So a few days ago my Instagram account was suspended due to suspicious activity, and I found that it had been spewing out (presumably bought) likes to random posts over two weeks, literally thousands of them, and I could see them rolling out live in the "posts you've liked" tab. I also found the same type of activity on my Facebook account, although to a much lesser extent. This is my first (apparent) intrusion in over ten years, so the whole thing really took me by surprise as I'm quite literate when it comes to internet security.
Despite the apps not recording any login activity other than my own, I started with the assumption that my passwords were acquired from a leak, and subsequently changed them along with my recovery emails, and added two-factor authentication to be sure. But to my surprise, the activity continued. I changed my passwords again just to be sure, and then shifted my focus towards looking for malware on my MacBook Pro and iPhone. Neither Intego's VirusBarrier, Kaspersky Internet Security, Malwarebytes nor EtreCheck found anything whatsoever.
However, I did find that I was able to turn the liking activity on Instagram on and off by logging out of it in Opera (which counts as its own "device"), and I can even control it by specifically permitting or blocking the internet access of the Instagram-related subtasks of Opera Helper (i.e. a tab or the sidebar "messenger"). So the malware seems to be specifically using and targeting Opera, or at least Chromium.
I haven't downloaded any suspicious software, extensions, or Flash Player updates, although I can't rule out worms or trojans sneaking in with legitimate extensions or software, or being fooled by some sort of well-performed redirect. I've removed all browsing data (overkill, but why not), and removed the Instagram sidebar "messenger".
Is there any current, previously known malware with this behaviour? And do you have any further suggestions on what to do next, other than, say, going for the nuclear option and reformatting my SSD? I'm really baffled and curious about what this is and how it's achieving this.
MacBook Pro 13-inch 2017
macOS Catalina 10.15.7
Opera version 71.0.3770.198
Default security settings
Installed extensions (all installed at least a year ago):
- LastPass
- Install Chrome Extensions
- Zotero Connector
- Opera Adblocker