Attackers ask you for a simple screenshot in this Instagram hack

The target: you.

The weapon: a screenshot.

Attackers are taking over Instagram accounts by sending you a message and asking for an image of your screen. With that image, victims say, the attackers can start the process of stealing your account.

Steve Vaughan-Nichols, senior contributing editor at publication ZDNet, reported on May 23 that this happened to him. He received what he thought was a message from a friend.

"His message asked for my help and included a reset link for their account. Rather than asking me to click the link, which I'd never do in a million years, it simply asked me to send him back a screenshot of the message including the link. I thought, 'How can I be hacked by sending a PNG image?' After all, it wasn't a reset link for my account. So, I replied with the image," he wrote.

But he said the image of the web address and his reply message actually provided enough information for the attackers to make their move.

After that, he said he received multiple messages from Instagram, including notes about changing his phone number to a number in Nigeria, as well as a new email associated with his account. But he said Instagram has not been very helpful in getting his account back. Now he believes his Instagram is being used to send out cryptocurrency-related spam.

"I made, at most, one minor mistake, and lost my account," he said.

More Victims

Others are reporting the same attack on Reddit.

"They are clicking forgot password for your account and by you sending that screen shot, they can copy and paste the link into a browser and then change your password," wrote Reddit user Juneskin Law.

Attack message asking for a screenshot on Instagram. Image: Reddit/Rlo52893

What to do

The blogger MyFamilyStuff also reported the Instagram screenshot scam in April.

"My friend asked me to send a screenshot of a link I would be receiving by text. He told me he was in the process of getting verified on Instagram. I thought nothing of it and wanted to help him. When the text came in, I took a screenshot and sent it to him," she wrote. "Minutes later, I lost all control of my account. I was hacked."

The attacker made posts about cryptocurrency and used her messaging to send the same kind of attack message to her friends and family.

The attacker posted cryptocurrency promotions on the account of MyFamilyStuff. Image: MyFamilyStuff(.)ca

As she tried to get Instagram to give her the account back, the attacker was notified and changed the password and contact information, she said, making the process even more difficult. She had to send multiple selfies to get Instagram to return the account. The process may have been easier for her than for others because she had an Instagram business account.

Her recommendations include:

  • Use multi-factor authentication.

  • Do not ever send anyone a link even if they are friends or family.

  • Have some photos of your face on your account so Instagram can compare your verification selfies.

  • Print out and save your Instagram backup codes somewhere safe.

  • Try to recover your account immediately.

  • Alert your friends, family and fan base that you’ve been hacked.

  • Keep submitting video selfies and don’t lose hope.

 


Kerry Tomlinson