Skip to main content

Massive Instagram 'click farm' found following data breach

Instagram dark mode
(Image credit: Shutterstock)

Fake accounts on social media platforms are often used to commit fraud as well as to spread disinformation and fake news which is why the recent discovery of a massive Instagram 'click farm' is so concerning.

For those unfamiliar, click farms are operations where low-paid workers, usually in developing countries without strict data regulations, are paid to click on links and interact with users online either to earn income through advertising or to inflate a person's following on a social network.

The vpnMentor research team, led by Noam Rotem and Ran Lucar, came across this new click farm after uncovering a command and control (C&C) server that contained data for tens of thousands of Instagram profiles including usernames and passwords, proxy IP addresses, email addresses connected to the accounts, SMS verification codes and phone numbers used in the operation. 

As all of this data was stored on a single server, the click farm's operations were completely centralized and controlled by a single entity. This allowed anyone working at the farm to log into an account from anywhere in the world and start interacting with real Instagram users online.

Instagram click farm

Based on its initial investigation, vpnMentor believes that the click farm is being operated by a third party which is possibly based in Kazakhstan or Armenia. However, the research team also reached out to Instagram's parent company Facebook upon discovering the operation.

The fake Instagram accounts were used to publish posts, view others' posts, follow, react and engage with other profiles on the platform. In order to get around being flagged as spam, the operator of the click farm matched each fake profile with an IP address in a country that corresponded with its 'persona'.

At the same time though, thousands of local SIM cards were also needed to receive verification codes when joining Instagram. In addition to many of the server's real IP addresses being located in Kazakhstan and Armenia, so too were the mobile phone operators used to receive the SMS verification messages.

We could possibly find out more about the operator of the click farm and their intentions once Facebook conducts its own investigation into the matter.

Via vpnMentor