Facebook, Instagram, TikTok, and Twitter all took steps this week to curb users involved in hijacking user accounts on their platforms. The coordinated action seized hundreds of accounts that, according to the companies, played an important role in facilitating the trade and often profitable resale of compromised, highly sought-after usernames.
At the center of the account ban wave are some of the most active members of OGUsers, a forum that caters to thousands of people selling access to hijacked social media and other online accounts.
In particular, this community prizes short usernames, which can often be resold for thousands of dollars to those who want to claim a preferred name.
Facebook told KrebsOnSecurity it had seized hundreds of accounts, mostly on Instagram, that had been stolen from legitimate users through various intimidation and harassment tactics, including burglary, coercion, extortion, sextortion, SIM swapping and swatting.
THE MIDDLEMEN
Facebook said it has targeted a number of accounts linked to key sellers at OGUsers, as well as those advertising the ability to mediate stolen account sales.
Like most cybercrime forums, OGUsers is overrun with shady characters who are there primarily to rip off other members. Consequently, some of the most popular members of the community are those who have gained a reputation as reliable “middlemen.”
These core members provide escrow services that, in exchange for a cut of the total transaction cost (usually five percent), will hold the buyer’s funds until he is satisfied that the seller has handed over the credentials and the email account access needed to control the hijacked social media account.
For example, one of the most active accounts targeted in this week’s social network crackdown is the Instagram profile “Trusted,” which describes itself as a “professional middleman / escrow since 2014.”
Trusted’s profile contains several screenshots of his OGUsers persona, “Beam,” who warns members about an increase in the number of new OGUsers profiles impersonating him and other middlemen on the forum. Beam currently has more reputation points or “evidence” than almost everyone on the forum except for current and former site administrators.

The now-banned Instagram account for the middleman @trusted/beam.
Helpfully, OGUsers has been hacked several times over the years, and its database of user details and private messages has been posted on competing crime forums. According to those databases, Beam was only the 12th user account created on OGUsers, in 2014.
In his posts, Beam says he has mediated well north of 10,000 transactions. Indeed, the leaked OGUsers databases – which contain private messages on the forum before June 2020 – provide a small window into the overall value of the hijacked social media account industry.
In each of Beam’s direct messages to other members who engaged him as a middleman, he would include the address of the bitcoin wallet to which the buyer was to send the funds. Just two of the bitcoin wallets that Beam has used for middleman work over the past few years have recorded more than 6,700 transactions, totaling more than 243 bitcoins, or about $8.5 million at today’s valuation (~$35,000 per coin). Beam would have earned about $425,000 in commissions.
Beam, a Canadian whose real name is Noah Hawkins, declined to be interviewed earlier this week. But his “Trusted” account on Instagram was taken down by Facebook today, as was “@Killer,” a personal Instagram account he used under the nickname “noah/beam.” Beam’s Twitter account, @NH, has been deactivated by Twitter; it was hacked and stolen from its original owner in 2014.
Reached for comment, Twitter confirmed that it had worked with Facebook to seize accounts linked to top members of OGUsers, citing its platform manipulation and spam policy. Twitter said its investigation into the people behind these accounts continues.
TikTok confirmed that it also took action against accounts linked to top OGUsers members, although it did not say how many accounts were recovered.
“As part of our ongoing work to find and stop fraudulent behavior, we have recently recovered a number of TikTok usernames used to squat accounts,” TikTok said in a written statement. “We will continue to focus on the ever-evolving tactics of bad actors, including collaborating with third parties and others in the industry.”
‘SOCIAL MEDIA SPECIALISTS’
Other key middlemen who mediated thousands of other social media account transactions via OGUsers and who were part of this week’s ban wave include Farzad (OGUser #81), who used the Instagram accounts @middleman and @frzd; and @rl, or “Amplifier,” an important middleman and account seller on OGUsers.
Naturally, the top middlemen in the OGUsers community get a lot of their business from sellers of compromised social media and online gaming accounts, and these two groups tend to cross paths with each other. Among the top-seller accounts targeted in the ban wave was the Instagram account belonging to Ryan Zanelli (@zanelli), a 22-year-old self-described “social marketing specialist” from Melbourne, Australia.
The leaked OGUsers databases indicate that Zanelli is better known among the OGUsers community as “Pronunciation,” the fifth profile created on the forum and a longtime administrator of the site.
Reached via Telegram, Zanelli admitted that he was an administrator of OGUsers, but denied that he was involved in anything illegal.
“I am an early addition to the forum, yes, just like many members, and no property I sell on social media is hacked or acquired illegally,” he said. “If you want the truth, I do not even own one of the shares, but resell it to people who do.”
This is not the first time Instagram has come for his accounts: As documented in this story in The Atlantic, some of his accounts, totaling more than 1 million followers, were taken down in late 2018 when the platform removed 500 usernames that had been stolen, resold and used to post memes.
“It’s my full-time income, so it’s very detrimental to my livelihood,” Zanelli told The Atlantic, which identified him only by his first name. “I tried to eat dinner and hang out with my family, but I knew behind the scenes that everything I built, my entire net worth, was before my eyes.”
Another top-selling account targeted in the ban wave was the Instagram account @h4ck, whose Telegram sales channel also advertises various services to ban and unban certain accounts on various platforms, including Snapchat and Instagram.

Snippets from the Telegram sales channel for @h4ck, one of the Instagram handles seized by Facebook today.
Facebook said this is hardly the first time it has recovered accounts from hijackers, but it is the first time it has done so publicly. The company says it has no illusions that this latest enforcement action will stop the rampant problem of account hijacking for resale, but sees the effort as part of an ongoing strategy to increase costs for account traders and to educate potential account buyers about the damage done to people whose accounts have been hijacked.
In recognition of the scale of the problem, Instagram today unveiled a new feature called ‘Recently Deleted’, which aims to help victims undo the damage caused by an account takeover.
“We know that hackers sometimes delete content when they gain access to an account, and so far people have had no way to easily get their photos and videos back,” Instagram explained in a blog post. “From today, we will ask people to first verify that they are the rightful account holders when they permanently delete or delete recently deleted content.”
Facebook is not exaggerating about the hijacker community’s use of extortion and other serious threats to gain control over valuable usernames. I wish I could get back the many hours I spent reading private messages from the OGUsers community, but it is certainly not uncommon for targets to be threatened with attacks, or with having their deeply personal and/or financial information posted online, unless they relinquish control over a desired account.
WHAT YOU CAN DO
Any accounts you value must be secured with a unique and strong password, as well as the most robust form of multi-factor authentication available. Usually, that is a mobile app that generates a one-time code, but some sites like Twitter and Facebook now support even more robust options, such as physical security keys.
Avoid, if possible, receiving the second factor via text message or automated phone calls, as these methods are prone to compromise through SIM swapping, a crime common among people who steal social media accounts. SIM swapping involves convincing mobile phone company employees to transfer ownership of the target’s phone number to a device the attackers control.
These precautions are even more important for any email accounts you have. Sign up for any service online, and you will almost certainly need to provide an email address. In almost all cases, the person who controls that address can reset the password of any associated services or accounts, merely by requesting a password reset email. Unfortunately, many email providers still allow users to reset their account passwords by having a link sent to the phone number on file for the account.
Most online services require users to provide a mobile phone number when setting up the account, but do not require the number to remain linked to the account after it has been set up. I encourage readers to remove their phone numbers from accounts where possible and use a mobile app to generate any one-time codes for multifactor authentication.
This entry was posted on Thursday, February 4th, 2021 at 1:02 pm and is filed under Ne’er-Do-Well News, The Coming Storm, Web Fraud 2.0.