This article is more than 3 years old

Attackers have set up a dark web domain for their “Doxagram” site that offers for sale the email addresses and phone numbers of high-profile Instagram users.

On 5 September, The Daily Beast reporter Joseph Cox tweeted out more than two dozen domains recently purchased by Facebook in an effort to protect Instagram users’ accounts against unauthorized access.

https://twitter.com/josephfcox/status/905000462000295936

As of this writing, Instagram and Facebook together have registered at least 280 domains for “Doxagram,” a service which hackers are using to spread the email addresses and phone numbers of potentially millions of Instagram users.

On the one hand, Doxagram appears to be linked to a incident where hackers exploited a glitch in Instagram’s API to expose the email addresses and phone numbers of only high-profile members like Selena Gomez.

On the other hand, Doxagram also contains regular users’ account data, with the hackers saying they have information pertaining to more than 6 million members, reports The Daily Beast.

Doxagram, which allows anyone to harvest account information for just US $10 a record, originally appeared as a .com domain before getting the boot from its web-hosting company. The service then appeared as a .ws domain before once again going offline. Those responsible for Doxagram suspect Facebook was responsible for these takedowns.

But they’re not worried about Instagram’s efforts. In fact, they think they’re “odd.”

Cox might know whey they feel this way:

“Despite Instagram’s apparent efforts, grabbing as many related domains as possible may do little to stop the flow of this data. Not only do over 1,500 different types of domains exist, the people behind Doxagram have also launched a dark web version of their website.”

A clever move on their part. A dark web site allows the hackers to reach an audience who would truly be interested in purchasing and monetizing users’ stolen Instagram credentials. Also, the hackers don’t need a company like GoDaddy to manage a dark web location; they can do it themselves. This makes it extremely difficult to take down a dark web site unless you have the involvement of federal law enforcement.

Those responsible for Doxagram said their service has made US $4,100 across its public and dark web versions so far.

Given this active “business,” it’s important that Instagram users watch out for phishing emails, calls, or texts that attempt to steal their account credentials. They would also be wise to set up a PIN with their mobile carrier lest someone attempt to steal their phone number and port it to a device under their control.

To learn more about this story, listen to this episode of the “Smashing Security” podcast:

Your browser does not support this audio element.https://aphid.fireside.fm/d/1437767933/dd3252a8-95c3-41f8-a8a0-9d5d2f9e0bc6/3e3a5aff-c463-4145-ba2b-ea8e33ab4194.mp3 Your browser does not support this audio element.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.