Crooks have put together a smut-themed scam campaign targeting Instagram users.

Affected users’ profiles have been altered with sexually suggestive imagery to lure their followers to adult dating sites, Symantec warns.

Attackers changed the Instagram account pictures and biographies to material plugging x-rated sites, earning affiliate fees in the process.

Hacked Instagram accounts share common traits: modified user name, different profile image (always a woman even if the hacked account originally belonged to a man), different profile full name, different profile bio, profile link changed/added and new photos uploaded. In some cases the hacked accounts have been compromised for months and have effectively been abandoned by their original owners.

Example of hacked Instagram accounts [Source: Symantec]

In addition to modifying the profile information, attackers upload photographs, which are often sexually suggestive. However, they do not delete any images uploaded by the account owner. The profile instructs the user to visit the profile link, which is either a shortened URL or a direct link to the destination site.

“While we do not know how these accounts were compromised, we suspect that weak passwords and password reuse are the cause,” Symantec speculated.

The security firm previously reported that Twitter accounts were being hacked to post links to adult dating and sex personals, similar to the new campaign against Instagram users. Despite similarities in tactics, its researchers have yet to establish a direct link between the two social media operations.

Earlier this year, Instagram began rolling out two-factor authentication to its users. Victims of account take-over should report incidents to social media firms, Symantec further advises.

The UK is the second most targeted country globally when it comes to social media scams, according to a recent study. ®