Instagram scam tricks 100,000 users

Insert your username and password, get free followers and likes. This is what tens of thousands of Instagram users thought was happening.

More than 100,000 Instagram users fell for a bold, effective scam called InstLike, an app that promised free likes and followers on the photo sharing platform. The app asked users to share their usernames and passwords after downloading, turning them into willing participants of a giant social botnet.

After users signed up for the free app, InstLike would begin liking random photos and following random

users. It also asked users to buy virtual coins to accrue more likes and followers, according to a new research by security firm Symantec, shared exclusively with Mashable.

“We don’t steal your account,” the app developers promised in the login screen. But InstLike did just that. Symantec estimates that at least 100,000 users fell for the scam. The app was able to add Likes and followers using those real accounts to feed the scam ecosystem. The more people took the bait, the more followers and Likes it delivered.

In the Google Play store, InstLike had between 100,000 and 500,000 downloads before it was pulled, with more than 100,000 ratings across app stores, per Symantec. These numbers led the firm to estimate that at least 100,000 users gave their passwords to InstLike, a figure Symantec considers “conservative.”

“People didn’t realize that they were being duped into giving their login credentials to this app,” Satnam Narang, the security researcher at Symantec who found out about InstLike, said in an interview with Mashable.

Instagram sent Mashable the following statement: “Posting automated content to Instagram clearly violates our Terms of Use. We have a team dedicated to stopping abuse on the service and enforcing our policies, including removing content that violates our terms.”

Although the apps have since been removed from Google Play and the App Store, the app’s site,InstLike.com, is still operational. If you downloaded the app and gave out your credentials, Symantec suggests changing your password immediately, then deleting the app from your phone. Otherwise, InstLike will continue to post from your account.