it will take work and a willingness to do what is necessary to secure her accounts.

  • bradendrown wrote:

    EliteHuskarl wrote:

    I've never heard of a tracking pixel before...

    KnowBe4 uses them to track when someone has opened a phishing test email. It only works if the recipient downloads the images in an email though.

    KnowBe4 and everyone else.

    It's basically an image (usually a single pixel) in an email that has a custom URL so that when the user's email client downloads it the sender knows exactly that the email was viewed. It's why I always tell people to never download and view the images. As soon as you do you just set off an alarm saying you are a real person and you are looking at whatever junk was sent to you. This makes you an instant verified target.

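How a mail filter or an analyst can spot the pixels described in the post above, as an added example that is not part of the original thread: it scans a message's HTML part for remote images that the reader cannot see. The sample message, the function names and the "tiny or hidden" heuristic are assumptions made for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message (not from the thread); all hosts use the reserved .example TLD.
SAMPLE_EML = """\
From: sender@mail.example
To: reader@corp.example
Subject: Account notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review your account.</p>
<img src="https://cdn.mail.example/logo.png" width="120" height="40">
<img src="https://track.mail.example/o.gif?rid=8f3a1c9e77b2" width="1" height="1">
<img src="https://track.mail.example/p.png?u=reader%40corp.example" style="display: none">
<img src="cid:inline-banner" width="1" height="1">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dim_is_tiny(attrs, name, style):
    """True if width/height is 0 or 1 pixel, via HTML attribute or inline CSS."""
    if re.fullmatch(r"\s*[01](px)?\s*", attrs.get(name, "")):
        return True
    return re.search(rf"(^|;){name}:[01](px)?(;|$)", style) is not None


def find_tracking_pixels(raw_eml):
    """Return remote images that are invisible to the reader (likely open beacons)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            url = urlparse(attrs.get("src", "").strip())
            # Only http(s) images cause a request to the sender's server on display;
            # cid: and data: images are carried inside the message itself.
            if url.scheme not in ("http", "https"):
                continue
            style = re.sub(r"\s+", "", attrs.get("style", "").lower())
            reasons = []
            if _dim_is_tiny(attrs, "width", style) and _dim_is_tiny(attrs, "height", style):
                reasons.append("1x1 or smaller")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden via CSS")
            if not reasons:
                continue  # a visible remote image, e.g. a logo
            params = sorted(parse_qs(url.query))
            if params:
                # A per-message query value is what ties the fetch to one recipient.
                reasons.append("query parameters: " + ", ".join(params))
            findings.append({"url": url.geturl(), "host": url.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EML):
        print(finding["host"], finding["url"], "; ".join(finding["reasons"]))
```

On the sample, the two images served from `track.mail.example` are reported, while the visible logo and the embedded `cid:` image are not.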
  • It's not a SIM swap attack...her phone would stop working then. I'd go with the email account logon credentials or her phone are compromised. Tell her to put MFA on her email (and Instagram accounts), phishing-resistant MFA if possible. This will quickly narrow down the problem to what it is not. 

    If that doesn't work, I'd go with the "her phone or computer device" is compromised. So, go there next. Best option here is to reset the device(s) back to original state and reinstall everything you need. Don't trust AV scans...they don't find crap these days. Change all passwords. Enable MFA where you can. 

    Human-created passwords can be guessed relatively easily these days up to 16- to 18-characters (on compromised Windows devices). If she is using a common pattern over her passwords, they are useless. Tell her to use a password manager. A perfectly random 11-character password is uncrackable, unguessable, using all known attacks. 

    Although I also originally like the "WiFi" is compromised idea (kudos to that idea), it's probably not that either, because all logons are protected by HTTPS, so just because you gain access to the WiFi network doesn't mean you can sniff the traffic involved (unless you MitM it also...which is possible...but has its own issues)...and I have to believe that some of those logons were stolen when she was away from her home WiFi. 

    If her phone/device is compromised, they can compromise her MFA involved in those accounts as well...although depending on the type of MFA used, not always...or it gets significantly harder.

  • This is sounding more like there's somebody at Insta selling her account info, but is there stalkerware on her phone? It is sounding more and more like once something hits her phone then it gets compromised.  This is a morbidly fascinating thread

  • I'm a pretty infrequent Instagram user, but had my account hacked repeatedly for a couple weeks until I discovered and activated their 2FA.  My recommendations for Instagram:

    1. CHECK THE LOGIN ACTIVITY [Settings]
    2. Be sure to log out all devices other than the one she is using [Login Activity]

      She can check the location of each login and see where the hacker was logging in, though an IP is not provided ☹

    3. Change the password again [Privacy and Security]
    4. Activate 2FA [Privacy and Security]

    Personally, I'd recommend to try turning her account to Private for a period of time as a small experiment. Existing followers won't be affected if she wants to observe if there's any change in behavior after going private.

  • bradendrown wrote:

    If I'm understanding correctly, she is using SMS for MFA, right? SMS for MFA has been deprecated for quite a while now for this very reason. At the very least, an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy should be used. Passwords should not be saved in anything but a dedicated password vault - LastPass (what I use), Dashlane, or 1Password are all good options if you want something cloud accessible. Otherwise, KeePass and its variants are all good if you want passwords locally stored.

    Thanks for the mention bradendrown and glad to hear you’re keeping your credentials safe with LastPass​.

    eshmesh, that sounds like such a frustrating situation for your friend and this is something that has been impacting a few in my social circle as well.
    Using a dedicated password manager is definitely what I’d recommend your friend do as well. In case they might be interested, I wanted to pass along an article we have on this topic: https://blog.lastpass.com/2022/04/5-tips-for-staying-safe-on-social-media/
    Wishing you the best in getting to the bottom of this for your friend!

