With the help of security expert Matthijs Koot, NOS (1) gained access to the systems of a phishing gang. For three weeks, NOS followed the gang from Nigeria, identifying 3,200 victims who lost their Instagram Facebook, Twitter or email accounts.
One-third of the victims were from the Netherlands. The total number of victims of the gang is probably larger.
The gang has a total of 128 phishing websites, 24 of which are currently being actively used. Victims receive a message from a connection asking them to participate in an election.
Those who click on it then have to log into a fake page. This way, the criminals can hijack the victim's account and send the victim's friends the same message.
It is unclear what happens next with the cracked accounts. According to Koot, the accounts could be used for cryptoscams, bank fraud or influencing elections by spreading disinformation, among other things.
According to NIS, the group is not very sophisticated. The group's technical expertise is limited and they are armed with nothing more than an iPhone. This shows that relatively simple tricks are still enough to hack accounts, despite measures taken by tech companies like Meta.
Also, the scammers' website did not appear to be properly secured. This allowed the NOS to easily break into the system and trace IP addresses of the perpetrators.
Meta, the parent company of Facebook and Instagram, informed NIS that it invests heavily in its security systems. However, the company could not answer the question of why phishing can still be so easy. However, the company does indicate that scammers are constantly trying to bypass detection mechanisms.
These simple tricks have a big impact on victims. They see that the account has been taken over and there is often little they can do about it. Indeed, regaining access to the hijacked accounts proves very difficult. "Instagram doesn't help you at all! The help desk didn't want to help me too much either, because they were afraid I was the hacker. The upside-down world!", says one of the victims.
Phishing is a form of online fraud in which hackers manage to retrieve your login information. Via email, text message or app, the victim is asked to log in to a website, which later turns out to be fake. Social engineering is often used to trap victims with psychological manipulation.
To protect yourself from phishing, you can do the following things:
Never just click on a link in an email or message. Check the sender and the link before you click.
Use a spam filter to keep out phishing emails. By doing so, you reduce the chances of falling for it.
Set up two-stage authentication on all your accounts. Even if your login credentials get into the wrong hands, criminals still won't have access to your account.
Use a VPN to encrypt your data. That way, hackers cannot intercept your data on a public Wi-Fi network, for example. However, a VPN offers no protection if you enter your data yourself on a phishing website.
Use antivirus software to protect your computer from malware. After all, you can also get malware through a phishing email.
(1) https://nos.nl/artikel/2518932-instagram-en-facebook-nog-steeds-niet-opgewassen-tegen-simpele-phishing
