My friends Instagram was hacked and deep-fake videos posted in less than 6 hours
My friends instagram account has only ~2,000 followers, so not even a huge amount, and her email and password was reset about 6pm to a gmail account, and by midnight the account had already posted deep-faked AI videos of her promoting cryptocurrency scams.
The deepfake videos are very realistic too, if I hadn't know her better or know about the hacking it would be very easy to believe it was real...
It's possible they deep-faked her videos ahead of time but it seems like something you'd only spend resources on only if you knew the attack was successful.
And there doesn't seem to be that much news or content online about this happening or it seems very targeted... but for such an account with such a small following it seems like it must be quite widespread problem.
Have you had this happen to someone you know personally and what do you think about how prepared we are to deal with scams this sophisticated or what effect they might have?
261 comments
[ 5.3 ms ] story [ 226 ms ] threadReally messed up stuff.
There is plenty of meat market content here no need to make an arbitrary line, its on topic here, deep fake, compute time, SaaS, account engagement, revenue
It lets us know how rational the incentive is
I wonder how effective it is, how much they make
What their overhead costs are like
Also, chances are that if you can convincingly create deepfakes in general you can (deep)fake a picture of an id to a degree it will be accepted by OnlyFans and other services, especially if these ids are from places the staff might not be entirely familiar with. Do you know for example what a Columbian or Polish or Turkish or Cambodian id should look like and what security features that you could see on a mere picture of it should be present, if there are even such features?
I've seen such id fakes done in practice, though that wasn't related to OnlyFans. That's why when I was in a position where I sometimes had to verify identities, I would not accept pictures of ids, I would ask for a "proof-of-life"/"timestamp" style pictures you see commonly used on pseudonymous sites like reddit or 4chan to establish authenticity of a poster. Those are not impossible to fake, but a lot harder, especially if you limit the time in which the other party can respond.
I don't know if OnlyFans adopted such a method of verification by now, but I know they used to accept just ids.
I also online-know a guy who says he used to run an OnlyFans scam where he would seek out underrated accounts, steal their content and republish it under his own accounts. That obviously required he create a lot of verified accounts with valid ways to pay out, of course. He never went into details on that. He could be lying about the thing, but when it came to other things he claimed over the years, a lot of it was verifiable true, so I don't know.
You can also buy verified OnlyFans accounts on the black market (hacked usually) or compromise accounts yourself. A lot of OnlyFans accounts are completely inactive, abandoned by the original owners, so they will probably not even notice if it gets taken. From there you can replace all the account content as you please, and I believe in the case of OnlyFans even change the user name and probably update the payout method and information as well.
As for banking information... that's harder, but there are probably some ways left. The question is if the OnlyFans account in this case was even made for financial gain, or just to cause humiliation, in which case subscriptions might have been free or the money might have never been collected by whoever created the account.
newspapers are media, right?
so are digital newspapers also media?
what about just a collection of headlines?
Have owned it since Instagram launched and it was connected to my Facebook account which I've had since 2005 or so.
There is no hope with contacting Instagram/Facebook support.
Your friend should take this as a complement to her appearance, she's been deemed attractive and trustworthy-looking, after all. That's why her account has been targeted.
Contact IG to wipe it, and acquire stronger auth habits, and better backup habits. Nothing else you could do about that, really.
Wow, that's a pretty fucked up take.
How would you take it?
whew boy, I was not expecting this on this website
It is neither good nor bad, it just is.
edit: also there was an instance in the past where my account got disabled and it took me months to get my account get reactivated again. the first issue is that they have a huge backlog of other people they are assisting. so you need to find a way around that
If that is true, that is a deep cut against their account security.
If this really happened, there must be some easy to use public tool they used. I'd really love to see the video.
¹ There's no way anyone else would log into a stolen account from a Nigerian IP.
> Their prince was the first email scam of note, and probably one of the longest running ones at that.
And all of the Nigerian prince spammers are incredibly unsophisticated. Anyone in the industry can tell you this, you can just look at the manner in which they send their emails.
Why needlessly alert the victim when you could just choose a proxy in their city?
>Sounds like the perfect cover then
How would that even work? It's not like this would provide any kind of an advantage. In what kind of a threat model could this possibly be beneficial?
I'm sure there are some exceptions, but those would probably be smart enough to conceal where they came from.
This isn't really surprising. Obviously Nigerian cybercriminals will be less sophisticated than the Russians for example, just look at their schools!
This way, the only replies they get are from people who are extremely gullible and/or desperate. It allows the scammers to avoid wasting time on targets that have a low probability of success.
That said, there are certainly plenty of stories about Nigerian scammers who are themselves not very bright or perceptive (is the 401Eater website still up and running?).
It is actually deliberate. It has been part of scams like that for decades
https://www.telegraph.co.uk/technology/microsoft/9346371/Nig...
It used to be seen in scams sent via the post as well.
