How one AFR hack got hacked and lost their Instagram


Fast forward to last Thursday. Like almost everyone on the morning commute, I was juggling between emails – work and personal – listening to a podcast, checking FB, Insta and Twitter and a couple of news websites… Another quick text from “my friend” … “Hey I think I was able to get that text to you … snap it fast and send it back”.

These crims are smooth

Yup. Distracted and not thinking, I did just that.

And then before my eyes, things started to fall apart.

I got the warning email about someone trying to access my account … but dummy me, who did NOT have 2FA on… the hackers got into my account and slapped it on for themselves, way over there in Lagos … my account was now theirs.

We are all used to spam emails in awkward, ungrammatical English about claiming millions of dollars for an exiled African prince. That’s so yesterday, these crims are smooth.

Within minutes, friends and family and contacts were getting this kind of talk, trying to ensnare them also into handing over their accounts:

“Hi, you were suggested as a friend to hit up for a help link that I can submit to get back into my account … they keep requesting I get the help link from 3 of my friends … check your phone for the link sent by text, just take a screenshot mate and send it back”.

Now Facebook and Instagram do have strong measures in place – if you have 2FA – to ensure your safety.

And for idiots like me, there are procedures to try to reclaim an account.

That involves answering questions, getting security codes sent to originally registered emails and mobiles. That helps. You can also submit a video selfie that lets them use facial recognition if there’s a photo of you in your account (they don’t keep that video for more than 30 days and never make it public).

Yup… tried that a couple of times to regain access, but as soon as I’d get in (and because I didn’t have 2FA previously set up and the bad guys now had), they’d snatch it back – in real time, as I helplessly watched.

Which brings me to another key thought: that of feeling totally vulnerable and at a loss.

Ego and self-pride

The AFR’s Will Willitts learnt a tough lesson in cyber security, when he lost control of his Instagram account. Floreanne Photography

Besides knowing family and friends were getting spammed and offered Bitcoin at a “top discount”, I had lost a community built up through the pandemic. People who shared my interests worldwide: yoga teachers in Brasilia and Munich; ice hockey fans in Hobart and Calgary; choristers who live in Vermont and Helsinki; and creative types who I’d met on the occasional modelling gig I’ve done, both here, in Europe and the US.

An international community that helped sustain me through two years of plague-bleakness when we couldn’t travel. All of them lost. That hurt even more than the four-by-two whack to my ego and self-pride.

Within minutes on that dark Thursday, Elda, an Insta friend who directs films in LA, texted me on WhatsApp to say she just got spammed and to “Change every one of your banking passwords NOW!!”

I managed to do that and avoided the worst damage. The Fin’s social media editor, Lois Maskiell, pitched into the battle, and it was still a week-long struggle to regain my account.

Turns out, it’s not just the elderly and tech-illiterate who fall victim.

Cyber crime cost of $33b

Hacking often happens to hard-working types over 40, those more consumed with mortgage repayments, credit card bills and school fees than being across the latest cyber security forum on Reddit.

“The bad guys are becoming ever more sophisticated in their approach and the damage that they can do across all platforms,” one techie told me.

Not losing money makes me lucky. The Australian Cyber Security Centre says in financial 2021, self-reported losses from cyber crime totalled more than $33 billion. Since the start of the pandemic, most of the cyber crime focused on Australians losing money and/or personal information.

My colleague, Michael Bleby, had to fight to get an impersonator off the platform. A contact told him about the fake account. “Same profile pic – ripped off all too easily – and same bio, with only a slight misspelling of my name”.

“At first I chuckled – imitation being the sincerest form of flattery,” Bleby says. He soon stopped laughing as he “got an email from someone else asking if it was actually me who had requested to follow their private Insta account. I hadn’t, but my impostor had. Someone was seeking to build relationships or gain info by pretending to be me”.

He tried reporting the fraud to Instagram and got a quick automated response that the account didn’t “breach their terms of service”.

“I was on my own,” he says, noting that as journalists we are “rightly held to account over factual accuracy”, but the big social media platforms “weasel out of the same sense of responsibility by claiming they are not publishers”.

“They just don’t want to spend the vast amount of money, the resources and judgment it would cost to police maliciously fraudulent accounts, let alone the hateful content they often allow to flourish,” Bleby says.

Luckily, he was able to “kick up a fuss with Instagram parent Meta” and the fake account vanished. Another workmate at Nine Entertainment, who prefers the dignity of anonymity, says he lost control of a professional Instagram site hosting his art portfolio.

Several attempts to get in contact with Insta’s gatekeepers proved “increasingly irritating”, he says.

“There’s no ‘Contact us’ buttons to be found anywhere. It was a long and exhausting hunt to find anyone who could help”. His pleas to Insta were met with “radio silence”.

Safeguarding the integrity

Frustrated, he “abandoned my long-curated site to the hackers”.

“I can’t believe a company of this size can completely ignore its customers … With our whole world digitised now, cyber hacking is one of the greatest threats to our business. Meta can get —-ed,” is the way he now feels.

In its defence, Instagram says its technology works to detect and block scams, and it aims to get ahead of scammers’ attempts to evade detection. It says it provides its estimated 2 billion monthly users “robust in-app tools” to report malicious content.

Yes, that is if people are smart enough to have enabled 2FA.

“We’re committed to safeguarding the integrity of our services, and work hard to protect our community from hackers, scams and other inauthentic behaviour,” a Meta spokesman said.

As the Australian Cyber Security Centre warns: “Like breaking into someone’s home, thieves have to look for a way in. Using software code, either developed themselves or available in a ready-to-use kit online, hackers look at ways to gain access.

“Once in, a hacker can modify how a network works, steal data, obtain passwords, get credit card information, watch what you are doing or install malicious software” … or all of the above.

Lessons learnt here?

Grab a coffee and your mobile right now and do the following on your Insta account:

  1. Tap on the profile picture in the bottom right to go to your profile.
  2. Tap in the top right, then tap Settings.
  3. Tap Security, then tap Two-Factor Authentication.
  4. Tap Get Started at the bottom.
  5. Choose the security method you want and follow the instructions.


