Pop star Britney Spears' Instagram account was used by Russian hackers as a secret bulletin board to place coded messages that were part of a malware scheme, a security company reported.
Slovakian antivirus company ESET said in a blog post that it had found encoded messages in the comments section of Spears' account that, when scanned by a malware-infected computer, would give directions on where to send stolen information.
One innocuous comment posted in February looked like yet another semi-incomprehensible fan posting: “#2hot make loved to her, uupss HHot #X”
However, to those knowing what to look for, it could be translated into a website address that allowed malware to communicate with the computers controlling it. The purpose of the subterfuge was to ensure there was no easily followed trail between the hackers' computers and the computers their malware had infiltrated.
Spears would have had no knowledge that some of the comments posted in her official Instagram account were in fact coded messages between hacked computers, ESET senior malware researcher Jean-Ian Boutin said.
There was also no danger to anyone reading or following the account, Boutin said, and no possibility that their devices could have been contaminated or infected by viewing or clicking on it.
“There is no active or clickable content in this case, no harm can be done to the account’s followers,” said Boutin.
Spears' publicist did not immediately respond to a request for comment.
The message is akin to a spy leaving a window shade up or down to communicate with the agent's handlers. In that pre-digital scenario, the spy would simply walk down the street and glance up to the window to know whether he or she should go to a pre-arranged drop site to find a message left there.
In this case, the ESET researchers were tracking a gang of Russian-speaking hackers dubbed Turla.
Turla historically has targeted diplomatic, government, and defense entities across Europe, Central Asia, the Middle East, and the United States, said Cristiana Brafman Kittner, a senior analyst with computer security company FireEye.
Malicious software of the type used by the group infects computer networks and then waits for instructions on where to send the information it’s found.
In this instance, the attackers added comments to Spears’ Instagram account to hide an encoded URL that led to their servers and was meant to only be read by their malware.
Hiding these kinds of messages in plain sight isn’t common, though it does happen from time to time, said Boutin. An ESET team found a hacking program in 2014 that hid encoded addresses in Twitter accounts, but they haven’t seen it used in Instagram accounts prior to this, he said.
The ploy shows just how sophisticated and innovative attackers are as they work to avoid detection, said Ronnie Tokazowski, a senior malware analyst for security firm Flashpoint.
Elizabeth Weise: Phone/Signal: (415) 452-8741. Email: eweise@usatoday.com. Twitter: @eweise.