The "nigerian scams" are extremely unprofitable compared to even mildly sophisticated scams like BEC or basic craigslist scams. I think it's safe to say that they're unsophisticated.
>That said, there are certainly plenty of stories about Nigerian scammers who are themselves not very bright or perceptive (is the 401Eater website still up and running?).
Yeah, because the actually intelligent ones are generally running very different scams.
https://www.vice.com/en/article/93bw9z/bitcoin-scam-hostage-...
I can't say I have too much advice other than to always use strong passwords, don't share passwords across sites, use VPNs on public routers, and stay away from posting videos of yourself on cancerous engagement metric-driven social media.
I feel we're just reaping the reward of our vacuity.
I think it's you, because I see criticism levied against TikTok here all the time.
> I'm a huge fan of TikTok because after years of content stagnation and dullness, the internet is fun again.
Just for contrast, this is how the second-highest top-level comment starts:
> I like to think of TikTok as the crack cocaine of addictive social media. I used to think my dopamine receptors were burned out by the constant barrage of memes I received from reddit, Facebook and Twitter but TikTok proves they can refine that product to make it even more potent.
But evil HN is always only criticizing Facebook and letting TikTok get away with everything, sure.
Many people aren't fans of Insta/FB but they need to use it for reaching their audience.
If you use Instagram and then your account gets taken over, it might be convenient to be able to alert at least some of your fans by posting about it on Tiktok.
Better yet, even if few of your fans are on your official site, having an official site means you're not 100% locked out of your own identify when your Insta is taken over.
Of course maintaining a website is probably not the forte of most Instagram hot-shots, so this is by no means an easy solution.
It's unfortunate that these big social media companies let people become successful without fully understanding what they're up against after reaching a certain threshold.
Collective action needs to be legislative or legal in order to actually change things.
[1] https://www.ipr.northwestern.edu/news/2017/king-corporate-bo...
Oh and it was given to one of mr beasts (from YouTube) helpers…
Just keep dialing, and you’ll find a compassionate and helpful person at some point
Again, the kindness, compassion and flexibility of humans is the weak link in security.
I bet that’s why Google has all but eliminated the support staff!
Apparently the password had a character limit that wasn't mentioned when signing up and was silently truncated server-side. A bit of investigation showed the <input> had maxlength="20" which is only enforced when typing characters. When using Javascript to fill a form will just ignore this attribute. https://codepen.io/jspash/pen/XWerVzY
One bank specifically I have to deal with will:
- Not allow you to paste a username/password (ctr+c/ctrl+v, right click disabled)
- Lastpass autofill doesn't work
- If the page loses focus, both user/password inputs are cleared, you get to start all over.
There is also a very small subset of special characters that are allowed. If you do not reset your password as often as they'd like, you have to agree to waive any responsibility for any issues with your account before logging in.
SMS 2FA required, there's no other 2FA option.
After entering your 2FA code, the "proceed" and "cancel" buttons are the exact same shape and color and I've hit the wrong one multiple times, in which case there is also SMS 2FA cool down and you have to wait 15 mins to start all over again.
It's absolute insanity and every time I have to login its an adventure.
Are you sure the account and username were given and not just the username?
https://en.m.wikipedia.org/wiki/Poe%27s_law
The most extreme will say "yes, this person gets it, they're one of us!" But those a little further from that edge might take a step back and think "wait, is that really what I sound like, really the end conclusion of all this?"
Anyway, I'm probably overthinking it.
And, it's happened in real life that I said something sarcastically, without indicating this, instead assuming the others would realize -- and instead they thought I was crazy. Maybe my voice sounded too serious
Just like when Philip Morris changed its name to Altria-- you could hardly claim Altria had done all of those bad things, it didn't even exist at the time!
(Also: joking)
I have old password reset emails and probably some screen shots somewhere
You were robbed and deserve the handle back. And potentially compensation if an audit trail reveals an inside job.
Edit: Better link from deadmutex below - https://www.youtube.com/watch?v=vqr0oER03SE
https://www.wfla.com/8-on-your-side/better-call-behnken/inst...
The video quality is too good. The lighting and movements lack mistakes. It can't be first order model, wav2lip, or any of the relatively new audio to video models.
The audio doesn't suffer from spectral noise, and it matches the lip movements close enough to not be TTS. Voice conversion (VC) introduces pitch issues that are readily apparent, and it's incredibly hard to train VC models without a ton of parallel audio data from source and target speakers.
This is absolutely a lie (not a deepfake) and I'd bet money on it.
[1] I created https://fakeyou.com cartoon and celebrity TTS, real time voice to voice mapping for VTubers, and am currently working on ML blendshapes.
It needs a base video to be modified. They need a video of a person talking to do the deepfake.
The reason for my skepticism: The state of the art language pronunciation from the best this planet has to offer still requires a full phoneme library recorded in studio conditions. A voice sample taken from a user’s instagram page doesn’t seem like the kind of source material that would be useful to make convincing speech.
