Click farm for Instagram fraud uncovered

[German]Security researchers from vpnMentor have uncovered an extensive click farm that was used for scams on Instagram. The click-farm operates through several 10,000 fake accounts on Instagram. The scam affects users worldwide.


Background: Click farms The security researchers sent me the information in advance. Security researchers from vpnMentor, led by Noam Rotem and Ran Locar, recently uncovered a huge illegal Instagram click farm, located somewhere in Central Asia and operating worldwide.

Background: Click farms

Very little is known about the world of click farms and how they work. Click farms are often paid by individuals or companies to inflate their followers on social media platforms and their commitment. The people who hire click farms then use this to take advantage of sponsor contributions and other forms of income from the app.

Click farms are typically located in developing countries with little or no data regulation, oversight or enforcement of fraud claims. The idea is to automatically click on advertisements to generate revenue – which of course is fraud. In the current case, the backers created 1,000 fake accounts to scour Instagram.

In this specific case, the fraudsters deal with posts and profiles on Instagram and click on paid advertising from their customers' accounts. In this way, they can inflate the followers of a person who is a customer on the click farm and help them generate income through advertising or sponsored posts in the Instagram app.

In this way, they defraud any company or third party they pay for advertising or sponsorship based on followers or engagement on a platform. Click farms are also used to spread fake messages and misinformation. There is ample evidence that this is already a widespread practice and a popular form of election rigging, manipulation and indirect attack on rivals by governments like Russia, China, Iran and their allies.


Automated processes

Security researchers believe that the people behind this click farm have created a highly automated process to manage Instagram's 10,000 proxy profiles in countries around the world without requiring much individual human input. While much of this discovery remains a mystery, the click farm has clearly been very successful.

How the scam worked

The click farm appears to be operated by a sophisticated operation that has built a highly automated process to create 10,000 fake proxy accounts on Instagram. Each account had its own avatar, biography and "persona" that seemed to come to Instagram from all over the world.

Each fake account could then post posts, view, track, react and interact with Instagram profiles of others. The click farm also used proxy servers and IP addresses to hide their activities. Usually, platforms would notice something like this. If 10,000 new users from a small town in rural Kazakhstan signed up to Instagram and behaved almost identically, they would quickly be marked as spam. To work around this, each fake profile was matched with an IP address in a country that matched its "persona".

What was discovered?

The security researchers of vpnMentor use port scanning technology to examine specific IP blocks and test different systems for vulnerabilities or weaknesses. They also examine each vulnerability for unsecured data that can be accessed there.

The research team thus discovered a command and control server on September 21, 2020, which seemed to be the hub for the entire operation. The server contained the data of 10,000 Instagram profiles and actions for 'fake people' who were active on Instagram. The scammers used an unsecured Elasticsearch database to store the data. The security team was then able to access the Clickfarm's database as it was completely unsecured and unencrypted. The security researchers were able to view the data. The server had stored the following data:

  • Instagram usernames and passwords
  • Proxy IP addresses for each account
  • email address associated with Instagram accounts
  • SMS verification codes
  • Telephone numbers used in the operations

Click farm data
Click farm data

By storing all this data on a single server, the operation of the click farm was completely centralized and controlled by a single unit. This centralized model allowed everyone who worked for the farm to log into an account that seemed to be located anywhere in the world and immediately begin various actions.

To run the click farm, the scammers also needed 1,000 local SIM cards to obtain verification codes to join Instagram through a new account each time. Security researchers believe that this operation was carried out from Central Asia. Many of the server's real IP addresses are from Kazakhstan and Armenia, as are the mobile operators who received SMS verification messages from Instagram.

Facebook take actions

Click farms and other forms of fraud and misinformation are widespread on Instagram, Facebook and other popular social networks. This is a problem that companies have been struggling with for years.

Facebook and Instagram can quickly remove the click farm accounts from the Instagram app. But this leads to the backers simply creating more, new Instagram accounts. Instagram users can report any accounts or activities that they suspect are spam or operate under false pretenses for removal.

Deutsche Instagram-Konten
German Instagram accounts

The vpnMentor team then contacted Facebook to inform them about the fraud and how many people were affected. On September 22, 2020, the database server was secured, apparently the people behind it noticed something when massive instagram accounts were closed. The full report should be available on this website at vpnMentor when this blog post is published.

The vpnMentor research lab is the world's largest pro bono service that scans the Internet for privacy violations and is committed to fighting cyber threats. The security research team has discovered and disclosed some of the most serious data breaches of recent years. These included a scam targeting Spotify and its users. The researchers also uncovered a massive data leak that exposed how a group of free VPN operators were recording the activities of their users. 

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *