Russian hackers are hiding malicious code in plain sight — on Britney Spears' Instagram


Oops, Russians did it again.

Turla, a notorious Russian-speaking hacking collective, hid the URL of its control server in comments on Britney Spears' Instagram, as detailed in a new report from antivirus providers on WeLiveSecurity.

"It's akin to storing or hiding instructions in plain sight," Whitney Merrill, infosec attorney and technologist, said in an email. "It reminds me of spy movies where the spy is supposed to look for particular words or phrases in a publicly published newspaper to receive a message and know how to act."

You can read about the hackers' full process here. A brief explanation: The JavaScript backdoor — actually a Firefox extension — scanned and hashed all of the comments on Britney's Instagram post until it detected one with a certain value, which then fetched the domain of the control server that moves stolen information to and from compromised computers.

In this case, the value was 183. The comment was "#2hot make loved to her, uupss #Hot #X." The photo:

"We are aware of this activity and have taken action against the responsible accounts," an Instagram spokesperson said in an email to Mic.

This method isn't exactly concealing malware, but rather obfuscating the URL that ultimately communicates with the infected internet-connected devices. Merrill noted that it's a slick way to hide the instructions from static analysis — a type of debugging program that examines code without actually executing it.

"This particular use of Britney's Instagram account is clever," Merrill said. "I haven't seen it before. But I wouldn't be surprised if other pieces of malware are using a similar tactic."

Can't we just... leave Britney alone?

June 7, 2017, 1:10 p.m.: This story has been updated.