Facebook, Instagram, TikTok and Twitter target resellers of hacked accounts – Krebs on Security

Facebook, Instagram, TikTok, and Twitter all took steps this week to crack down on users involved in trafficking hijacked user accounts on their platforms. The coordinated action seized hundreds of accounts that the companies say played an important role in facilitating the trade and often lucrative resale of compromised, highly sought-after usernames.

At the heart of the account ban wave are some of the most active members of OGUsers, a forum that serves thousands of people who sell access to hijacked social media and other online accounts.

Particularly valued by this community are short usernames, which can often be resold for thousands of dollars to anyone who wants to claim a personalized name.

Facebook told KrebsOnSecurity that it seized hundreds of accounts – mostly on Instagram – that were stolen from legitimate users through a variety of intimidation and harassment tactics, including hacking, coercion, extortion, sextortion, SIM swapping and scams.

THE INTERMEDIARIES

Facebook said it targeted a number of accounts linked to key sellers on OGUsers, as well as those that advertise the ability to broker sales of stolen accounts.

Like most cybercrime forums, OGUsers is overrun with shady characters who are mainly there to cheat other members. As a result, some of the most popular members of the community are those who have earned a reputation as trusted “intermediaries”.

These core members offer escrow services that – in exchange for a cut of the total transaction cost (usually five percent) – will hold the buyer’s funds until the buyer is satisfied that the seller has delivered the credentials and any email account access required to control the social media account.

For example, one of the most active accounts targeted in this week’s social media crackdown is the Instagram profile “Trusted,” self-described as “first-rate professional intermediary / collateral since 2014”.

Trusted’s profile includes several screenshots of his OGUsers persona, “Beam”, who warns members about an increase in the number of new OGUsers profiles impersonating him and other intermediaries on the forum. Currently, Beam has more reputation points or “endorsements” than almost anyone on the forum, except perhaps current and past site administrators.

The now-banned Instagram account of the broker @trusted / Beam.

Fortunately, OGUsers has been hacked several times over the years, and its database of user details and private messages has been posted on competing criminal forums. These databases show that Beam was only the 12th user account created on OGUsers in 2014.

In his posts, Beam says he has brokered just north of 10,000 transactions. In fact, the leaked OGUsers databases – which include private messages on the forum before June 2020 – offer a small window into the overall value of the hijacked social media account industry.

In each of Beam’s direct messages to other members who hired him as an intermediary, he would include the address of the bitcoin wallet to which the buyer should send the funds. Just two of the bitcoin wallets Beam used for brokering in the past two years recorded more than 6,700 transactions, totaling more than 243 bitcoins – or about $8.5 million at today’s valuation (~$35,000 per coin). Beam would have earned about $425,000 in commissions on those sales.

Beam, a Canadian whose real name is Noah Hawkins, declined to be interviewed when contacted earlier this week. But his “Trusted” Instagram account was taken down today by Facebook, as was “@Killer” – a personal Instagram account he used with the nickname “noah / beam”. Beam’s Twitter account – @NH – was disabled by Twitter; that account was hacked and stolen from its original owner in 2014.

Asked for comment, Twitter confirmed that it worked closely with Facebook to seize accounts linked to key OGUsers members, citing its platform manipulation and spam policy. Twitter said its investigation into the people behind these accounts is ongoing.

TikTok confirmed that it has also taken steps to target accounts linked to major OGUsers members, although it did not say how many accounts were recovered.

“As part of our ongoing work to find and stop non-authentic behavior, we recently retrieved several TikTok usernames that were being used for hacking accounts,” said TikTok in a written statement. “We will continue to focus on staying ahead of the evolving tactics of evildoers, including cooperation with third parties and others in the industry.”

‘SOCIAL MEDIA SPECIALISTS’

Other key intermediaries who brokered thousands of social media account transactions via OGUsers and were part of this week’s ban wave include Farzad (OGUser #81), who used the Instagram accounts @middleman and @frzd; and @rl, also known as “Amp,” an important intermediary and account seller on OGUsers.

