Hackers are using Instagram as a marketplace, advertising rental of what they say is access to Mirai and other botnets and supposedly selling accounts for Fortnite, Spotify and other social media platforms.
Motherboard’s Joseph Cox has been chatting with Root Senpai – one of the sellers – on Discord, a popular messaging board for gamers.
Senpai told Motherboard that stolen Fortnite accounts are of particular interest to customers. No surprise there: right now, the mobile game is hotter than a blister bug in a pepper patch.
Back in March, fraudsters exploited gamers’ keen anticipation to get invitations to Fortnite’s upcoming release, flogging their fictional “extra free invites!!!” as they looked for profit or for pumped-up Twitter followers/likes/retweets/comments.
By June, scammers had begun seeding the internet with fake Fortnite apps that never loaded the actual game and instead churned victims through the downloading of other apps that the fraudsters got paid to disseminate.
And then, of course, there are stolen Fortnite accounts. Kotaku reported in March that hijacked accounts form a “booming industry”, as millions fend off zombies in this, the world’s biggest survival game, where the players who pick up rare character skins attract the attention of thieves.
Since Battle Royale for Android was released in September 2017, dozens have taken to Reddit, Epic Games’ forums and Twitter to complain about mysterious $99.99 and $149.99 charges on their accounts. Account crackers use victims’ accounts to pay for game upgrades that they then transfer to other accounts.
As Kotaku tells it, sellers harvest known email/password combinations from previous breaches, be it the 400 million-user MySpace breach or the 164,000-user LinkedIn breach, and then load them into software that automatically enters them into Epic Games’ client until it hits on a valid account.
Besides ripped-off Fortnite accounts, hackers are using Instagram to hawk access to botnets.
Motherboard spotted one post that claimed to sell access to a Mirai-based botnet. The Mirai malware ensnared more than 300,000 Internet of Things (IoT) devices. It, and its subsequent variants, have been used to launch an untold number of distributed denial-of-service (DDoS) attacks.
Other Instagrammers are selling access to other botnets: Motherboard spotted one post that advertised botnet as a service plan, listed for between $5 to $80 a month.
Some of the botnet-as-a-service ads are appearing in normal Instagram posts, while others are being marketed on the network’s Stories feature.
None of this is legal, of course. Instagram’s terms of service forbid doing “anything unlawful, misleading, or fraudulent or for an illegal or unauthorized purpose.”
An Instagram spokesperson told Motherboard that forbidden activity includes selling access to hacked computers or accounts. Instagram is investigating the issue and says it’s going to remove content that violates its terms.
How to keep the zombies from biting your account
Don’t reuse passwords. It’s incredibly fast and easy for hackers to find password dumps from breaches and then, in a process known as credential stuffing, use them to try to unlock your Fortnite account… or your bank account, or your Netflix account, or your Facebook, or any other account. You can’t keep breaches from happening, but you can limit the ripples from spreading to all of your accounts, by using one unique, strong password for every online service you use. Because yes, using a password twice is truly a bad idea.
Guard your login with your virtual life. Epic Games won’t ask you for your password via email or phone call, so if somebody’s asking you for it, your hackles should go way up. Hijackers will offer third-party “special offers” for all sorts of goodies, be it free V-Bucks to in-game loot. Back away: you’re far more likely to see fraudulent charges on your account than you are to see tasty freebies.
Sign up for two-factor authentication (2FA) sign-in. Epic offers it here. Note that you can also opt for authenticator apps such as Google Authenticator, LastPass, Microsoft Authenticator, or Authy. Sophos can also help you out: consider downloading Sophos Authenticator, which is also included in the free Sophos Mobile Security for Android and iOS).