
javajolt
Instagram Phishing Emails Use Fake Login Warning Baits
« on: August 24, 2019, 01:46:28 PM »
Instagram users are currently targeted by a new phishing campaign that uses login attempt warnings coupled with what looks like two-factor authentication (2FA) codes to make the scam more believable.

Crooks use phishing to trick potential victims into handing over sensitive information via fraudulent websites they control with the help of a wide range of social engineering techniques, as well as messages designed to look like they're sent by someone they know or a legitimate organization.

In this case, the phishing e-mails distributed by the attackers behind this campaign use fake Instagram login alerts stating that someone attempted to log in to the target's account, asking them to confirm their identity via a sign-in page linked within the message.

Authentication codes used to add legitimacy

These messages are designed to look as close as possible to official messages from Instagram, so that no suspicion is raised before the target is redirected to the attackers' phishing landing page.

"Apart from a few punctuation errors and the missing space before the word ‘Please’, this message is clean, clear and low-key enough not to raise instant alarm bells," details Sophos' Paul Ducklin, who analyzed the campaign.

To further strengthen the illusion that these are official Instagram alerts, the crooks also include a code presented as a second-factor authentication code for confirming the recipient's identity.

"The use of what looks like a 2FA code is a neat touch: the implication is that you aren’t going to need to use a password, but instead simply to confirm that the email reached you," Ducklin adds.


Instagram phishing email sample

Once on the phishers' landing page, the targets see a perfectly cloned Instagram login page served over HTTPS with a valid certificate, so the browser displays a green padlock that dispels any doubt that it is the real deal.

However, there is one small twist: instead of the instagram.com domain in the web browser's address bar, the phishers use a .CF domain (the country code top-level domain for the Central African Republic).

This shows that a green padlock only means the connection is encrypted; it says nothing about who is at the other end, so checking that the domain is one the website or service legitimately uses is a must.

"If we had to guess, we’d suggest that the crooks didn't get quite as believable a name as they wanted because they went for a free domain name," explains Ducklin.

To avoid falling for an Instagram phishing scam like this one, you should never enter your sign-in credentials if the page asking you to log in does not belong to the instagram.com web site.
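The domain check described above can be automated, for example by a mail filter or a security awareness tool. The following Python snippet is an added example and is not part of the original post or of any Instagram or Sophos tooling: it extracts every link from a message body, normalizes the hostname with the standard library URL parser, and accepts a link only if its host is instagram.com or a subdomain of it. The sample e-mail, the .cf hostnames and the allowlist are constructed for illustration; lookalike hosts such as `instagram.com.<something>.cf`, hosts with a trailing dot, and `user@host` tricks in the URL are all handled.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains the genuine service uses. Assumption for this example: only
# instagram.com is named in the article, so it is the only entry.
LEGIT_DOMAINS = {"instagram.com"}

# Crude but adequate link extractor for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message imitating the style of the phishing mail
# described in the article (not a real sample).
SAMPLE_EMAIL = """\
Someone tried to log in to your Instagram account. Use the code 123 456 to confirm.
Sign in: https://www.instagram.com/accounts/login/
Or verify here: https://instagram.com.login-verify.cf/confirm?code=123456
Help centre: https://help.instagram.com./
Account: https://instagram.com@account-check.cf/
"""


def registered_host(url: str) -> Optional[str]:
    """Return the normalised hostname of a URL, or None if it has none.

    urlparse().hostname drops the scheme, any user@ prefix, the port and
    the path, and lowercases the result; the trailing dot of a fully
    qualified name is stripped so it cannot be used to dodge the check.
    """
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.lower().rstrip(".")


def is_legit_host(host: str, legit=LEGIT_DOMAINS) -> bool:
    """True only if host equals a legitimate domain or is a subdomain of it.

    A suffix match on '.instagram.com' is what makes the difference:
    'instagram.com.login-verify.cf' merely *starts* with the brand name
    and is rejected, while 'help.instagram.com' is accepted.
    """
    return any(host == d or host.endswith("." + d) for d in legit)


def classify_links(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Extract every http(s) link in a message and label its host."""
    results = []
    for url in URL_RE.findall(text):
        host = registered_host(url)
        if host is None:
            verdict = "unparseable"
        elif is_legit_host(host):
            verdict = "legit"
        else:
            verdict = "suspicious"
        results.append((url, host, verdict))
    return results


if __name__ == "__main__":
    for url, host, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {host!s:35s} {url}")
```

Only the genuine instagram.com links come back as "legit"; the two .cf links are flagged "suspicious" even though one of them begins with the brand name and the other hides the real host behind an `instagram.com@` prefix. A production filter would additionally resolve the link through any URL shortener and compare against a maintained list of the brand's domains rather than a single hard-coded entry.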


Phishing page vs Instagram login page

What to do after being phished or hacked

This is neither the first nor the last phishing campaign targeting Instagram users, and some users are bound to fall for the scam as the crooks keep coming back with new attacks.

In April, for instance, two separate series of Instagram phishing attacks dubbed 'The Nasty List' and 'The HotList' were sweeping through the social network, going after users' login credentials and spreading through previously hacked accounts that sent messages to their followers.

If your Instagram credentials were stolen in such an attack, or your account was hacked but you still have access to it, you should first check that your correct email address and phone number are still associated with the account.

To do this, go to your profile and select Edit Profile, then scroll to the bottom to view the email address and phone number. If they have been swapped for attacker-controlled ones, re-enter your correct details. After this, change the account's password by following these instructions provided by Instagram.

The password change automatically logs out every device currently signed in to your account, so you can log back in and regain control of it.

Below are Instagram's instructions on what to do if you're still able to log into your account:

Quote
   • Change your password or send yourself a password reset email

   • Revoke access to any suspicious third-party apps

   • Turn on two-factor authentication for additional security

If, however, you lost access to your account after it was hacked, you can use these instructions to report the incident to Instagram.

Instagram will reinstate it after verifying your identity via a photo or "the email address or phone number you signed up with and the type of device you used at the time of sign up."

source