A New Phishing Scam On Instagram Uses 2FA As Bait

Security researchers from Sophos Group reported a phishing scam attempting to trick users of Instagram with fake two-factor authentication messages.

The messages, claiming that someone has tried to access a user’s Instagram account, appear deceptively close to official Instagram messages. “Apart from a few punctuation errors and the missing space before the word ‘Please’, this message is clean, clear and low-key enough not to raise instant alarm bells,” says Sophos Group.

In the past, most phishing scams came in the form of emails warning of problems at financial institutions the targeted person had never done business with, which made the bulk of phishing attacks easy to spot. Average phishing attacks have grown in complexity and scope over time. A few years ago it became common for phishing websites to use SSL/TLS encryption so that the browser's padlock would make them seem legitimate.

These new scams add a fake two-factor authentication code at the end of the message. This is a very interesting touch, as a security code of any form implies a level of legitimacy even though the code does nothing.

After users click the link in the email, they are taken to a website on a .cf domain that is near-identical to the Instagram signup page. “The phishing page itself is a perfectly believable facsimile of the real thing, and comes complete with a valid HTTPS certificate,” say the researchers.

The domain name (not disclosed by the researchers) has a valid SSL/TLS certificate, so the browser shows the padlock on the scam page. This is another factor adding a sense of legitimacy for victims of this scam: the padlock only proves the connection to the phishing site is encrypted, not that the site is Instagram.

“A site without a padlock definitely isn’t to be trusted, in the same way that typos and grammatical errors should turn you away; but a site can’t automatically be trusted just because it has a padlock and was advertised with emails that were spelled correctly,” the researchers note.

Instagram, as the fifth-largest social network in the world (by monthly active users), is a popular target for hackers. In March Instagram users were targeted by a phishing campaign using fake copyright messages.

In that case (much like this phishing scam), users received an email from an official-looking URL that read, “We regret to inform you that your account will be suspending because you have violated the copyright laws. Your account will be deleted within 24 hours. If you think we make a mistake please verify, to secure your account.”

In both phishing attacks, old and new, users were directed to a fake Instagram login page where they were prompted to enter their credentials.

If you’re not well versed in phishing scams, one of the best resources to learn is, of all things, a video from comedian Nathan Fielder. Fielder recruited security expert Carsten Schürmann to demonstrate how the Emmy online voting system could be hacked.

Staying Safe From This Scam

The Sophos researchers advise never to click on a sign-in link received in an email, and to always sign in via the app or webpage. Also, check carefully for unexpected domain names; new top-level domain names and domains with non-Latin characters are common in phishing attacks. Finally, they advise users to be generally skeptical of any notices that their accounts may have been compromised.
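As an added example (not from the article or from Sophos), here is a small Python link-triage function that applies the checks above to a sign-in link before anyone clicks it: HTTPS present, hostname free of non-Latin or IDN (punycode) labels, top-level domain not the .cf used in this scam, and no brand lookalike outside Instagram's real domain. The legitimate-domain set, the suspicious TLD set and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only registrable domain Instagram legitimately signs users in on.
LEGIT_DOMAINS = {"instagram.com"}
# The scam page lived on a .cf domain; extend this set with other TLDs you treat as risky.
SUSPICIOUS_TLDS = {"cf"}
BRAND = "instagram"


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> list[str]:
    """Return the reasons a sign-in link looks unsafe; an empty list means no flags."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    # Padlock is necessary but not sufficient; its absence is still a hard flag.
    if parts.scheme != "https":
        reasons.append("no-https")
    # Non-Latin characters, or punycode labels ("xn--") that encode them.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("non-latin-or-idn")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"suspicious-tld:{tld}")
    # Brand name in the hostname but not on the brand's real registrable domain.
    if BRAND in host and registrable_domain(host) not in LEGIT_DOMAINS:
        reasons.append("brand-lookalike")
    return reasons


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to its flags so a helpdesk or mail filter can act on them."""
    return {url: check_link(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample links, not real phishing indicators.
    samples = [
        "https://www.instagram.com/accounts/login/",
        "https://instagram-security-check.cf/login",
        "http://xn--nstagram-abc.com/",
        "https://\u0456nstagram.com/",  # Cyrillic 'i' homoglyph
    ]
    for link, flags in triage(samples).items():
        print(f"{link}: {'OK' if not flags else ', '.join(flags)}")
```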

As a side note, hacks like this remain one more reason for my personal social revolt.

Header Image: Instagram. Other Image: Sophos
