Checking Britney's Instagram could let the hackers attack

Emma Woollacott
Britney Spears' Instagram page, with the hackers' comment.
Britney Spears' Instagram page, with the hackers' comment.

Russian government hackers have found an unusual way to infect computers and steal information: the comments section on Britney Spears' Instagram photos.

The Turla hacking group - believed to be an arm of the Russian intelligence services - has been leaving comments on Spears' Instagram posts that tell its malware how to connect to the group's servers.

The comment isn't particularly enlightening for the general reader: "#2hot make loved to her, uupss #Hot #X." But when the malware sees this comment and calculates its 'hash value', it converts it to a web link that leads to a Turla site.

Unsuspecting visitors to Spears's Instagram page will then download a Firefox extension that allows the hackers to take over their computer. The criminals can then monitor everything the user types - potentially including passwords and banking information.

It's what's known as a 'watering hole attack', trapping visitors in the same way as a predator will lie in wait for prey.

See also: Ellie Goulding named the internet's most dangerous celebrity

See also: The bizarre piece of ransomware that forces you to play a game

The clever thing about using the comments section is that it allows the hackers to change their instructions at will. All they have to do is erase the original comment and include another one with the same hash value.

"Attackers using social media to recover a [command and control] C&C address are making life harder for defenders," say researchers from security firm Eset, which uncovered the attack.

"Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it."

Luckily, most Britney fans should be safe: Eset believes that only a handful of people are likely to have been affected. The attackers appear simply to be testing their system, perhaps before using it to target embassies, as they're believed to have done before.

Meanwhile, Instagram says it's taken action against the dodgy accounts; and Firefox is now working on a new version of the browser which would make attacks of this kind impossible in future.