Spam operators using bots to promote adult-themed services change their tactics to avoid Instagram's detection mechanism. Redirects remain the main stratagem, but they come with other tricks meant to push the user towards a particular website.

Bots surviving on the social networking platform follow users and wait for them to visit the profile and initiate a private conversation. These accounts give Instagram's protection mechanism little to pick up on.

There are no pics or any other details except for the profile name and a short bio stating that there are nude pics available, thus revealing the true purpose of the account.

The bio is spaced out with periods between each letter, specifically to remain undetected by Instagram's automated measures for spotting the activity.
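A defender's counter to this kind of spacing is to collapse separator-split letters before keyword matching. The following is an added example, not code from Tenable or Instagram; the watch-list, function names and sample bios are constructed assumptions, and the Unicode folding step goes beyond the period-spacing case described above.

```python
import re
import unicodedata

# Hypothetical watch-list for illustration; not Instagram's actual rule set.
WATCH_TERMS = {"nude", "nudes", "pics"}

# Three or more single letters joined by 1-3 punctuation marks: "n.u.d.e", "p-i-c-s".
# Whitespace ends a run, so ordinary word boundaries survive the collapse.
SPACED_RUN = re.compile(
    r"(?<![^\W\d_])[^\W\d_](?:[^\w\s]{1,3}[^\W\d_](?![^\W\d_])){2,}"
)
WORD = re.compile(r"[^\W\d_]+")  # runs of letters only


def fold(text: str) -> str:
    """Map compatibility forms (e.g. fullwidth letters) to plain ones, lower-case."""
    return unicodedata.normalize("NFKC", text).casefold()


def collapse_spaced(text: str) -> str:
    """Rejoin letters that were split by punctuation; leave other text as-is."""
    return SPACED_RUN.sub(lambda m: re.sub(r"[\W\d_]", "", m.group()), fold(text))


def scan_bio(bio: str) -> dict:
    """Return watch-list hits, and which hits only appear after collapsing."""
    plain_words = set(WORD.findall(fold(bio)))
    normalized = collapse_spaced(bio)
    hits = WATCH_TERMS & set(WORD.findall(normalized))
    return {
        "normalized": normalized,
        "hits": sorted(hits),
        # Terms hidden by spacing: the evasion itself is a useful signal.
        "evasive": sorted(hits - plain_words),
    }


if __name__ == "__main__":
    # Constructed sample bios, not taken from real accounts.
    for sample in ("N.u.d.e p.i.c.s -> see l.i.n.k",
                   "Nude pics here",
                   "Trip to the U.S.A. e.g. New York"):
        print(scan_bio(sample))
```

The `evasive` field separates terms that were visible in plain text from those that only surface after collapsing, so a filter can weight deliberate obfuscation more heavily than the keyword alone.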

Satnam Narang of cybersecurity company Tenable says that accounts of this type are intermediaries, in that they do not provide visitors a link to the source of the adult content.

Instead, they provide a link to another Instagram account with a non-obfuscated bio and a Bitly-shortened URL. Should this account fall, another will probably take its place.

The lack of activity on this account, which follows a specific name pattern, makes it safe from being detected through automated means. Narang found that the operator behind this campaign has been active since at least the middle of 2016 and has created almost 1,500 accounts since then.

The naming convention may be a method to keep track of the campaigns, or it may indicate multiple actors playing the same game.

Not all bot accounts used for adult-themed spam follow a pattern for coming up with a name. Some of them use a woman's name and also contain a few regular pictures, not suggesting adult content. This is another tactic to thwart detection mechanisms.

Another thing they have in common is that the photos come with truncated quotes from well-known novels. Narang found quotes from Alexandre Dumas' 'Count of Monte Cristo' and George R.R. Martin's 'Game of Thrones.'

The researcher calls these "Novel Accounts" both because of the quotes and because they use a new approach.

There are no links available in the profile info, but engaging in a conversation with them shows automated responses that direct the user to a website that typically has adult content or services.

"What is interesting about these “conversations” is the delay between responses," Narang notes, adding that some replies came even after 22 hours.

In some cases, the bots contact the targets through direct messages aimed at Instagram groups. Spammers create a direct message chat with as many users as possible (up to 32) and send text designed to elicit a reaction.

Some of the websites promoted this way lead to surveys about sexual preferences and then redirect to an adult dating or webcam page.

To keep users' suspicions at bay, some operators set up a fake Instagram page claiming that the landing location has been verified and found to be safe.

The reality is that the spammer hosts the "Leaving Instagram" page on a domain they control.

It appears that the actors behind these operations are targeting mobile users in particular, as loading the promoted links from a desktop computer led to benign online locations. One redirect led to an old article from the Planetary Society when accessed from a computer and led to the spammer's intended website when a mobile device was used.

"While this might be viewed as an effort to thwart examination by a researcher on a computer, there are ways around it for research purposes. However the real intention behind the redirects is likely to ensure that the “lead” is coming from a mobile device and not a computer, to ensure compliance with the adult dating affiliate program guidelines." - Satnam Narang, Tenable

The effort to hide the true nature of such profiles is useless to the human eye. But even so, there are plenty of "customers" around. One of these shortened links registered a little over 1,000 clicks, almost all of them coming from Instagram users.

As for the location of these users, more than half are from the U.S., while other countries recorded below 50 users.

Social networking websites are the perfect ground for spammers and scammers as they have a large pool of targets. And with Instagram having over one billion users, there is little reason to believe that attempts at running such operations will stop anytime soon.

Despite efforts to automate detection and stop them at a large scale, some actors are likely to find a way to operate undetected; "the only thing constant is change, so we anticipate these tactics will deviate over time, as the cat-and-mouse game continues to be played," Narang says.
