In recent months, Symantec Security Response has observed a steady influx of fake profiles on the social photo-sharing service Instagram. These fake profiles, which use photographs stolen from legitimate profiles, come in three variations and follow users and like photos. Through these interactions, they lure users to their profiles in order to earn a commission through affiliate links to adult dating websites.
Influx of fake profiles
Sometime in November 2015, users posting photos to Instagram began noticing likes and follows from unknown users.
Figure 1. Fake profiles on Instagram follow users and like photos
Three profile variations
Among these profiles, we have observed at least three variations.
Profiles in the first variation have a stolen avatar photograph, but no actual photos on their profile page. Their bio may or may not contain some information, but they will have a link leading to an adult dating website.
Figure 2. Profile variation number one contains no photos, just a link in the profile bio
Profiles in the second variation contain a stolen avatar and corresponding stolen photographs. They contain some suggestive text in the bio (“Are you a sex giant? I wait you here!” “If you’re down to meet and hook up with singles near you, check out the link below”), along with a link leading to an adult dating site.
Figure 3. Profile variation number two features stolen photographs
In the third variation, the profiles serve as an intermediary. They contain a single photograph split into tiles that together form the full photograph. A button with the caption “18+” is overlaid and strategically placed on various body parts. Clicking on any of the tiled images reveals a note instructing the visitor to go to the “official profile”, which is linked. This final profile contains a random assortment of images of women in bikinis and lingerie. The bio claims that the visitor could have an erotic meeting if they visit the link in the profile.
Figure 4. Profile variation number three directs users to another profile
Adult dating landing pages
In each of the profile variations, the links lead users to a landing page for an adult dating website. The links either direct the user to the website with an affiliate ID included, or direct the user to a page that serves as an intermediary to the actual adult dating websites.
Figure 5. Adult dating website landing pages
Affiliate programs are the driving force behind adult dating and webcam spam on various dating and social networking applications. Unlike previous examples that we have identified, the fake profiles on Instagram are not bots; they won’t converse with users through the Instagram Direct feature.
Based on a few of the fake profiles, we believe that most of the photographs used were taken from real profiles of popular Instagram users. For instance, one of the fake profiles stole photographs from Julia Pushman, a model and YouTube vlogger.
Figure 6. Original photo (left) stolen and used on a fake profile (right)
Report fake profiles to Instagram
With over 400 million monthly active users, Instagram is one of the most popular mobile applications. It comes as no surprise that the service has also become popular with scammers. Instagram users should be skeptical of unsolicited likes or follows from fake profiles. If you believe you have encountered a fake profile, you should report it to Instagram as spam.