Weaponizing Instagram against the Iranian #MeToo movement


June 16, 2022

Starting in the middle of April 2022, several Instagram accounts sharing stories of sexual violence in Iran were targeted by armies of bots that flooded the accounts with bogus subscriptions. During the coming four weeks, around one million fake subscribers flooded 25 Instagram accounts connected to the Iranian #MeToo” community movement.

The Instagram accounts became unmanageable and the administrators were forced to change the profiles of the accounts to “private” to avoid more bots to join.

“These attacks have made us quite vulnerable. We have had to make our accounts private. While previously we would be supporting each other as a network of feminists on Instagram by sharing each others’ content and encouraging our followers to join in on conversations and debates on pages of other feminists it now feels like we are isolated and it feels like each of us is working alone.” – says a group of feminists that are administrating a number of the affected Instagram accounts.

The objective of this type of attack is still not clear, and we have not seen it documented before. The attacker likely has the intention to intimidate the account holders and let them know that they are being watched. A potential effect of the attacks could be account blocking, as accounts with large amounts of fake followers can be banned by Instagram.

The group of targeted feminists adds:

“It has affected our network and has damaged our sense of community. In an environment where we as feminists are attacked by various political and social groups, that sense of community was vital to us. Also, we do not know and understand what the consequences of such attacks might be for the future of our work and community, this alone is a cause of uncertainty, fear and anxiety among us.

The attack was clearly targeted – thousands of dollars were invested to instruct armies of bots to follow these accounts. One would expect that the fake bots would be random compromised or fake accounts from all over the world, or perhaps Iranian accounts to better melt in with valid followers. To our surprise, we identified a clear geographical location of the followers who led us right into the world of Social Media Marketing (SMM), where Followers, Likes, Views and Shares are sold to increase the popularity of social media accounts, including Instagram Facebook, YouTube and LinkedIn. The fact that SMM was used as a form of a digital attack to silence Iranian women movement, is most probably not known by the resellers of these dodgy services.


Analyzing the followers

A quick analysis of the Instagram account me_too_movement_iran revealed that 3,000 new followers had been added on a daily basis for several weeks. The steady number of new followers per day was the first indication that an automated service is being used to create the fake subscriptions.

The graph shows a steady (constant) increase of 3,000 followers per week.

Using the Python library instaloader (by Alexander Graf), Qurium wrote a script that slowly extracted the followers of one of the targeted accounts and collected basic information of each of them. We looked specifically into how many accounts each of the bots was following, their number of followers and number of posts published.

The average follower (that had joined since late April 2022) had just published 1-2 posts but followed around 2,000 accounts. The followers would typically have Indian or Pakistani names and there were a large amount of accounts with random names of undetermined origin, such as “hdhdh.sshshsh” or “ggggg”.

Obtaining a list of all fake followers and their data was not a simple task. Instagram (Meta) seems to do their best to block dumping the list of followers and their details, and making the process of blocking malicious followers difficult. After several attempts and several accounts blocked, we managed to obtain metadata from 45,000 bots. Based on this data, we could identify some interesting patterns:

  • Thousands of the bogus accounts could be clustered by their “Biography” metadata.
  • The attackers automated the creation of the Bio information of the accounts using famous quotes in English.
  • More than 95% of the accounts had little or no activity (three or less Posts).
  • Despite that the accounts use Indian/Pakistani names, their “Bios” were always quotes in English.
  • Many accounts contained only consonants and numbers.
A typical bot with Indian/Pakistani image, bio in English, few postings (1) and following many accounts.
Clustering “bots” based on their Bio metadata.

Social Media Marketing (SMM)

A social media marketing (SMM) panel is a platform (a website) used to trade “social media services” with suppliers and also the place where the final clients can obtain cheap followers, likes, views and shares. The panels list the services provided with corresponding prices and support a number of payment methods including crypto-currency. As in a peer to peer network, control panels of different resellers are interconnected and orders of services are forwarded between them until the order reaches the top level “provider”. In this way, SMM Resellers act as a proxy network of fraudulent services hiding the owners of the farms of fake accounts.

SMM Panels are run by resellers that obtain access to the services by connecting their panels to other upstream providers by means of application APIs. Once the reseller connects to an upstream provider, it applies a profit margin to the services it is brokering for.

Admin of a SMM Control Panel where profit margin is set

Reseller 1: Promoting Guru

After screening close to 50,000 accounts, it became clear that an Indian-Pakistani Instagram Follower Package was ordered to flood the Iranian #MeToo related accounts.

50K Bots extracted from one of the affected accounts

One of the SMM panels that caught our attention was “promotingguru“, a self-proclaimed “Guru Expert in Promotion Of your Instagram Profiles and posts“. The domain name promotingguru[.]com recently expired but the same actor is currently using the domain smmpakpromo[.]com to promote his business. The reason why Promoting Guru caught our attention, was that its Instagram was included in each batch of Instagram bots.

“Promoting Guru” runs the Social Media Marketing (SMM) panel “SMM Pak Promo”, a reseller control panel to sell different types of fraudulent subscriptions, followers, likes, etc. to social media platforms such as Instagram, TikTok, Facebook and others.

Archived version of promotingguru.com

We decided to look into this service that offered 10,000 followers for 50 USD or up to 1 million fake followers for 1,500 USD. SMM Pak Promo offers a dashboard to purchase all type of fake followers, product reviews, likes, etc. and payments are accepted via Paypal or cryptocurrency.

Categories of services offered via SMM Panels.
Example of “Order” of Instagram Followers via SMM Reseller Panel

Who runs “Promoting Guru”?

