The Spears photo with the malicious comment outlined in red.
Turla—a Russian hacker group that has previously attacked government sites, firms, diplomats and embassies—targeted Britney Spears’ Instagram account earlier this year.
A study by Czechoslovakian IT company ESET Security found, hidden among the 7,000 comments on a photo of Spears, a comment carrying data that malware disguised as a Firefox security extension was designed to read in order to reach its operators.
The comment is, on its face, fairly unremarkable, reading “#2hot makes love to her, uupss #Hot #X.” Most would dismiss it as spam, but it actually carries the data the malware (disguised as a Firefox extension) needs to reach its control centre and transmit information about the user’s computer to the hackers, Engadget reports.
When the malware found that comment, it derived a URL from it. That URL lets the malware connect to its control centre and send it information about the compromised system, ESET says.
The URL produced by the comment, ESET notes, has been used in the past for “watering hole” attacks by Turla. Watering hole attacks take their name from predators waiting by water for the right moment to strike unsuspecting prey; the attackers likewise use these URLs to pounce on unsuspecting users. ESET says Turla is known for using such generated links “to redirect potentially interesting victims to their C&C infrastructure.”
ESET found that only 17 people were hit by the watering hole attack via the Spears post, and concluded from this that the attack was most likely just a test run.
Using social media to spread the attack makes it especially hard to defend against: with so many comments, picking out the malicious ones from the usual drivel is difficult. It also lets the hackers change the malware’s command address and erase traces of previous addresses.
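A triage pass a defender could run over a comment thread, added here as an example and not code from the article or from ESET. ESET’s analysis, which this article summarizes, reported that the comment used the zero-width joiner (U+200D) as an invisible marker; the exact selection rule the extension applied is assumed here (one joiner placed directly before each chosen visible character), and the sample thread and the placeholder string it selects are constructed.

```python
import unicodedata

# Zero-width / format code points that render as nothing inside a comment.
# U+200D (ZERO WIDTH JOINER) is the one ESET reported in the Instagram comment;
# the others are common look-alikes worth sweeping for in the same pass.
INVISIBLE = frozenset("\u200b\u200c\u200d\u2060\ufeff")

def invisible_positions(text):
    """Offsets of every invisible code point in a comment."""
    return [i for i, ch in enumerate(text) if ch in INVISIBLE]

def selected_chars(text):
    """Visible ASCII letters/digits that sit directly after an invisible marker.

    Assumed encoding for this example: the comment reads as ordinary spam, and a
    joiner placed before chosen visible characters tells the implant which ones
    to pick. Only ASCII alphanumerics are collected because a URL path fragment
    is made of those; emoji sequences, which also use U+200D legitimately, are
    therefore not reported as payload."""
    picked = []
    for i in invisible_positions(text):
        if i + 1 < len(text) and text[i + 1].isascii() and text[i + 1].isalnum():
            picked.append(text[i + 1])
    return "".join(picked)

def triage(comments):
    """Flag every comment carrying invisible code points and return a report."""
    report = []
    for idx, text in enumerate(comments):
        pos = invisible_positions(text)
        if not pos:
            continue
        report.append({
            "index": idx,
            "markers": len(pos),
            "names": sorted({unicodedata.name(text[i]) for i in pos}),
            "selected": selected_chars(text),
        })
    return report

# Constructed sample thread. Comment 1 selects the placeholder "t3stPth" (not a
# real URL path); comment 2 is a benign family emoji, which uses U+200D too.
SAMPLE_COMMENTS = [
    "omg she looks amazing",
    "so \u200dtrue \u200d3 times lol \u200dsweet \u200dthx \u200dPaula \u200dthanks \u200dhun",
    "\U0001F468\u200d\U0001F469\u200d\U0001F467 family goals",
    "#Hot #X",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_COMMENTS):
        print(entry)
```

The emoji comment is flagged for its joiners but yields no selected characters, which is the distinction a responder needs when legitimate ZWJ sequences sit in the same thread.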
The malware disguised as a Firefox extension spread through compromised, unnamed, Swiss cyber security software. The software asked users to install the malicious extension, which acts as a backdoor allowing remote access to the computer. From a remote location and without the owner’s permission, the extension can download files to the user’s computer, steal files, send a file listing with sizes and dates back to the hackers and execute a file.
ESET says this kind of attack was previously used by hacker groups like the MiniDuke attackers who targeted NATO in 2013.