Naturally, the main intermediaries in the OGUsers community derive much of their business from sellers of compromised social media and online gaming accounts, and these two groups tend to promote each other. Among the biggest seller accounts targeted in the ban wave was the Instagram account belonging to Ryan Zanelli (@zanelli), a 22-year-old who describes himself as a “social media marketing expert” from Melbourne, Australia.

The leaked OGUsers databases suggest that Zanelli is best known to the OGUsers community as “Verdict,” the fifth profile created on the forum and a long-time site administrator.

Contacted via Telegram, Zanelli acknowledged being an administrator of OGUsers, but denied being involved in anything illegal.

“I am one of the first adapters on the forum, yes, as well as countless other members, and no social media property I sell has been hacked or obtained by illegitimate means,” he said. “If you want the truth, I don’t even own any of the shares, just reviewing who owns them.”

This is not the first time Instagram has come after his accounts: as documented in this story in The Atlantic, some of his accounts, totaling more than 1 million followers, were hacked in late 2018, when the platform removed 500 usernames that were stolen, resold and used to post memes.

“This is my full-time income, so it is very detrimental to my livelihood,” Zanelli told The Atlantic, which identified him only by his first name. “I was trying to have dinner and socialize with my family, but knowing behind the scenes everything I built, all my equity, was gone before my eyes.”

Another account hit in the ban wave was the Instagram account @h4ck, whose Telegram sales channel also advertises several services for banning and unbanning specific accounts on different platforms, including Snapchat and Instagram.

Snippets from the Telegram sales channel for @h4ck, one of the Instagram identifiers seized by Facebook today.

Facebook said that while this is not the first time it has recovered accounts associated with hijackers, it is the first time it has done so publicly. The company says it has no illusions that this latest enforcement action will end the rampant problem of hijacking accounts for resale, but sees the effort as part of an ongoing strategy to increase costs for account dealers and to educate potential account buyers about the damage done to people whose accounts have been hijacked.

In recognition of the scale of the problem, Instagram today launched a new feature called “Recently Deleted”, which aims to help victims undo the damage caused by an account hijacking.

“We know that hackers sometimes delete content when they gain access to an account and, until now, people have not been able to easily retrieve their photos and videos,” explained Instagram in a blog post. “Starting today, we’ll ask people to first verify that they’re legitimate account holders by permanently deleting or restoring recently Deleted content.”

Facebook was not exaggerating about the use of extortion and other serious threats by the hijacking community to gain control over highly valuable usernames. I would like to be able to recover the many hours spent reading private messages from the OGUsers community, but it is certainly not uncommon for targets to be threatened with swatting attacks or to have their personal and/or financial information published online unless they relinquish control over a desired account.

WHAT YOU CAN DO

All accounts that you value must be protected with a strong, unique password, as well as the most robust form of multi-factor authentication available. Typically, this is a mobile app that generates a one-time code, but some sites like Twitter and Facebook now support even more robust options – like physical security keys.

Whenever possible, avoid choosing to receive the second factor via text message or automated phone calls, as these methods are prone to compromise through SIM swapping – a crime that is prevalent among people who steal social media accounts. SIM swapping involves convincing employees of the mobile phone company to transfer ownership of the target’s phone number to a device controlled by the attackers.

These precautions are even more important for any email accounts you may have. Sign up for any online service, and it will almost certainly require you to provide an email address. In almost all cases, the person in control of that address can reset the password for any associated services or accounts – simply by requesting a password reset email. Unfortunately, many email providers still allow users to reset their account passwords by sending a link via text message to the phone number registered for the account.

Most online services require users to provide a cell phone number when setting up the account, but do not require that the number remain associated with the account after it is established. I advise readers to remove their phone numbers from their accounts whenever possible and to take advantage of a mobile app to generate any one-time codes for multi-factor authentication.


This entry was posted on Thursday, February 4, 2021 at 13:02 and is filed under News of evil, The Coming Storm, Web Fraud 2.0.
