
Scammers create Instagram click farm, leave their operation exposed online

Exclusive: Researchers find records used to fake Instagram engagement, exposed on the open internet.


Instagram doesn't always reflect reality. Security researchers said Wednesday that they found records from an operation that used fake accounts to sell likes and followers to Instagram users.


Instagram is a playground of deception. Filters, lighting and clever angles can make the humdrum look amazing.  

On Wednesday, a pair of researchers said the deceit extended beyond artfully edited photos to inflated follower counts, which can make accounts appear to have more reach than they actually do. Behind the artificial numbers: a click farm operation that boosted performances by using tens of thousands of fake IG accounts. 


Ran Locar and Noam Rotem said the scammers appeared to be operating out of Central Asia and used proxy servers to disguise the location of the fake accounts. The researchers, based in Israel, found usernames and passwords of the fake accounts, as well as clues to how the operation worked, on an unsecured cloud database.

Some influencers use click farms in an effort to boost their popularity on social media, which might help them win sponsorship deals or other promotional opportunities. It's unclear how widespread the practice is, but cybersecurity firm Cheq said last year that advertisers wasted an estimated $1.3 billion on ads and sponsored posts that were displayed to bots and fake accounts. The bogus engagement brings a level of fakery to the world of influencers that's worth remembering the next time you scroll through the enviable lives of social media personalities.

Locar and Rotem published their report with vpnMentor, a website that reviews privacy software for consumers. The researchers reported the database to Instagram in September, and the information is no longer exposed. Additionally, the data didn't include any usernames or passwords for real Instagram accounts.

Rotem and Locar called the operation sophisticated, even though the scammers committed a basic security blunder by not setting a password on their cloud database. Aside from that misstep, the criminals covered their tracks to avoid Instagram noticing the accounts were coordinated, and added new accounts as Instagram found and deactivated previous fake accounts. Facebook, which owns Instagram, has automated systems to detect fake accounts on Instagram, and can identify and deactivate them within hours.

"There's a cat and mouse aspect to them," Locar said.

Locar and Rotem search for exposed databases through a web scanning project. Typically, they find cases in which companies have failed to secure account or customer information. For example, a document storage company exposed before-and-after pictures from plastic surgery clinics around the world, and a recruiting website exposed the expected salaries of job seekers.

Other times, however, the exposed data comes from an apparent criminal enterprise. The research duo recently found exposed Facebook and Spotify account data belonging to real users, which had been compiled by criminals for other forms of fraud.

In addition to misleading sponsors and advertisers, buying fake engagement violates Instagram's terms of service. In 2019, Facebook sued a company in New Zealand for fraud after it allegedly sold likes and followers.
