Do Not Interact with the Fake Instagram 'Copyright Objection Form' Message
Phishers seem to be on a roll at the moment, and they appear to be especially interested in social media accounts. We already told you about the campaign that hit a number of popular YouTube content creators, locking them out of their channels, and yesterday, Sophos' team discussed another clever phishing attack, this time aimed at Instagram users.
This type of thing isn't really that surprising. In fact, Instagrammers get phished every single day. The reason this particular attack made the news, however, lies with the fact that it's well designed and much more convincing compared to some of the crooks' previous efforts.
The social engineering
As most of you probably know, the most difficult part of pulling off a successful phishing attack is convincing users to give away their login credentials voluntarily. The crooks have used a number of different social engineering techniques to gain people's trust, and it must be said that some have proven more convincing than others. The scenario in the current attack on Instagrammers, for example, is rather believable.
The email is designed to fool the victim into thinking that Instagram has found content on their account that infringes someone else's copyright. The message says that the offending profile will be "suspended", and the only way to stop this is to object to the copyright infringement by following a link in the email. Here's the entire message:
We sorry, we have found content in your account that will violate our copyright laws.
We your account will be suspended within 24 hours.
If you think we've made a mistake, please click the "Copyright Objection Form" button and fill out the form.
We will feedback to you by email 24 hours after completing the form.
As you can see, the message is riddled with grammatical errors, but believe it or not, it's not as bad as the emails we've seen in other campaigns. And while they are unlikely to be mistaken for Harvard professors, the crooks do know how to format an email. The logo is in the right place, the fonts look correct, and the fine print is as hard to read as you'd expect. All this, coupled with the fact that the victims are scared into thinking that they are about to lose access to their accounts, could lead them to overlook the grammatical mistakes and click on the "Copyright Objection Form" button.
The technical execution
Users who do click through will land on a page that once again does a rather good job of imitating Instagram's real interface. To be on the safe side, however, the phishers have taken one more step to ensure that users don't suspect anything. They registered a free domain with a .cf TLD to host the scam, and they created a couple of subdomains, which means that the actual phishing URL looked something like this:
For one thing, "Instagram" is the first word users see, which could put their minds at ease. For another, thanks to the subdomains, people using lower screen resolutions can't see the entire URL, so the real domain at the end of the hostname stays out of view.
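To make the subdomain trick concrete, here is an added example (not code from the article or from Sophos) that does what the hover-and-check advice at the end of this article asks a reader to do: it extracts the registrable domain of a link and flags a brand name that appears only in the subdomain. The public-suffix table and the sample phishing hostname are constructed placeholders, not the campaign's real domain.

```python
"""Why a hostname that *starts* with "instagram" is not an Instagram URL.

Assumption: only the registrable domain (the label just left of the public
suffix) says who owns a host. The suffix table below is a tiny constructed
subset; real tooling should use the full Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed, deliberately incomplete stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "cf", "co.uk"}

# Domains the user actually intends to log in to (assumption for the demo).
TRUSTED_DOMAINS = {"instagram.com"}


def registrable_domain(url: str) -> str:
    """Return the eTLD+1, e.g. 'foo.cf' for 'https://instagram.foo.cf/x'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Longest candidate suffix first; the first hit is the public suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels


def check_link(url: str, brand: str = "instagram") -> dict:
    """Classify a link the way a careful reader hovering over it should."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(url)
    trusted = reg in TRUSTED_DOMAINS
    return {
        "registrable_domain": reg,
        "trusted": trusted,
        # The brand name showing up anywhere in an untrusted host is a decoy.
        "brand_outside_trusted_domain": (not trusted) and brand in host,
        # A padlock proves encryption to *that* host, not who owns it.
        "https": parts.scheme == "https",
    }


if __name__ == "__main__":
    # Constructed sample links; the second is a placeholder modeled on the
    # article's description (free .cf domain, "instagram" as a subdomain).
    for u in ("https://www.instagram.com/accounts/login/",
              "https://instagram.copyright-objection.phish-placeholder.cf/appeal"):
        print(u, check_link(u))
```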
Some of you may have also noticed the fact that the phishing page is delivered through HTTPS. We’ve mentioned in the past that phishing crews that are serious about their business tend to install SSL certificates on their bogus web pages, which goes to show that the people running this particular campaign are not messing about.
Once they land on the phishing page, users are faced with a warning which more or less reiterates what was already said in the email in the same less-than-perfect English, and below it, they have a button which would supposedly allow them to appeal the copyright infringement claim against them. If they click on it, they will be led to a page that asks them for their birthday, their username, and their password. Sophos' experts noted that the phishing page records only the login credentials and discards the dates of birth.
After victims submit their usernames and passwords, they are led to a loading screen which is followed by a page telling them that their copyright objection has been received and that they will be contacted within 24 hours. Finally, they are redirected to Instagram's real login form.
Multiple phishing campaigns running simultaneously
This is not the only phishing attack on Instagram users Sophos' experts have detailed recently. On Monday, they discussed another campaign that was fooling victims with the help of bogus 2FA codes. Some details could even suggest that the two operations are run by the same group. Once again, the free domain hosting the phishing form has a .cf TLD and an SSL certificate, and although the grammatical errors are fewer, the phishing emails and login forms are well-designed and look pretty much identical to the real thing.
It is no exaggeration to say that, compared to the average phishing crew, the people running these two campaigns have a higher level of sophistication. Even the most well-thought-out attack won't affect you if you keep a few basic principles in mind, though. Stay away from the links you receive in your inbox as much as possible, and if you do need to click on one, hover over it with your mouse and double-check the URL you're heading to. Take every warning with a grain of salt, especially if the email sounds particularly urgent, and be sure to learn about every such procedure from the online service provider itself, not from an email that has just landed in your inbox.