Have Hackers Been Using Your Favorite Celebrity To Spread Malware?

By
&
Aliza Vigderman
Gabe TurnerChief Editor
Last Updated on Aug 5, 2021
By Aliza Vigderman & Gabe Turner on Aug 5, 2021

When celebrities like Kim Kardashian, Justin Bieber or Rihanna post to social media, they’re immediately bombarded with comments. Unlike us, Taylor Swift can rack up thousands of comments and likes in just a few minutes. But what’s lurking in those comments could be making the world less secure. Analysis of a new malware program by ESET found that some malware is using Instagram comments as a way to phone home.1

How Does Malware Spread?

The Turla malware, for example, was looking at a specific comment on Britney Spears’ Instagram account for directions on how to spread. See, malware is often made to be as small as possible, allowing it to quickly be installed whenever a weakness is exploited. To keep the size down, most malware reaches out to a server for further instructions once it’s installed on the target systems. However, by monitoring installed software for links to suspicious sites, smart software can keep malware from doing any damage. But Turla doesn’t point anywhere suspicious. Instead, it points to an innocuous Instagram post2 from none other than the Princess of Pop herself.

On Britney’s Instagram post, the malware is supposed to look for a comment with a specific hash value; basically, a comment that, when run through an algorithm, results in a specific value. The comment, which reads “#2hot make loved to her, uupss #Hot #X”, doesn’t look too out of place on a celebrity post. But that “uupss” and the “#X” help the string of characters reach the right hash value. Once it has the right hash value, it runs the comment through another algorithm that results in a URL, which then lets the malware connect with a server under the hacker’s control. The genius of this malware attack is that by using a celebrity account, it is able to hide directions in plain sight.

So many people comment on a post that no one is going through and blocking or reporting suspicious activity on. That means that one Instagram account can post on multiple celebrity statuses with directions for various forms of attacks. Plus, navigating to Instagram isn’t going to alert any malware-spotting software, making the photo-sharing app an ideal place to spread malware.

Should You Be Worried?

Private citizens don’t have much to worry about with the Turla attack specifically. The URL this attack pointed to only received 17 clicks since the comment was posted, and the attack was mostly aimed at embassy workers. And now that the attack vector is known, anti-malware programs will be on the lookout for similar attacks to keep users safe.

That being said, other types of malware can affect anyone with the Internet, which is why we recommend implementing antivirus software across all of your devices. Using regularly updated databases of the latest viruses and malware, antivirus software scans your devices for suspicious behaviors. If the software finds malware or a virus, they will quarantine the affected files in folders where they can’t damage the rest of your device. Of course, not all malware is spread through celebrity Instagram posts; some is spread through emails, websites, attachments, and the like. To prevent cyber attacks from malware and beyond, read our digital security guide, where we go over the best practices for keeping your devices (and by extension, you personally identifiable information) safe.

Citations
  1. ESET. (2017). Turla’s watering hole campaign: An updated Firefox extension abusing Instagram.
    welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/

  2. Instagram. (2020). Britney Spears.
    instagram.com/p/BO8gU41A45g/