DEV Community

Cover image for Osintgram: The untold side of Instagram
Sriram M
Sriram M

Posted on

Osintgram: The untold side of Instagram

DISCLAIMER: This is not a “How to hack someone on Instagram Tutorial”. But rather an awareness post on how people get scammed on the internet and how to protect yourself from getting hacked.
Firstly, I would like to make something clear. If you intend to hack someone you’ve come to the wrong place. It is absolutely contemptible if you want to hack someone without their consent and with the tools available, it is highly unlikely that you get away with it! I believe in the principles of transparency of data. The information that I post here are publicly available and anyone can access it. And unfortunately getting hold of this and making it work is easier than you think. And I strongly believe that people should be aware of such scams. Having said all that hope is not lost, there are straight-up measures to make sure you are safe from getting hacked.

If you are not into the technical details but just want to learn how to protect yourself from the attack go to the end of the post.
The Script goes as follows:

1.OSINTGRAM

osintgram

Well to start things off, what is OSINT?
OSINT, otherwise Open Source Intelligence is a multi-methods methodology for collecting, analyzing and making decisions about data accessible in publicly available sources to be used in an intelligence context. In simpler words, these are publically available information that can be used for data analysis, data collection etc.
Osintgram is essentially a computer program that uses the Instagram API to gather information. On paper, there is nothing illegal about it, and it’s beautifully written code ( credits to the developers ). The more I think about it there are so many practical applications!
Datalux/Osintgram
Osintgram is an OSINT tool on Instagram to collect, analyze, and run reconnaissance. Disclaimer: The contributors do not…
github.com

The account is a dummy account created for educational purposes
Apart from flaunting the rather “typical hacker screen” terminal window, the developers have written code simple yet efficient code in your favourite language, C++( Just kidding it’s written in python XD ). But having gone through the code I must say it is just simple Instagram API calls. With which you can gather the following information:

  1. All registered addressed by target photos
  2. Target’s photos captions
  3. A list of all the comments on the target’s posts
  4. Total comments of target’s posts
  5. Target followers
  6. Users followed by target
  7. Email of target followers
  8. Email of users followed by target
  9. Phone number of target followers
  10. Phone number of users followed by target
  11. Hashtags used by the target
  12. Total likes of target’s posts
  13. Target’s posts type (photo or video)
  14. Description of target’s photos
  15. Download target’s photos in the output folder
  16. Download target’s profile picture
  17. Download target’s stories
  18. List of users tagged by target
  19. A list of user who commented target’s photos
  20. A list of user who tagged target

But the only hope is that all this information is accessible if the account is public or the account of the victim is followed by the perpetrator. So as a general rule of thumb do not follow some account you have no clue about. And as far as public accounts are concerned, this is process is rather computationally intensive and impossible to retrieve information ( at least for your everyday hacker who googled “how to hack someone on Instagram” ). And the information about the account of the hacker will be gathered at Instagram’s end.
The main scope of this article is complete but for the sake of demonstration on how a typical script will be written. I’ll be continuing with some more steps.

2.Blackeye

Blackeye is yet another Social Engineering tool that is available publicly on the internet. This allows anyone to host a dummy version of a well-known website to get information like the username and password. This is a far more powerful tool, at the same time, it can be easily detected. The website will have to be hosted ( mostly on temporary platforms like ngrok, serveo etc. )
So as a general rule of thumb, never open rather anonymous links especially ones ending with .ngrok.
But the original authors of the script have taken it down. Having said that there are many modified versions of the OG Blackeye is pretty easily accessible.

3.SET

SET ( Social Engineering Toolkit ) This is a popular tool usually packed with the default installation of Kali Linux(or any pen-testing distro for that matter). This is a swiss-army knife for social engineering, essentially gives you a list of tools for basic social engineering. The tool was intended to simulate an actual phishing mail for typical red-hat hackers (ethical).
So typically the perpetrator would create a dummy account and follow your Instagram account. Then would extract the information from your account using OSINTgram and gather information like ( say the email ids of your followers ). He would then send a string of spam emails to all your followers and would provide the link to a dummy website hosted using blackeye and people who ignorantly and log in with this link would compromise their credentials :(

Is all hope lost?

NO! this “scam” or most of the prevailing scams requires a lot of luck and a continuous series of careless moves by the victim. And many of these could be avoided with simple steps.

  1. Use a spam filter! All email services have spam filters, here is a link to a step-by-step guide to adding spam filters: spam filter
  2. Do not click on unknown or suspicious links. Most of the popular organisations host their links from their own server and it is highly likely that the domain name contains the name of the organisation and the website in it clearly. If the URL doesn't explicitly give that out avoid clicking on that link. And to double ensure I recommend using Virus Total and check if the website is safe to be visited.
  3. Avoid accepting follow requests from suspicious / rather unknown accounts. I must say it is quite difficult to make an anonymous account these days that don't get flagged almost instantly. And it is unlikely that the hacker would get away with it. But nevertheless, it always better to not get hacked and go through the whole process.
  4. Get yourself educated! Do not be technology ignorant! Do follow cybersecurity updates the latest trends at least the most popular ones.

Discussion (2)

Collapse
kirzin profile image
0xKirz

nice article