When one thinks about an Instagram account being taken over by a malicious actor, one usually imagines some kind of hack or social engineering resulting in the theft of an account password. The refrain “It wasn’t me, I was hacked!” that you hear from some whose social media profiles are the subject of social scrutiny relies on this impression.
But there are many different ways to hack a cat. The latest in Instagram account takeovers appears to be done through the avenue of trademark law, interestingly enough. Motherboard has a fascinating write-up detailing an entire ecosystem of malicious actors who are abusing trademarks to convince Instagram to hand over access to accounts.
Scammers do this by creating fake companies and trademarks to convince Instagram they should be the legitimate owner of a username in question, with fraudsters using “trademarking,” as the technique is known, to get ahold of sought-after, valuable handles, according to posts and evidence of the process in action obtained by Motherboard. The scammers can then keep these handles as digital mementos, brag about their acquisition, or resell them at a profit in a thriving underground community.
Instagram allows users to report handles that a person or company believes infringes on their trademark. For example (this is a hypothetical), if the creator of the @disney handle on Instagram was not actually associated with Disney, the company may want to appeal to obtain ownership of the username. If Instagram agrees, it may then hand over control of the account to the original trademark holder. Instagram told Motherboard it has a team that works on trademark and intellectual property issues, and as part of that process, the team reviews whether a complaint may be fraudulent.
Judging by the sheer volume of bad actors that are “trademarking” in order to fool Instagram, it seems the company’s team is at best not fully up to the task of weeding out the fraudsters. And, to be clear, this isn’t so much a problem with trademark law as it is a problem with Instagram putting so much weight on supposed trademark ownership that it acts as the linchpin for account takeovers. That said, although the process is time-consuming, the ease with which bad actors can spin up trademarks makes this problem more widespread.
Several users on the underground forum OGUsers, which focuses on the theft and sale of high value Instagram accounts, appear to engage in the practice.
“I’m looking to get a trademark or fake trademark that will make it look like I own a word so I can get an insta username,” one user posted on the forum last year.
“Need someone from the uk to file a trademark from me,” another OGUsers member wrote last year. “Willing to pay fees + 20% in bitcoin.”
A previous Motherboard investigation found members of OGUsers often sell handles for thousands or sometimes tens of thousands of dollars worth of cryptocurrency, although most of those account hijackings likely rely on SIM-jacking, where a hacker takes control of a victim’s phone number.
Again, the ultimate culprit here is Instagram using a trademark, or supposed trademark, as the chief justification for handing over an Instagram account. There obviously needs to be more of a check in place to ensure that the process cannot be abused with this exact tactic. It’s also something of a symptom of ownership culture that an individual is allowed to point to a trademark, then to an Instagram account, and claim ownership.
It seems the only barrier to abusing trademark law for malicious actions is one of creativity.