Research uncovers secret scheme that takes over your connected devices & uses them to make fake fan accounts.


How do you feel when you find out someone has throngs of fake followers on their social media account?



___Eager to buy your own stash of faux fans

Your feelings may take a new turn when you find out this—researchers have discovered an underground operation that takes over your connected devices and turns you into a phony follower without your knowledge.

You could be hosting one of the thousands of false accounts bought by attention-hungry people and businesses looking to pump up their online fame.

Cyber swindlers harnessed an army of smart devices—like home routers—called a botnet to pull this off. The biggest surprise for researchers?

“How the botnet developed a clever scheme to make money without attracting the attention of law enforcement,” said GoSecure cybersecurity researcher Masarah Paquet-Clouston told Archer News.



A social media account with an unusual pattern of only 34 tweets, but more than 10,000 followers.


How they did it

The tricksters want to overcome a big obstacle—social media platforms like Instagram keep watch for sham accounts and may delete them. 

So the scheme operators need thousands of different IP addresses—like yours—to make it look like the accounts are from different people.

They use a program to guess the password on your connected item—easy to do if you didn’t change the password when you got the device—then infect it with a special malware, researchers said in their report.

That malware makes your device part of the botnet, and soon it will host a new, bogus account that could follow, like and even comment for people paying for fake fame.

“Large social media players, law enforcement, and hosting providers should collaborate in order to shut these operations down,” said Olivier Bilodeau, cybersecurity research lead at GoSecure, who worked on the project along with Paquet-Clouston, Thomas DuPuy of ESET and David Décary-Hétu of the University of Montreal.



An Instagram account with only 37 posts, but more than 80,000 followers.


How they found it

Researchers set up decoys—devices set up to look like your home router—then monitored them for nine months, the report said.

The botnet, dubbed Linux/Moose, took them over, giving investigators a peek into how it does its deeds.

The botnet operators will start by creating an account—usually on Instagram—through your IP address, researchers said. 

The mock account will feature a picture of an animal, plant, landscape or building as its avatar, and a string of random letters and numbers as its name. It will have no posts, and no followers of their own.



Schemers took over home routers to create fake Instagram accounts, according to researchers. Photo credit: / CC0


Trying to look human

The hoaxers will run the account automatically through your home device, according to the report.

They will try to make their automated system look human by checking the fake account feed and inbox and browsing Instagram for a while.

Then, their system will like and/or follow the person who paid them—knowingly or not—to steal some of your cyber space for social media fraud. 

“The botnet provides a service mostly to individuals or businesses looking to increase their public profile and present themselves as famous and well-known when, in reality, they might not be,” the researchers wrote in their report. “The market demand for this fraud is shaped by people’s greed for fame, from which large-scale botnets profit.”



An Instagram account with only 17 posts, but more than 68,000 followers. The account offers to sell followers to Instagram users.


Who’s buying?

The buyers of these fake fans are often little-known performers trying to make it big, clothing shops looking for an instant following, hairdressers who want “buzz,” or people who simply want more attention for their selfies and lifestyle pics, according to the report.

The botnet customers include car shops, makeup companies, actors, tattoo artists, businessmen, bloggers, interior designers and more, researchers found.

The popularity-seekers can find hundreds of companies offering pre-paid likes and followers on the Internet. The companies often try to justify their product by normalizing the crime.

“We are not just here to make money. We are also here to help you achieve your goals and make your dreams come true,” says a site that promises legions of digital disciples.

Another site claims the number of likes on your account is crucial.

“Believe it or not, but this number represents the quality of your image,” it says. “Your pictures are great, but in such a big social network as Instagram, your viewers will most likely skip your content without even properly looking at it if you don’t have the likes to back it up.”



A price list for purchasing followers on one of the many sites offering fans & likes for a fee.


Gone in a flash

But if you pay the money, you could end up with more disappointment than followers.

Instagram knocked down more than 70% of the fake followers in this botnet, the report said, as scheme operators spent a lot of time making new accounts, but not maintaining the ones they already have.

“We also demonstrated that the ‘followers’ don’t last, which means that the service or product is not even worth the money,” Bilodeau told Archer News.

“Not stable”

The report did not say which insta-follower companies online use the Linux/Moose botnet. However, customers of many companies report problems with fading fans.

“After a few weeks the followers begin to disappear,” a customer wrote about one company online.

“Lost 5000 plus followers!! Not stable at all,” said another.

“I got the followers they promised, but after about a week and a half they all disappeared,” a customer noted in disgust.

The company in question claims in its FAQ’s that it will replace those followers immediately.

But unhappy reviewers said that did not happen.

“Absolute waste of time and money,” a customer concluded.



One site selling followers shows ‘before’ & ‘after’ images of accounts it claims to have supported with followers or likes. 


Few answers 

Contact the companies yourself, and you may not get many answers.

One company claims it no longer answers phone calls “due to extremely high volume.”

Another said it doesn’t use hacking to add thousands of new fans to your account.

“These are our real looking profiles that are managed by us,” the company said. “Our profiles are from worldwide. Some of them may are real profiles and others high quality profiles.”

Another company that received many complaints online says it’s no longer in that kind of business—but offers a special discount for any of its customers who want to sign up with its “long-term partner” with a different name.



One company offering followers for sale says it has stopped accepting phone calls.


Checking for fakes

Researchers found telltale signs of people using this botnet. They often have large numbers of followers, but few likes or comments. One customer showed 855,000 followers, but only 106 posts.

Fake followers on someone’s account does not automatically mean that person paid for them, however. Some fake accounts will follow and post messages for other reasons, including political influence.

There may be no easy way to find out if one of them is using your connected device as a tool to fool the masses.

“The lack of antivirus and security software available for these devices allows the botnet to spread and it is therefore very difficult to detect in the wild,” researchers wrote.



An Instagram account advertising a way to get as many as 10,000 followers a day. The account has only four posts, but more than 11,000 followers.


Making money off of you

The average cost for 1000 fake followers is about $16, according to researchers.

If a botnet operator has taken over devices around the world, he or she could make hundreds of thousands of dollars.

“With a large botnet and all follows monetized, the operators of Linux/Moose are sitting on a gold mine,” the report said.

Your takeaway

You may not care if these cyber schemers illegally use your router to trick people on Instagram. 

But the operation does allow crooks to hone their fraud skills, seeking out new ways to abuse your connected things for crime.

Botnets have already found ways to use your connected devices like cameras and digital video recorders to shut down your access to some of the big sites on the Internet, like Twitter, PayPal and Amazon.

Researchers hope their report will make a difference.

“Public awareness is good because people might think twice before giving their money to schemes like these,” said Bilodeau.



A post from an Instagram account claiming to provide real human followers.


Fake influence

Some people and companies use likes and followers as an assessment for hiring, or for signing up as a customer. 

And some companies pay Instagram or Twitter users to spread a message, based on the amount of people the companies think they will reach. For example, a fashion and lifestyle blogger can earn more than $5,000 for an Instagram post, Mashable reported.

People may need to change their view of social media stats—and change their security habits at home.

“First, they need to be careful when assessing online popularity, as buying social media fraud seems to be a thriving practice,” said Paquet-Clouston.



Instagram asks users not to collect fakes followers & likes in its Community Guidelines.


Save yourself

“Second, changing default/weak credentials on IoT devices—such as routers, IP cameras, etc.—can prevent the malware from infecting new devices,” she added.

So far, law enforcement has not shown interest in taking down the scheme, according to Bilodeau.

“With research like this, we now have a serious reference to point people to when we say this is an important problem that should be addressed,” he said.