My friend's Instagram account has only ~2,000 followers, so not even a huge amount, and her email and password were reset about 6pm to a gmail account, and by midnight the account had already posted deep-faked AI videos of her promoting cryptocurrency scams.
The deepfake videos are very realistic too, if I hadn't known her better or known about the hacking it would be very easy to believe it was real...
It's possible they deep-faked her videos ahead of time but it seems like something you'd only spend resources on if you knew the attack was successful.
And there doesn't seem to be that much news or content online about this happening or it seems very targeted... but for such an account with such a small following it seems like it must be quite a widespread problem.
Have you had this happen to someone you know personally and what do you think about how prepared we are to deal with scams this sophisticated or what effect they might have?
I have a 3 letter instagram name and the amount of spam and attacks I get is insane... I get hundreds of password reset emails from instagram daily and constant DMs and follow requests from scammer and bot accounts.
I've tried contacting instagram about it several times but they never respond. Had to blackhole emails from security@mail.instagram.com to prevent my mail server filling up.
[0]: https://simon.medium.com/mobile-twitter-hacked-please-help-2...
I've noticed that the reset attempts seem to come in waves. I haven't charted it, but sometimes I'll get somewhere between 20-30 reset attempts in 24 hours, and at other times, I won't get any reset attempts for a full week or so. The whole thing is very bizarre.
I don't share my daily email with websites but for whatever reason I used it with this Instagram account. It's the only spam I get at this point. 20 email resets per day!! It can't be hard to fix that.
The moment you create something that can be used to upload any type of content, some people will exploit it.
Tech companies seem to invest far less into customer service, make it impossible to get on the phone with someone, resolve issues in a sane way, etc.
1. networks where global reach to total strangers is not even possible, or at least is not the default. the vast majority of people only really want to reach their “friends of friends” anyway. this eliminates a lot of would-be hackers from even knowing you exist.
2. accounts that are unhackable because users log in with private keys instead of user/pass that sit on a server. of course losing your private key is a problem, but i would suggest a system of social-account recovery anyway where you can regain access by 3 out of 5 friends approving, for example.
There's nothing magical about private keys that prevents them from being lost or stolen.
The average person doesn't want to manage private key files. The average person wants to be able to recover their account if they forget or lose their password. Moving to private keys isn't a realistic solution for logins for the average person.
The average user isn't even aware of the potential option of the key file.
I think the popularity of password managers shows that users' preferences are opposite to what you say. The user wants the machine to store the secrets rather than memorize and type them.
Recovery mechanisms are a separate issue from whether you use passwords or key files.
That’s why i mentioned Social Account Recovery. There are solutions to improve general UX of key management.
i think the concept of followers shows that your premise isn't exactly true and people with more followers than just family, friends, and friends of friends is also another clue.
what are you looking for from me? i’ll try to perform better for you next time lol.
Oh and it was given to one of Mr Beast's (from YouTube) helpers…
Are you sure the account and username were given and not just the username?
I have old password reset emails and probably some screen shots somewhere
I can't say I have too much advice other than to always use strong passwords, don't share passwords across sites, use VPNs on public routers, and stay away from posting videos of yourself on cancerous engagement metric-driven social media.
Many people aren't fans of Insta/FB but they need to use it for reaching their audience.
Collective action needs to be legislative or legal in order to actually change things.
[1] https://www.ipr.northwestern.edu/news/2017/king-corporate-bo...
I think it's you, because I see criticism levied against TikTok here all the time.
I feel we're just reaping the reward of our vacuity.
Edit: Better link from deadmutex below - https://www.youtube.com/watch?v=vqr0oER03SE
https://www.wfla.com/8-on-your-side/better-call-behnken/inst...
The video quality is too good. The lighting and movements lack mistakes. It can't be first order model, wav2lip, or any of the relatively new audio to video models.
The audio doesn't suffer from spectral noise, and it matches the lip movements close enough to not be TTS. Voice conversion (VC) introduces pitch issues that are readily apparent, and it's incredibly hard to train VC models without a ton of parallel audio data from source and target speakers.
This is absolutely a lie (not a deepfake) and I'd bet money on it.
[1] I created https://fakeyou.com cartoon and celebrity TTS, real time voice to voice mapping for VTubers, and am currently working on ML blendshapes.
Really messed up stuff.
Also, chances are that if you can convincingly create deepfakes in general you can (deep)fake a picture of an id to a degree it will be accepted by OnlyFans and other services, especially if these ids are from places the staff might not be entirely familiar with. Do you know for example what a Colombian or Polish or Turkish or Cambodian id should look like and what security features that you could see on a mere picture of it should be present, if there are even such features?