Social media suggests that “Promoting Guru” and his partners are based in Pakistan. Members of the group are based in the Multan area (Punjab) with references to Kot Addu and Sanawan.

Members of Promoting Guru include Muhammad Asif Shahzadan, Muhammad Abdullah and Muhammad Naeem.

One of the Facebook Pages of the “Promoting Guru” team

More details of their activities can be found in the following links:

Instagram
hxxps://www.instagram.com/profollowers_booster/
hxxps://www.instagram.com/asifshahzad26

Facebook
hxxps://www.facebook.com/Get-unlimited-page-likes-184499050325989/
hxxps://www.facebook.com/groups/485896345897021/user/100057513633057/\https:hxxps:
hxxps://www.facebook.com/Marketingexpert111/
hxxps://www.facebook.com/kathryn.copeland.33046
hxxps://www.facebook.com/profile.php?id=100076527811853
hxxps://www.facebook.com/profile.php?id=100057513633057
hxxps://www.facebook.com/insta.followers.account.seller/
hxxps://www.facebook.com/Promotinggurucom-234232475214747
hxxps://www.facebook.com/Asoo-cloth-makeup-112396064417003
hxxps://www.facebook.com/paidpromotionss (Likely partner)
hxxps://www.facebook.com/smmpak (Muhammad Naeem)
https://www.facebook.com/profile.php?id=100074496794307
hxxps://www.facebook.com/Follower-and-Like-seller-109198531512523/ (Muhammed Addullah)
hxxps://www.linkedin.com/in/mrkaptan/
hxxps://www.facebook.com/profile.php?id=100076709093740 (Kevin Naranjo)
hxxps://www.facebook.com/groups/1961131477380472/user/100080316791615/ (Isabella Salinas)
hxxps://www.facebook.com/groups/1002320113518563/user/100075436415370/
hxxps://www.facebook.com/pagelikesinstafollowers

Twitter
hxxps://twitter.com/AsooSelFollower
hxxps://twitter.com/sellfollower2 (December 2020)

YouTube
hxxps://www.youtube.com/watch?v=P1Wv4maCAZM
hxxps://www.youtube.com/channel/UCCIoTd5hms7Bvv7xui75KLQ

Contact Details of Promotion Guru


Muhammad Abdullah

  • Phone: +92 307 6895958, +92 344 7685703

Muhammad Asif Shahzadand

  • Phone: +92 346 6043195
  • Email: masif4772[@]gmail.com
  • Account: Promotion Guru

Muhammad Naeem

  • Phone: +92 345 7313005
  • Email: m.naeem3005@gmail.com, marketguru00786@gmail.com
  • Account: Skip Tracer

Name

  • Phone: +91 764 4881466
  • Email: rkmishr7[@]gmail.com
  • Website: rishavspeaks[.]xyz
  • Account: Paid Promotion

Reseller 2: Dua Communication

When looking into all the SMM Resellers connected to “smmpakpromo[.]com” and “smmdesigner.com” and the online code of several SMM panels, we discovered that “Dua Communication“, a company run by Ammar Syed, claimed to be the author of the SMM Panel.

Ammar Syed Hussein run Dua Communication since 2012 and recently combined his web design and hosting business with the provision of Social Media Services.

Ammar Syed Hussein

  • Mail: desichatters[@]gmail.com
  • Location: Dera Ghazi Khan (Punjab)
  • Phone: 03216782205
SMS Designer powered by “Dua Communication”

Conclusion

The analysis of the fake followers of two dozen accounts connected to the Iranian #MeToo movement revealed the involvement of pay-for-followers social media service. During this investigation Qurium identified a very active group of Social Media Marketing (SMM) resellers in Punjab (Pakistan) that operate dozens of websites that provide fake Instagram followers.

Two of these resellers, Promoting Guru and Dua Communications could be directly linked to the attack against the Iranian #MeToo movements. Both groups openly advertise their services inside Facebook.

On June 13, Qurium approached the members of Promoting Guru (smmpakpromo) and Dua Communication (smmdesigner/bestsmm[.]pk) asking about the undesired bots in the Iranian Instagram accounts and their connection to this “fake followers flood campaign”. At the time of writing, none of them has responded to our e-mails.

One might wonder why Pakistani Telegram bots were used to attack Iranian #MeToo movements. The simple answer to that question is most probably the price tag. Buying thousands of fake Pakistani accounts is simply less expensive than buying accounts with Iranian looking identities. The Pakistani market for SMM is simply huge with lots of resellers competing for clients willing to pay for boosting their social media accounts.

Promotion of fake followers inside Facebook

Additional resources

Active SMM Portal of Promoting Guru
Advertisement of SMM Services inside Facebook


Muhammad Asif advertised openly the SMM services inside Facebook
Another SMM Reseller “Paid Promotion” endorsed by M. Asif

SMM Designer Reseller

SMM Pak Promo reusing SMS Designer Template

smmpakpromo[.]com / promotinguru acts a reseller of SMM Services provided by SMM Designer. Other domains hosted in the same server include:

chandsmm[.]com.
cpcontacts[.]pksmm.com.
fashionsmm[.]com.
goviralsmmpanel[.]com.
mail[.]bestytsmm.com.
mail[.]decentsmm.com.
mail[.]smmguro.com.
mhsmm[.]com.
miansmm[.]com.
pakistanno1smmpanel[.]com.
pkbestsmm[.]com.
powersmmpanel[.]com.
smmdigitalstore[.]com.
smmexpertpanel[.]com.
smmfiverr[.]com.
smmgolden[.]com.
smmpakpanel[.]xyz.
smmpakpromo[.]com.
smmstore[.]pk.
storesmmpanel[.]com.
toptrendsmm[.]com.