Leaky Elasticsearch Server Reveals Massive Instagram Click Farm

Security researchers have uncovered a massive Instagram click farm in central Asia, operating tens of thousands of fake profiles.

A team at vpnMentor found the operation through a completely unsecured Elasticsearch database that the click farm was using and had left exposed to the public-facing internet.

“The click farm appears to be run by a sophisticated operation that has built a highly automated process to create tens of thousands of fake proxy accounts on Instagram. Each account had its own avatar, bio and ‘persona,’ appearing to join Instagram from all over the world,” said vpnMentor.

“Each fake account would then publish posts, view others’ posts, follow, react and engage with profiles. The click farm was also using proxy servers and IP addresses to hide its activity.”

Operated from either Armenia or Kazakhstan, this C&C server contained usernames, passwords, proxy IP addresses and email addresses for the fake accounts, as well as related SMS verification codes and phone numbers.

The researchers tied the operation back to central Asia as many of the IP addresses and mobile phone numbers used to authenticate and run the fake accounts were from Armenia and Kazakhstan.

“Click farms are often paid by individuals or companies to inflate their followers and engagement. The people hiring click farms then use this to leverage sponsorship posts and other forms of income from the app. In doing so, they’re defrauding any company or third party that pays them based on followers and engagement,” explained vpnMentor.

“Click farms are also used to spread fake news and misinformation. There is plenty of evidence that this is already a widespread practice and a popular form of election interference, manipulation and indirect attack on rivals by governments like Russia, China, Iran and their allies.”

Facebook was notified about the server on September 21, and it was shut down the following day.