Malicious social media posts said to have been viewed more than 200,000 times

Cybercriminals have manipulated footage from Russian news broadcasters as part of a phishing campaign, conducted via Instagram, that purports to offer Russian citizens a one-off government payment.

In a bid to dupe victims into paying a registration fee to secure their lump sum, fraudsters have spliced together various news segments to create a narrative around a fictional presidential decree offering Russians funding to start a business.

In a post on its website, Moscow-based antivirus outfit Doctor Web said the videos depict Russian citizens benefiting from the so-called ‘social contracts program’ as well as demonstrating how to enter payment details into phishing websites.

The fraudsters have further burnished the scam’s credibility with fake photos and user comments from citizens who have supposedly received their government payout.

Targeted ads

Doctor Web said the fraudulent posts are being distributed through targeted advertising via Instagram accounts purporting to be operated by three state-run TV networks: Channel One Russia, Russia-1, and Russia-24.

They said the two phishing websites collecting payments – https://news-post.*****.net and https://minekonovrazv.*****.net – have valid digital signatures and are designed to appear as though they were operated by the Russian Ministry of Economic Development.

Once victims have entered their name and date of birth, the sum to which they are supposedly entitled is generated.

Fraudsters have spliced together news segments in a bid to
dupe Russian Instagram users into paying a fake registration fee

In reality, this is a random amount usually exceeding ₽100,000 ($1,580). At this point they must pay a fee – also variable up to ₽300 ($4.70) – to complete the fake registration.

The checkout page contains fields for entering a phone number, name, and bank card information, including CVC code.


Doctor Web reports that the malicious posts have been viewed more than 200,000 times.

The antivirus vendor’s latest research comes as social engineering attacks can harness increasingly sophisticated technologies for manipulating audio and video, including ‘deepfakes’ that can successfully impersonate a person’s voice or likeness.

The Daily Swig has contacted Doctor Web and Instagram to ascertain whether there are plans to remove the offending content.

INSIGHT A guide to spear-phishing – how to protect against targeted attacks