Britney Spears' Instagram Is a Secret Testing Ground For Russian Hackers

ESET says this kind of attack was previously used by hacker groups such as the MiniDuke attackers, who targeted the North Atlantic Treaty Organisation in 2013.

But the real innovation in this case is the hackers' use of social media to locate their malware's command and control (C&C) servers.

Revealing its findings in a blog post, ESET said: "We noticed that this extension was distributed through a compromised Swiss security company website". That site asked Firefox users to install a seemingly innocuous extension. "In fact, it will obtain this path by using comments posted on a specific Instagram post", the researchers said.

Having found the post, the malware then looks for particular characters containing hashtags and an invisible "Zero Width Joiner", the code point used to combine two emoji parts into a single "combo-moji". Gizmodo explained how the method worked: using an encoded comment on a Britney Spears Instagram post, the malware could find out what URL to use to meet up with the server without that information ever appearing in the code of the malware itself. The use of this tactic presents difficulties for defenders.

The malware would scroll through the comments on Spears' photos in search of instructions. The command and control server is what malware typically communicates with to receive instructions, and it is where the malware offloads data stolen from the victim.

The extension would look for a comment that met certain mathematical parameters.

"The comment isn't particularly enlightening for the general reader: '#2hot make loved to her, uupss #Hot #X'." The custom hash value, in turn, would retrieve the following URL.
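As an added defender-side example (not code from ESET, Gizmodo or the article), here is a small Python triage check that flags comments in which a Zero Width Joiner precedes something other than an emoji part, the pattern described above. The sample comments are constructed, and the assumption that the joiner sits directly before each hidden character is mine, not something the article states.

```python
import unicodedata

ZWJ = "\u200d"  # ZERO WIDTH JOINER, invisible when rendered

# Characters that may legitimately follow a ZWJ inside an emoji sequence:
# symbols (So), modifier symbols such as skin tones (Sk), the emoji
# variation selector, and the ZWJ itself. Anything else after a ZWJ is
# suspicious: the joiner renders as nothing and only marks a character.
def _emoji_part(ch: str) -> bool:
    return ch in (ZWJ, "\ufe0f") or unicodedata.category(ch) in ("So", "Sk")

def hidden_chars(comment: str) -> str:
    """Characters that a ZWJ precedes but that are not emoji parts.
    Assumption (constructed): the marker is placed right before each one."""
    marked = []
    for i, ch in enumerate(comment[:-1]):
        if ch == ZWJ and not _emoji_part(comment[i + 1]):
            marked.append(comment[i + 1])
    return "".join(marked)

def triage(comment: str) -> dict:
    """Summarise the joiner and hashtag use in one comment for a reviewer."""
    return {
        "zwj_count": comment.count(ZWJ),
        "hashtags": [w for w in comment.split() if w.startswith("#")],
        "hidden": hidden_chars(comment),
    }

def flag_comments(comments):
    """Return (index, hidden text) for every comment that hides characters."""
    return [(i, h) for i, c in enumerate(comments) if (h := hidden_chars(c))]

# Constructed sample comments, not real Instagram data:
# 0: a family emoji, a legitimate ZWJ sequence
# 1: the comment quoted above, with joiners inserted before four letters
# 2: an ordinary comment with hashtags and no joiners
SAMPLES = [
    "\U0001F468" + ZWJ + "\U0001F469" + ZWJ + "\U0001F467 love it",
    "#2hot ma" + ZWJ + "ke lov" + ZWJ + "ed to h" + ZWJ + "er, uup" + ZWJ + "ss #Hot #X",
    "great pic #Hot #X",
]

if __name__ == "__main__":
    for idx, hidden in flag_comments(SAMPLES):
        print(f"comment {idx} hides {hidden!r}: {triage(SAMPLES[idx])}")
```

Only comment 1 is flagged; the family emoji passes because every joiner there sits between symbol code points.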

This took place in February, and ESET believes it was a test, partly because the link was clicked very few times.

Security researchers at ESET found that the hacking group, known as Turla, is using a recently discovered backdoor whose instructions are left in plain sight as comments. The backdoor is a browser extension that locates its parent server through comments on social media.

ESET has been in contact with Firefox's developers and they're now working on a fix so that the extension won't work any more. The practice makes the malware harder to detect since the server is never directly referenced either in the malware or the Instagram comments.