Have Hackers Been Using Your Favorite Celebrity To Spread Malware?

Aliza VigdermanGabe TurnerChief Editor
Last Updated on Nov 20, 2020

When celebrities like Kim Kardashian, Justin Bieber or Rihanna post to social media, they’re immediately bombarded with comments. Taylor Swift can rack up thousands of comments and likes in just a few minutes. But what’s lurking in those comments could be making the world less secure.

Analysis of a new malware program by ESET found that some malware is using Instagram comments as a way to phone home. The Turla malware was looking at a specific comment on Britney Spears’ Instagram account for directions on how to spread.

See, malware is often made to be as small as possible, allowing it to quickly be installed whenever a weakness is exploited. To keep the size down, most malware reaches out to a server for further instructions once it’s installed on the target systems.

However, by monitoring installed software for links to suspicious sites, smart software can keep malware from doing any damage. But Turla doesn’t point anywhere suspicious. Instead, it points to an innocuous Instagram post.

There, the malware is supposed to look for a comment with a specific hash value — basically, a comment that, when run through an algorithm, results in a specific value. The comment, which reads “#2hot make loved to her, uupss #Hot #X”, doesn’t look too out of place on a celebrity post.

But that “uupss” and the “#X” help the string of character reach the right hash value. Once it has the right hash value, it runs the comment through another algorithm that results in a URL, which then lets the malware connect with a server under the hacker’s control.

The genius of this malware attack is that by using a celebrity account, it is able to hide directions in plain sight.

So many people comment on a post that no one is going through and blocking or reporting suspicious activity. That means one Instagram account can post on multiple celebrity statuses with directions for various forms of attacks. Plus, navigating to Instagram isn’t going to alert any malware-spotting software.

Private citizens don’t have much to worry about here though. The URL this attack pointed to only received 17 clicks since the comment was posted, and the Turla attack was mostly aimed at embassy workers. And now that the attack vector is known, anti-malware programs will be on the lookout for similar attacks to keep users safe.