The streak of hacked celebrity Instagram accounts continues as a group of cybercriminals targets them to promote scam sites to their huge followership.

The group's victims include actor Robert Downey Jr. (43.3m followers), hacked last week, singer-songwriter Nicole Scherzinger (3.9m followers), and TV personality Yanet García (11.5m followers).

Same pattern

Each of the Instagram accounts was hijacked over the past couple of weeks, and the attackers held control long enough to rotate multiple shortened links leading to webpages with surveys that collect personal information; this data is sold for marketing purposes, typically of a darker shade.

Furthermore, for each survey completed, the attackers earn a "commission" for generating the lead.

The group follows the same pattern: after hijacking an account they change the bio to announce a fake giveaway for iPhone XS devices; BleepingComputer has found that it is the same message in all three cases.

The giveaway is for 2,000 phones and visitors are instructed to go to the Story page to find more offers.

The hackers use multiple link-shortening services, Bit.ly and TinyURL among them. While they control the celebrity accounts, they appear to publish multiple links in the bio section.

However, from what we could verify, they all lead to pages on the same domain - dudemobile[.]net - that offer surveys and app downloads. The screenshots below are the redirects from links posted on the hacked Instagram accounts of all three celebrities.

Users around the world landing on these pages see them translated into their own language.

In the case of Nicole Scherzinger and Yanet García, the hackers created a more effective lure. They changed the bio section to announce that the celebrity would be releasing a sex tape if visitors downloaded an app available at a provided link.

In an image featuring a fake nude of the American singer, the attackers explained that when the app download counter hit 5,000, the video would be released.

A similar deal was available for the followers of the Mexican celebrity, but the counter for releasing the alleged footage was much higher, 30,000 downloads.

Visitors to her profile were also lured with a fake nude image, as García said that the pic was from a modeling photo shoot and had been altered to depict her naked.

On September 16, García took to Twitter to ask Instagram to reinstate her control over the profile. The tweet has since been deleted, but her message shared an image published by the hackers and asked for help.

HELP ME!!!! @instagram PLEASE!

My account has been hacked !!!! pic.twitter.com/qJLGWixi5b

— Yanet García (@IamYanetGarcia) September 16, 2019

Deep fake software

It is unclear what the hackers used to alter the pics of both Scherzinger and García, but deep fake programs could be the answer. They are easy to come by and subscriptions typically start from around $50.

One individual involved in the development and marketing of one such app told BleepingComputer that their app works only for female models, but a feature update might add support for males, too.

The software is powered by an algorithm that relies on GPU and CPU power to strip clothing off and create a naked version of the female. It works best with high-resolution bikini pictures, which are easy to find for celebrity women.

Despite being subscription-based, we were told that the authors released the program for "educational or demonstrative purposes only" and that they are not liable for damages resulting from using content produced by their app.

This software is powered by an algorithm that strips clothing off a woman's image and adds realistic-looking breasts and intimate parts.

Deep fake technology has generated a lot of controversy. The DeepNude project, which was the first to gain huge popularity, had a short life and shut down after it started to be misused.

Keep your account secure

The infosec community has been beating the drum for a long time about what you can do to secure your online accounts, and it starts with a strong, unique password that is as long as the service supports.

Tools like password managers can help generate the right string, allowing you to include special characters, numbers, and upper and lower case letters. They also let you use these complex passwords without having to remember them.

On top of this, many services today offer two-factor authentication (2FA), a feature that can keep your account locked even if hackers manage to steal your credentials. This works by asking you to authenticate by typing in a temporary code, typically delivered to a device you possess via a text message or generated by a mobile app.

This way, an attacker cannot log in using just the account credentials; they would also need access to your device, which makes their job a lot harder.