
Tenable Blog

Instagram Porn Bots Evolve Their Methods for Peddling Adult Dating Spam

Incentivized by affiliate programs, scammers are evolving how they utilize fake Instagram accounts to target users on the popular social media platform.

As social networking services rose to prominence in the early part of this century, the services themselves and all manner of other businesses saw the revenue potential that came with targeted advertisements tailored to individual interests. At the same time, scammers, who until this point had relied on email as their vehicle to promote adult dating and webcam-based scams, were quick to capitalize on the burgeoning platforms — albeit in shadier ways — in order to earn money from affiliate sign-ups. 

In the years since, an entire cottage industry of scammers has cropped up, using bots to redirect social media users to fake accounts in order to game the lead-generation system. Indeed, since 2016, Instagram users have been subjected to a variety of scammers peddling adult dating and webcam spam via porn bots. The activities of the porn bots range from simply following Instagram account holders to liking and commenting on their photos to, more recently, exchanging direct messages with them. 

To its credit, Instagram — which attained 1 billion monthly active users (MAU) in 2018 — has worked to try to thwart the efforts of the operators of these porn bot accounts, but, as you can imagine, it is a cat-and-mouse game. As someone who has been researching this space for many years, the cat-and-mouse game fascinates me. This post aims to highlight some of the notable trends I’ve recently observed with Instagram porn bots, such as the use of intermediary accounts and bots using literary quotes in their photo captions, and discusses the driving force behind their presence as part of my continued effort to educate Instagram users. 

Instagram Porn Bots

[Image: Instagram porn bot profile (Instagram Porn Bots Evolve Their Methods for Peddling Adult Dating Spam)]

Historically, Instagram porn bots were self-contained, performing activities such as liking photos and following users, with a link placed directly in their bio alongside suggestive text, as seen in the example above. These porn bots have since made some simple changes, for instance adding Story rings around their profile images to make it seem as though they’ve posted an Instagram story, and removing their suggestive text.

[Image: Instagram porn bot profile with Story ring (Instagram Porn Bots Evolve Their Methods for Peddling Adult Dating Spam)]

However, in an effort to bypass some of the mechanisms in place to detect this type of activity, porn bot operators began to leverage what I’m referring to as intermediary accounts.

How Porn Bots Use Intermediary Accounts

[Image: How Instagram Porn Bots Use Intermediary Accounts]

In this example, the intermediary account, “kayla,” follows a user. Visiting this profile shows there are no photographs on the account. However, the bio contains emojis and the words “My Nude Pics Here” spaced out with periods in between. The added punctuation is an attempt to bypass some of the automated measures Instagram may have in place to detect such activity.

The reason this is considered an intermediary account is because it instructs users to visit a different profile. In this case, the “kayla” intermediary account is linking to a “babe” account.
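As an added example (not code from the post or from Tenable), the Python triage function below applies the normalization idea the post describes from a defender's side: it strips periods, spaces, symbols and emojis from a bio so a lure phrase such as “My Nude Pics Here” still matches however it is spaced out, then checks whether the bio points at another @handle (intermediary pattern) or carries a shortener link (landing pattern). The phrase list, shortener hosts, verdict labels and sample bios are all constructed for this example.

```python
import re
import unicodedata

# Lure phrases the post reports in intermediary and "babe" account bios.
LURE_PHRASES = ("my nude pics here", "all nude pics posted on website")
# Shortener hosts named in the post; the set itself is this example's own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

HANDLE_RE = re.compile(r"@([A-Za-z0-9_.]{1,30})")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def canonical(text: str) -> str:
    """Lowercase the text and keep only letters and digits.

    Periods, spaces, symbols and emojis inserted between letters or words
    ("M.y. N.u.d.e." or "My . Nude .") are dropped, so both spacing tricks
    collapse to the same string as the plain phrase.
    """
    text = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def triage_bio(bio: str, post_count: int) -> dict:
    """Classify one profile from its bio text and number of posts.

    Verdicts (labels invented for this example):
      intermediary - lure phrase plus an @handle pointing elsewhere, no link
      landing      - lure phrase plus a URL-shortener link
      lure         - lure phrase only
      clean        - nothing matched
    """
    canon = canonical(bio)
    lures = [p for p in LURE_PHRASES if canonical(p) in canon]
    handles = HANDLE_RE.findall(bio)
    hosts = [h.lower() for h in URL_HOST_RE.findall(bio)]
    shorteners = [h for h in hosts if h in SHORTENER_HOSTS]
    if lures and shorteners:
        verdict = "landing"
    elif lures and handles:
        verdict = "intermediary"
    elif lures:
        verdict = "lure"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "lures": lures,
        "handles": handles,
        "shorteners": shorteners,
        "empty_profile": post_count == 0,  # both accounts in the post had no photos
    }


# Constructed sample profiles modelled on the post's descriptions.
SAMPLE_PROFILES = [
    ("M.y. N.u.d.e. P.i.c.s. H.e.r.e 👉 @babe_example_01", 0),
    ("ALL NUDE PICS POSTED ON WEBSITE, LOOK 👇 https://bit.ly/EXAMPLE", 0),
    ("Coffee. Trail runs. Photos of my dog.", 42),
]

if __name__ == "__main__":
    for bio, posts in SAMPLE_PROFILES:
        print(triage_bio(bio, posts)["verdict"], "<-", bio)
```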

[Image: How Instagram Porn Bots Use Intermediary Accounts]

Similar to the intermediary account, the “babe” account also doesn’t contain any photos. However, this bio contains no obfuscation of the text, directly stating “All nude pics posted on website, look” with a link to a Bitly-shortened URL.

Not having any sort of activity associated with the “babe” accounts allows them to persist on the service without getting flagged by automated means. Based on intelligence from some of the domains used in the babe campaign, it appears the person behind that particular campaign has been actively pursuing Instagram porn bot spam since at least the middle of 2016. They’ve registered close to 1,300 domains since 2016, nearly 100 of them in the last six months.

Prevalence of “Babe” and Similar Instagram Accounts

There are quite a few similarly named “babe” accounts on Instagram. They all have the phrase “ALL NUDE PICS POSTED ON WEBSITE, LOOK” along with emojis in their bios, but only a handful of accounts have Bitly-shortened URLs as well, indicating these are actively being used. It is unclear if the accounts without Bitly-shortened URLs have been abandoned after they served their purpose or if they are spare accounts ready to be used once the active accounts have been removed by Instagram.

[Image: Prevalence of “Babe” and Similar Instagram Accounts]

In addition to the “babe” accounts, there are other accounts with a different naming convention that are essentially identical. The same Bitly-shortened URL was used by several “babe” accounts as well as an “n_” account, indicating that each batch of accounts was generated by the same person.

[Images: Prevalence of “Babe” and Similar Instagram Accounts]

Use of “Novel” Porn Bot Accounts

Even as we see an uptick in the use of intermediary accounts, some porn bot accounts on Instagram still follow users directly to capture their attention. I recently observed a new batch of accounts that were slightly different from normal porn bot accounts. These accounts aren’t blank; they typically contain a maximum of three photographs. Their names contain two random emojis, one at the beginning and one at the end. For instance, one account named “Carolyn Jones” has the vulcan salute emoji followed by a smiling face with horns emoji.

[Image: Use of “Novel” Porn Bot Accounts]

What’s peculiar about the photos on this account is their seemingly random nature, which is an intentional effort to avoid suspicion in three ways:

  • Unlike most porn bot accounts, which promote sexually suggestive imagery on their profiles, these images are not suggestive.
  • The woman in the images doesn’t look like the same person from one photo to the next.
  • There is no tagline of any sort in the bio and no short URL.

[Image: Use of “Novel” Porn Bot Accounts]

The random images themselves don’t contain links or any suggestive commentary either. Instead, they include some text that appears to be truncated. In the example above, the image contains a quote from The Count of Monte Cristo by Alexandre Dumas.

Similarly, another porn bot account named “Pamela Turner” included another truncated Dumas quote from The Count of Monte Cristo, albeit from a different source.

[Image: Use of “Novel” Porn Bot Accounts]

Another porn bot account named “Denise Sanders” had very little text on each image, save for one image that included a shorter, truncated quote.

[Image: Use of “Novel” Porn Bot Accounts]

This account wasn’t quoting any of Dumas’ novels, opting instead to use a truncated quote from George R.R. Martin’s famous Game of Thrones novel.

In some respects, these accounts are novel in their approach, and at the same time they also use quotes from novels, which is why I’m referring to these as “Novel Accounts.”

“Conversing” With A Porn Bot in Direct Messages

Since Novel Accounts and other porn bot accounts with nothing in their bios aren’t promoting their adult dating spam in public, they do so privately in direct messages. Following one of these accounts and initiating a conversation leads to “conversations” in broken English, such as this one with “Carolyn Jones” from earlier.

[Image: “Conversing” With A Porn Bot in Direct Messages]

A similar “conversation” occurred with “Pamela Turner” as well.

[Image: “Conversing” With A Porn Bot in Direct Messages]

What is interesting about these “conversations” is the delay between responses. The “Carolyn Jones” porn bot account took an hour to respond to the initial message, while the “Pamela Turner” porn bot account took five hours to respond. A subsequent message did not receive a response for nearly 22 hours. The reason for the delay is unclear. It could be a feature in the bot configuration to attempt to evade automated mechanisms looking for bot-related behavior within Instagram Direct Messages.

In both “conversations,” the same domain was used in the initial message with a different name in the path (Alison, Amy) despite their account names being entirely different (Carolyn, Pamela). Interestingly enough, in the latter exchange the second link used a different URL but with the same path (Amy).
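The post pivots on shared links twice: several “babe” and “n_” accounts reusing one Bitly URL, and two DM bots reusing one domain with different names in the path. As an added example (not code from the post or from Tenable), the Python snippet below clusters observed accounts into campaigns when they share an exact short link or a destination host, using a small union-find so the grouping is transitive. The observations, account names and URLs are constructed placeholders; paths alone are deliberately not used as a pivot, since the post shows the same path reused across different domains.

```python
from urllib.parse import urlsplit

# Shorteners the post names; an exact short link is treated as a strong indicator.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}

# Constructed observations shaped like the post's findings: several "babe" and
# "n_" accounts sharing one Bitly link, and two DM bots sharing one domain with
# different names in the path. All names and URLs are placeholders.
OBSERVATIONS = {
    "babe_a": ["https://bit.ly/SHORT1"],
    "babe_b": ["https://bit.ly/SHORT1"],
    "n_c": ["https://bit.ly/SHORT1"],
    "carolyn": ["https://dm-example.invalid/alison"],
    "pamela": ["https://dm-example.invalid/amy", "https://other-example.invalid/amy"],
    "dorothy": ["https://tinyurl.com/SHORT2"],
}


def indicators(url: str) -> set:
    """Indicators to pivot on: the exact short link for a shortener URL,
    otherwise the destination host (paths alone are too weak to cluster on)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return {("short", host + parts.path)}
    return {("host", host)}


class UnionFind:
    """Minimal disjoint-set structure over account names and indicator tuples."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_accounts(observations: dict) -> list:
    """Group accounts that share any indicator, transitively, into campaigns.
    Returns a sorted list of sorted account-name lists."""
    uf = UnionFind()
    for account, urls in observations.items():
        uf.find(account)  # register link-less accounts as singletons
        for url in urls:
            for ind in indicators(url):
                uf.union(account, ind)
    groups = {}
    for account in observations:
        groups.setdefault(uf.find(account), []).append(account)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for campaign in cluster_accounts(OBSERVATIONS):
        print("campaign:", ", ".join(campaign))
```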

One thing to note is that, while these Novel Accounts appear to be unique and may be operated by a single spam operator, engaging with Instagram users via direct messages to peddle spam links isn’t unique.

Fake “Safe” Instagram URL Message

Another Instagram porn bot tactic I’ve observed involves faking an Instagram page that claims a URL has been deemed as safe by Instagram.

[Image: Fake “Safe” Instagram URL Message]

The porn bot in this case links a user to a website via the short URL service TinyURL. The “Leaving Instagram” page is hosted on a .xyz domain and merely acts as an obfuscation layer to convince the user that the link they’re browsing to is indeed safe.

Non-Mobile Users Redirected to Benign Pages

In some instances, if a link is visited from a computer, users will be redirected to a non-adult themed page. For instance, one of the campaigns I’ve observed while browsing on a desktop will serve up a saved copy of an old article from the Planetary Society that contains broken images and stylesheets.

[Image: Non-Mobile Users Redirected to Benign Instagram Pages]

Visiting this same link from a mobile device will result in a 302 redirect to the scammer’s intended website. While this might be viewed as an effort to thwart examination by a researcher on a computer, there are ways around it for research purposes. However, the real intention behind the redirects is likely to ensure that the “lead” is coming from a mobile device and not a computer, in order to comply with the adult dating affiliate program guidelines.

Group Instagram Direct Messaging

Outside of intermediary or Novel Accounts, some scammers opt to take a more direct approach when pushing adult dating spam: send out a group direct message to a large number of users.

[Image: Porn bots use Group Instagram Direct Messaging]

In the case above, a porn bot account named “Dorothy” added 25 users to an Instagram Direct message chat. According to Instagram, users can add up to 32 users to an Instagram Direct message thread.

While anyone can send an Instagram Direct message to other users, such unsolicited messages get filtered into a separate “Message Requests” section. The bot operators normally don’t change the group name, but sometimes they name groups something like “my very hot photos.”

[Image: Porn bots use Group Instagram Direct Messaging]

A mass Instagram Direct message from one of these porn bots asks the user if they want to let “Dorothy” message them; the link and image thumbnail aren’t displayed to the recipient.

[Image: Porn bots use Group Instagram Direct Messaging]

Once the message request is accepted, it reveals a link and thumbnail claiming to direct the user to the pin-up model community site, SuicideGirls.

[Image: Porn bots use Group Instagram Direct Messaging]

In another example, the porn bots include links claiming to direct users to OnlyFans, a social networking service with a less-restrictive content policy that’s used by models and porn actors to offer content via subscriptions.

[Image: Porn bots use Group Instagram Direct Messaging]

These links do not lead users to the SuicideGirls or OnlyFans websites after all. Just like the other porn bot accounts above, the links lead to a hookup site intermediary page.

Intermediary Pages for Adult Dating and Webcam Sites

While I’ve noted the presence of intermediary accounts, Instagram porn bot operators also leverage intermediary sites (referred to as “prelander” pages) designed to serve up varying campaigns that direct users to different adult-themed dating and webcam sites.

[Images: Intermediary Pages for Adult Dating and Webcam Sites]

The user is asked to fill out a “survey” about their sexual preferences, which leads to the intended adult dating or webcam website. In these instances, they lead to websites called Snapcheat and Sinder, a play on the popular social networking and dating apps Snapchat and Tinder. Included in these URLs are query strings containing parameters about campaign identifiers and, most importantly, affiliate identifiers.

[Image: Intermediary Pages for Adult Dating and Webcam Sites]

Affiliates and Bots: Like Peanut Butter and Jelly 

As discussed in a VICE piece about the money trail behind Instagram porn bots, the goal of the intermediary pages is to get male Instagram users to sign up for adult dating and webcam services like Snapcheat and Sinder. The services themselves rely on affiliate programs to bring in new users. Affiliate programs are quite common and used by many e-commerce sites. In the world of adult dating and webcam sites, these affiliate programs are not so stringent when it comes to cracking down on fraudulent activity. After all, the goal is to get more users to sign up to their websites.

In most cases, the affiliate can earn a lead simply by convincing the user to sign up to one of these adult dating or adult webcam websites. This is usually defined in the affiliate offers as the “flow.” In most cases, when a user completes the “free user registration” flow, it qualifies as a converted lead, which is usually worth anywhere between $2 and $5 per lead.

The Holy Grail of leads is when an affiliate offer includes verbiage like “CC submit,” which is when an affiliate can convince the user to submit their credit card to sign up for a free trial of a service. If the user doesn’t cancel the supposedly “free” trial, they are often billed between $40 and $100, which ensures that the affiliate gets a higher payout than for a free user registration lead.

In the case of most Instagram porn bot spam, the affiliates are leveraging free user registration affiliate offers. Therefore, we can surmise that those responsible for Instagram porn bot spam are focused on generating a large quantity of leads via simple sign-ups, versus pursuing the more lucrative offers that require the user to submit a credit card. The latter tactic has a higher barrier to entry which is, therefore, reflected in the affiliate payout amount. Despite the intermediary pages asking users if they are over the age of 18, users are still directed to the adult dating and webcam sites, making it likely that even underage teens are clicking on the links and signing up for the websites.

We reached out to Bitly and Instagram to provide them with information about the scam activity. Bitly confirmed it has suspended the account and removed the URLs generated by the scammer. Instagram did not respond as of the time of this publication. 

Link Activity from Instagram Spam

The URLs used in Instagram porn bot spam vary between direct links to intermediary sites and short URLs that mask the actual destination URL. Based on the short URL statistical data we were able to obtain from a limited number of campaign activities, the average number of clicks per link is roughly 285. This average is skewed by the wide variance in clicks per link, which ranged from nine at the lower bound to over 1,000 at the upper bound.

Bitly provides a breakdown of the clicks for each short URL. For instance, below is a breakdown of one of the larger-volume short URLs used in one of the “babe” campaigns.

[Image: Link Activity from Instagram Spam (Bitly click breakdown by referrer)]

When we pulled the statistics for this particular Bitly link on June 21, it showed over 1,000 clicks, 97% of which originated from Instagram, with a smaller subset coming from Facebook and a more generic bucket.

[Image: Link Activity from Instagram Spam (Bitly click breakdown by location)]

Geographic distribution of interaction with the Bitly link shows it is highly concentrated in the United States, but its reach spreads across 80 locations worldwide.

Conclusion

As long as Instagram has such a high volume of active users, it will continue to be a haven for porn bot scammers. After all, just as advertisers flock to social networking services like Instagram looking to capitalize on all of the eyeballs affixed to their screens, one should expect scammers won’t be far behind.

However, the only thing constant is change, so we anticipate these tactics will deviate over time, as the cat-and-mouse game continues to be played. For these scammers, one particular Dumas quote accurately depicts their efforts: “all human wisdom is summed up in two words; wait and hope.”
