Scammers create Instagram click farm, leave their operation exposed online

Exclusive: Researchers find records used to fake Instagram engagement, exposed on the open internet.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read

Instagram doesn't always reflect reality. Security researchers said Wednesday that they found records from an operation that used fake accounts to sell likes and followers to Instagram users.

Getty Images

Instagram is a playground of deception. Filters, lighting and clever angles can make the humdrum look amazing.  

On Wednesday, a pair of researchers said the deceit extended beyond artfully edited photos to inflated follower counts, which can make accounts appear to have more reach than they actually do. Behind the artificial numbers: a click farm operation that boosted performances by using tens of thousands of fake IG accounts. 

Ran Locar and Noam Rotem said the scammers appeared to be operating out of Central Asia and used proxy servers to disguise the location of the fake accounts. The researchers, based in Israel, found usernames and passwords of the fake accounts, as well as clues to how the operation worked, on an unsecured cloud database.

Some influencers use click farms in an effort to boost their popularity on social media, which might help them win sponsorship deals or other promotional opportunities. It's unclear how widespread the practice is, but cybersecurity firm Cheq said last year that advertisers wasted an estimated $1.3 billion on ads and sponsored posts that were displayed to bots and fake accounts. The bogus engagement brings a level of fakery to the world of influencers that's worth remembering the next time you scroll through the enviable lives of social media personalities.

Locar and Rotem published their report with vpnMentor, a website that reviews privacy software for consumers. The researchers reported the database to Instagram in September, and the information is no longer exposed. Additionally, the data didn't include any usernames or passwords for real Instagram accounts.

Rotem and Locar called the operation sophisticated, even though the scammers committed a basic security blunder by not setting a password on their cloud database. Aside from that misstep, the criminals covered their tracks to avoid Instagram noticing the accounts were coordinated, and added new accounts as Instagram found and deactivated previous fake accounts. Facebook, which owns Instagram, has automated systems to detect fake accounts on Instagram, and can identify and deactivate them within hours.

"There's a cat and mouse aspect to them," Locar said.

Locar and Rotem search for exposed databases through a web scanning project. Typically, they find cases in which companies have failed to secure account or customer information. For example, a document storage company exposed before-and-after pictures from plastic surgery clinics around the world and a recruiting website exposed the expected salaries of job seekers

Other times, however, the exposed data comes from an apparent criminal enterprise. The research duo recently found exposed Facebook and Spotify account data belonging to real users, which had been compiled by criminals for other forms of fraud.

In addition to misleading sponsors and advertisers, buying fake engagement violates Instagram's terms of service. In 2019, Facebook sued a company in New Zealand for fraud after it allegedly sold likes and followers.