If you are familiar with the results of a recently finished study regarding online content popularity that concluded that “likes” beget “likes”, the fact that people are willing to pay good money for fake Twitter, Instagram and Facebook followers as well as “likes” and “retweets” will not come as a surprise.
The market for these “goods” is, in fact, strong enough to make the price asked on underground cybercrime forums for 1,000 fake Instagram followers or likes is considerably higher that that for 1,000 credit card numbers.
It’s no wonder, then, that cyber crooks wielding the infamous Zeus information.stealing Trojan have recently been found using a new variant that not only searches for and records passwords, but also uses the zombified machine to check for available Instagram usernames.
According to RSA researchers, this new variant is able to download additional downloader malware onto the target’s computer. After that, it performs search engine queries, likely in a effort to promote pages hosting additional malware to the top of search engine results.
Next, the malware checks for the availability of Instagram usernames by sending POST commands to the Instagram service via its mobile API.
“For servers and virtual machines running Windows operating systems, Instagram API calls are pushed into Instagram by spoofing User-Agent strings in an attempt to disguise the traffic as a Smartphone running an Android operating system,” the researchers explain. “Spoofing is an important step, because Instagram doesn’t permit username availability searches from a Desktop PC.”
The variant uses common dictionary words, combines them with some random characters and uses those concoctions as names for the fake accounts. And while its doing that, it also automatically “likes” photos on other Instagram accounts.
“Search engine optimization abuse and Instagram account abuse could just be the beginning,” they say, adding that Zbot variants are surely going to also continue using their usual bag of tricks.