Week 14: Notice of alleged copyright infringement leads to takeover of museum's social media account

12.04.2022 - The number of reports received by the NCSC last week remained at a similar level to the previous week. The media officers of a museum responded immediately to an alleged copyright infringement, but the email contained a hidden phishing link that enabled the attackers to take over the account and blackmail the museum.

In order to reach as many people as possible, it is common for companies and cultural institutions to communicate via social media. Maintaining these information platforms and providing new content is an important communication task. The importance of the accounts increases steadily with the number of followers. Hackers try to exploit this by hijacking such accounts and demanding a ransom for supposedly returning them.

To hijack a social media account, the attackers need to obtain its password. One case reported to the NCSC involved the Instagram account of a museum. The attackers used a method that has been observed since the beginning of 2021. Via Facebook's Business Manager, the museum received a message from the attackers that claimed to be from the Instagram Copyright Help Center. The message accused those responsible of violating both legal provisions and specific Instagram terms and policies (Instagram copyright and community guidelines) by posting content. The recipient was invited to object by filing an appeal.

Text of the fake email

A link in the email led to a corresponding form. This was a phishing link that sent the login credentials for the Instagram account to the attackers. Using this data, the attackers managed to take over the account, change the access credentials and the account name, and apparently transfer it to Turkey.

The media officers were then informed via WhatsApp that the hacked account would be returned if an appropriate ransom was paid.

Extortion message via WhatsApp

The NCSC advises against paying a ransom, as the hackers frequently do not return the account despite payment. In some known cases, the attackers instead demanded even more money.

In such cases, recovering the account via the official channels of the respective social media service providers is safer, although often laborious and time-consuming. In order to prove the legitimacy of the request, numerous pieces of evidence have to be provided to the respective social media providers.

The best approach is to protect yourself from such attacks:

  • Never enter a password on a website that you opened via a link. Always enter the address (URL) for the relevant online service manually in the address bar of your browser.
  • Never click on links that you receive in unsolicited messages.
  • Check the plausibility of requests independently, e.g. by asking the sender directly.
  • Use multi-factor authentication whenever possible to protect your social media presence.
  • Safely store information about your account, such as the communication used to create the account and other information that only the rightful holders can have.

Last modification 12.04.2022