I've seen such id fakes done in practice, though that wasn't related to OnlyFans. That's why when I was in a position where I sometimes had to verify identities, I would not accept pictures of ids, I would ask for a "proof-of-life"/"timestamp" style pictures you see commonly used on pseudonymous sites like reddit or 4chan to establish authenticity of a poster. Those are not impossible to fake, but a lot harder, especially if you limit the time in which the other party can respond.
I don't know if OnlyFans adopted such a method of verification by now, but I know they used to accept just ids.
I also online-know a guy who says he used to run an OnlyFans scam where he would seek out underrated accounts, steal their content and republish it under his own accounts. That obviously required he create a lot of verified accounts with valid ways to pay out, of course. He never went into details on that. He could be lying about the thing, but when it came to other things he claimed over the years, a lot of it was verifiably true, so I don't know.
You can also buy verified OnlyFans accounts on the black market (hacked usually) or compromise accounts yourself. A lot of OnlyFans accounts are completely inactive, abandoned by the original owners, so they will probably not even notice if it gets taken. From there you can replace all the account content as you please, and I believe in the case of OnlyFans even change the user name and probably update the payout method and information as well.
As for banking information... that's harder, but there are probably some ways left. The question is if the OnlyFans account in this case was even made for financial gain, or just to cause humiliation, in which case subscriptions might have been free or the money might have never been collected by whoever created the account.
Have owned it since Instagram launched and it was connected to my Facebook account which I've had since 2005 or so.
There is no hope with contacting Instagram/Facebook support.
Crypto lockers, pump-and-dump schemes, scams, hacking processing power for mining, burning fuels to power even the most legitimate uses.
Cryptocurrency will go down in history as the most regrettable invention since leaded gas.
https://www.vice.com/en/article/93bw9z/bitcoin-scam-hostage-...
If this really happened, there must be some easy to use public tool they used. I'd really love to see the video.
¹ There's no way anyone else would log into a stolen account from a Nigerian IP.
I wonder if they had a list of account credentials, tested to find ones that worked without changing anything after verifying they were legit, and then once they had the content ready took over the account to ensure the work they had done was live for as long as possible.
Presuming much of the media creation is automated, they could also have run the process once the gmail account was owned.
Testing auth from unexpected locations in advance seems like an easy way to get noticed.
>Testing auth from unexpected locations in advance seems like an easy way to get noticed.
How many times have we received emails from online accounts notifying about login attempts? They are usually phishing attempts, but it occurs enough that most people don't believe the legitimate emails.
edit: also there was an instance in the past where my account got disabled and it took me months to get my account reactivated again. the first issue is that they have a huge backlog of other people they are assisting. so you need to find a way around that
If that is true, that is a deep cut against their account security.
Plus the usual phishing.
so tik tok and instagram and even phones themselves apply skin-smoothing filters by default, guess what, that makes it harder to distinguish deepfaked videos from just heavily filtered genuine videos
I don't know how to convince people to be less bot-like, but social media is making it easy on these scammers by making beautification filters the norm
Essentially it's social engineering via a face scan app.
You can see an example of a possible scammer here https://www.instagram.com/sashana_walter/
"My friend is into crypto sh$t and he messaged me saying to check out his story (already weird but whatever) and he posted that this lady turned his $500 into $8500. It was a legit video of him speaking, walking down the street. Anyway I messaged the chick and she told me to download this app and I signed up and it made me scan my ID and my face which I thought was wack again but trusted my buddy… So i end up sending this chick $200 in bitcoin like a f%c^in idiot, but then she's trying to say I need to send another $300 to be able to actually ‘process’ and I was like uhhhh nope? Now ‘she’ is trying to get me to do some two factor authentication confirmation code shit to ‘get my payout’. What I think is going on is they got into my friend's account and made a deepfake from the face scan and started DMing other people."
The same thing happened to someone I know, but they were basically forced to post the requested videos as ransom.
It also happened to a skateboarder, and many people claimed deep fake when it wasn’t. [0]
Not saying it’s not, just raising the question.
Slightly more specifically, why should any stranger care if the charismatic "with-it" personality says anything in particular?
It's all BS, stories, that the world is telling to us. We can be just fine if we keep our heads down, and do what's expected of us.
Not Rhetorically:
"Trust" has never been guaranteed. It's partly an emotional experience.
So as technologists, how shall we pool our tools, to Augment Humanity? Why do we have emotion enhancing technology for everything but trust (rhetorically, because we have many)? Why would we Want Trust?
I'd personally love Digitally Signed video, proving mathematically it derives from a Genuine Work from the talking head in the video. Because I trust myself and need solid facts to continue doing so.
I need more reliable facts.
Nothing to be done. Just wanted to post nice landscape photos of the place I biked to.
I logged in, it requested my number and they just cold say "we'll contact you" and nothing.
Just speculation though.