Scammers steal social media videos to wring hearts and wallets

“I’m walking!” squealed the adorable, 4-year-old Mighty Miss Maya, born premature and later diagnosed with spastic diplegia cerebral palsy, when she took her first independent steps.

“Ka-CHING!!!!” enthused one or more Instagram swindlers, who promptly swiped Maya’s photo and videos to plaster onto fake fundraising accounts.

Earlier this month, Maya’s family, the Tisdales, posted onto her Facebook page the news about the imposter accounts, along with a screen capture of one of them that had been written in Russian and featured Maya’s stolen images:

It was brought to our attention a few weeks ago that someone has been stealing Maya’s pictures and videos from our account. They have set up an account and have been using Maya’s pictures and videos to try to get donations. Obviously we are very angry and we are working to have this account shut down ASAP. We are also working on having these individuals charged with fraud for collecting money under false pretenses (a lawyer friend has reached out to us and they are working on this end of things).

Maya’s mother, Ann Tisdale, said that her family has been hacked and harassed on Instagram after a video of Maya went viral last month.

The Tisdales said that Instagram was initially unresponsive, even after they filed the appropriate take-down forms and after followers had also reported the account. After the Tisdales asked followers to comment on the post and to tag @instagram, or perhaps after they contacted the media, Instagram finally took down the account… which, unfortunately but predictably, precipitated a game of whack-a-mole as the scammer(s) put up new fake accounts as fast as Instagram took them down.

It went beyond mere imposter accounts when one fraudster tried to extort the family, Ann Tisdale told ABC News.

A scammer sent a direct message on Instagram to extort the Tisdales, saying that they’d keep posting fake accounts to “spite you” unless the family paid $30,000.

From ABC News’s translation of the message:

You cannot delete my account. I will and will create it again. Spite you until you stop putting us into the story. Or give 30 thousand and I will no longer create your page

Instagram said in a statement to the TV station that it’s shut down a number of accounts and blocked the users behind them from opening new ones.

How do you stop imposters when you’re a public cause?

In spite of Instagram’s actions, the fraudsters are putting up new fake accounts as fast as they’re taken down. That, unfortunately, is the price you pay when you have an account that’s open to the public instead of being private.

The Tisdales have openly shared Maya’s journey on Instagram, where her page has over 35,000 followers, and on Facebook, where her “cause” page has 19,000 likes. Since the girl was born – four months early, at 26 weeks, weighing only 1 pound, 10 ounces, and so tiny that her family put her father’s wedding ring around her wrist to wear as a bracelet – her story has inspired others, who’ve in turn lent emotional support to the family.

According to the family’s website, Maya’s specific type of cerebral palsy caused “the muscles in her hips, legs and feet to be tight or spastic” and left her “unable to stand on her own for more than a few seconds, or walk without the use of walker.” She received surgery and regularly goes to physical therapy to get stronger.

Why should the family have to give up on the mutual support they’re getting from social media? Why should an Instagram crook – one who’s profiteering off them, harassing them and extorting them – get to chase them offline?

They shouldn’t. And they won’t.

On 12 January, the family posted a defiant message to Instagram, saying that they weren’t going anywhere, in spite of Instagram’s dragging its feet to respond to their takedown messages. The family thanked followers for reporting the fraud:

When these scammers saw YOUR force they changed their user name. 😂 They thought they could hide their criminal behavior behind a new user name @pomzsh_angeline23 but it took less than 6 hours for our followers to catch this and report it to us. #teammaya #bettertogether. Thank you for showing us that our Mighty Girls story really means something to you. ❤️.

They also called out for the type of support you need if you don’t have the luxury of keeping your account private: a swarm of followers who keep reporting these fake accounts:

We ask that you help us by remaining vigilant in reporting these scammers. If you see they have changed their name please report to us. We know they will keep changing their name until they get tired of running or our legal team catches up with them. #icantwaituntilthishappens #dontmesswiththismomma👩🏼‍💻. We will continue to post their scam accounts to our feed like we did yesterday and ask that you blast @instagram and @facebook until they do the right thing and shut these accounts down. Thanks again for your love and support. You all are awesome. 👏

Imposters, fraudsters and hijackers…

Besides being preyed on by imposters, Instagram accounts themselves can be whisked right out from under you. In October, we saw a rash of attacks in which hackers demanded ransoms from high-profile Instagram users whose accounts they’d hijacked.

That wasn’t the first time. Back in 2017, Selena Gomez’s account was ripped off and used to post nude photos of her ex, Justin Bieber. Instagram subsequently warned that its API had sprung a leak, exposing high-profile Instagram users’ email addresses and phone numbers.

Six million Instagram accounts lost personal information from that bug, and then somebody went and created a database out of it: it included all the Instagram accounts with over a million followers, and it charged $10 per search.

Between bugs like that, phishing attacks and SIM swapping attacks – when attackers socially engineer cellular carrier employees to switch a cellphone’s number to a new SIM and thereby skewer the protection of multi-factor authentication (MFA) – it’s important to buckle up your Instagram account, even if you’re not an Instagram celebrity.

Last year, Instagram announced an improvement on its SMS-based 2FA (two-factor authentication): enhanced security through support for mobile app-based authentication.

Here’s how to set up your Instagram account to use a third-party authenticator app:

  • Go to your profile.
  • Tap the Menu icon.
  • Select Settings.
  • Choose Two-Factor Authentication.
  • Select Authentication App.
  • If you’ve already installed an authentication app, Instagram will automatically find it and send it a login code. In that case…
  • Go to the app, retrieve the code, and enter it on Instagram. That will automatically turn on 2FA.
  • If you haven’t already installed an authentication app, Instagram will shuffle you on over to Apple’s App Store or Google Play to download the app of your choosing (Sophos has you covered here: consider downloading Sophos Authenticator, which is also included in our free Sophos Mobile Security for Android and iOS). Once you’ve installed your chosen authenticator, return to Instagram to continue setting up 2FA.