Scammers create Instagram click farm, leave their operation exposed online
Exclusive: Researchers find records used to fake Instagram engagement, exposed on the open internet.
Instagram is a playground of deception. Filters, lighting and clever angles can make the humdrum look amazing.
On Wednesday, a pair of researchers said the deceit extended beyond artfully edited photos to inflated follower counts, which can make accounts appear to have more reach than they actually do. Behind the artificial numbers: a click farm operation that boosted performance by using tens of thousands of fake IG accounts.
Ran Locar and Noam Rotem said the scammers appeared to be operating out of Central Asia and used proxy servers to disguise the location of the fake accounts. The researchers, based in Israel, found usernames and passwords of the fake accounts, as well as clues to how the operation worked, on an unsecured cloud database.
Some influencers use click farms in an effort to boost their popularity on social media, which might help them win sponsorship deals or other promotional opportunities. It's unclear how widespread the practice is, but cybersecurity firm Cheq said last year that advertisers wasted an estimated $1.3 billion on ads and sponsored posts that were displayed to bots and fake accounts. The bogus engagement brings a level of fakery to the world of influencers that's worth remembering the next time you scroll through the enviable lives of social media personalities.
Locar and Rotem published their report with vpnMentor, a website that reviews privacy software for consumers. The researchers reported the database to Instagram in September, and the information is no longer exposed. Additionally, the data didn't include any usernames or passwords for real Instagram accounts.
Rotem and Locar called the operation sophisticated, even though the scammers committed a basic security blunder by not setting a password on their cloud database. Aside from that misstep, the criminals covered their tracks to avoid Instagram noticing the accounts were coordinated, and added new accounts as Instagram found and deactivated previous fake accounts. Facebook, which owns Instagram, has automated systems to detect fake accounts on Instagram, and can identify and deactivate them within hours.
"There's a cat and mouse aspect to them," Locar said.
Locar and Rotem search for exposed databases through a web scanning project. Typically, they find cases in which companies have failed to secure account or customer information. For example, a document storage company exposed before-and-after pictures from plastic surgery clinics around the world, and a recruiting website exposed the expected salaries of job seekers.
Other times, however, the exposed data comes from an apparent criminal enterprise. The research duo recently found exposed Facebook and Spotify account data belonging to real users, which had been compiled by criminals for other forms of fraud.
In addition to misleading sponsors and advertisers, buying fake engagement violates Instagram's terms of service. In 2019, Facebook sued a company in New Zealand for fraud after it allegedly sold likes and followers.