It all starts with an exchange between “friends”. Inspired by phishing techniques, a new scam is spreading on Instagram. Cybercriminals have set up a scam built around the activation of an authentication code, carried out through the social network's messaging feature.
The well-established scenario is for a hacker to impersonate an Instagram user by stealing their credentials (these are often sold on the Dark Web for a few euros). With this account, the hacker can send messages to the friends linked to it. This is where the scam begins: the impersonator sends phishing messages asking the “friends” on the list for help. The story the attacker tells asks the person to help him unlock his mobile phone by sending him an activation code that the victim will receive in his place.
The scammer often begins his story with a small, innocuous message asking for help: “Hi, can you please help me?” If the potential victim offers to help, he brings up his smartphone and says he needs the victim to unlock it remotely by receiving his activation codes. The scammer then explains that he was supposed to receive codes sent by his telephone operator, but because his mobile phone is blocked, he must receive them through a trusted person. He then asks the victim for their phone number and the name of their operator.
As reported by the site Numerama, which revealed this case, the scam then enters a second phase. The victim receives an authentication code by SMS, which they are asked to forward to their “friend”. In reality, the scammer uses the Boku payment platform, which allows payments to a third party by SMS based on a surcharged transaction. For example, it is possible to choose to transfer 25 euros to someone on Boku (which is a legal money transfer platform). For verification and two-factor authentication, Boku sends a confirmation SMS that is surcharged up to the desired amount, here 25 euros. The operator then pays the sum to the recipient and charges it to the subscriber's next phone bill. In the case of the scam, the hacker explains that this chargeable operation will not be billed and that it is just a normal SMS. In reality, the victim is charged and the money is transferred to the scammer’s account.
As with all sites, messages, emails, and social media, be alert when a person or organization asks you for personal information or asks you to make a payment. Never reply. In the case of a friend, if you have any doubts about the person who is speaking to you, do not hesitate to change the communication channel (choose another messaging service or social network), or even call the person in question directly to check that it is really them.