So this is either an indication of a very elaborate deepfake which managed to surface an amazingly coincidental source video (which should be possible to find on her archives) or that it's not a deepfake but a real recording.
1 - This is an actual video of the guy in his home, but they changed/synthesized the audio and then worked on the lip movements to make it match.
2 - This is a video of an actor impersonating the guy, possibly to the extent of impersonating his voice (although his timbre might make that a little tricky), and then they just deepfake the face on to the actor. An example of this is deeptomcruise on TikTok, something that you should treat yourself to if you haven't seen yet - https://www.tiktok.com/@deeptomcruise (first two today aren't great, here's a good one - https://www.tiktok.com/@deeptomcruise/video/7018171271095553... ? )
I'm not even convinced there's any alteration here, but even if there was both of the above could be possible. Adobe demoed something called VoCo in 2016 that never saw the light of day, not sure if there is something approximating this available today: https://www.youtube.com/watch?v=I3l4XLZ59iw&t=260s
1. networks where global reach to total strangers is not even possible, or at least is not the default. the vast majority of people only really want to reach their “friends of friends” anyway. this eliminates a lot of would-be hackers from even knowing you exist.
2. accounts that are unhackable because users log in with private keys instead of user/pass that sit on a server. of course losing your private key is a problem, but i would suggest a system of social-account recovery anyway where you can regain access by 3 out of 5 friends approving, for example.
i think the concept of followers shows that your premise isn't exactly true and people with more followers than just family, friends, and friends of friends is also another clue.
what are you looking for from me? i’ll try to perform better for you next time lol.
It's not about what's "better" but about what users are willing to tolerate. The average user has a very high tolerance for login bullshit, repeated captchas, etc. -- if the site has a monopoly on the social network you need to access.
Private keys, as appealing as they are in theory, don't really work from a user perspective. The closest thing that seems to be popular is 2FA keys like YubiKeys.
There's nothing magical about private keys that prevents them from being lost or stolen.
The average person doesn't want to manage private key files. The average person wants to be able to recover their account if they forget or lose their password. Moving to private keys isn't a realistic solution for logins for the average person.
The average user isn't even aware of the potential option of the key file.
I think the popularity of password managers shows that users preferences are opposite to what you say. The user wants the machine to store the secrets rather than memorize and type them.
Recovery mechanisms is a separate issue from whether you use passwords or key files.
That’s why i mentioned Social Account Recovery. There are solutions to improve general UX of key management.
Why would you need this when you can just generate them yourself...
Plus the usual phishing.
I wonder if they had a list of account credentials, tested to find ones that worked without changing anything after verifying they were legit, and then once they had the content ready took over the account to ensure the work they had done was live for as long as possible..
Presuming much of the media creation is automated, they could also have run the process once the gmail account was owned.
Testing auth from unexpected locations in advance seems like an easy way to get noticed.
>Testing auth from unexpected locations in advance seems like an easy way to get noticed.
How many times we've received emails from online accounts notifying about login attempts? They are usually phishing attempts, but it occurs enough that most people don't believe the legitimate emails.
So it’s - access insta, change email, phone and password. Access gmail, delete notifications from Instagram, profit.
In her case she had about 60k followers. They sent random emails the moment she tried to do a password reset, so they obviously back the email onto an automated random service.
The fact the insta even allows changing all of those details in quick succession is one thing. The impossibility of contacting them next is another. Took a few days but they eventually flipped the account back to her with about as little fanfare as taking it away.
https://www.youtube.com/watch?v=vqr0oER03SE
I have a 3 letter instagram name and the amount of spam and attacks I get is insane... I get hundreds of password reset emails from instagram daily and constant DMs and follow requests from scammer and bot accounts.
I've tried contacting instagram about it several times but they never respond. Had to blackhole emails from security@mail.instagram.com to prevent my mail server filling up.
https://twitter.com/settings/security
Turn on "password reset protect" and it will require "either the phone number or email address associated with your account in order to reset your password". I'm not sure it adds a ton of security, but it definitely cuts down on the password reset emails.
I've noticed that the reset attempts seem to come in waves. I haven't charted it, but sometimes I'll get somewhere between 20-30 reset attempts in 24 hours, and at other times, I won't get any reset attempts for a full week or so. The whole thing is very bizarre.
[1] https://darknetdiaries.com/episode/97/
[0]: https://simon.medium.com/mobile-twitter-hacked-please-help-2...
I don't share my daily email with websites but for whatever reason I used it with this Instagram account. It's the only spam I get at this point. 20 email resets per day!! It can't be hard to fix that
The moment you create something that can be used to upload any type of content, some people will exploit it.
Tech companies seem to invest far less into customer service, make it impossible to get on the phone with someone, resolve issues in a sane way, etc.
Just speculation though.