For anyone invested in social media, copyright infringement is a big deal. Users should be able to protect their intellectual property from miscreants and opportunists trying to ride on their coattails, so most platforms give users a way to report infringement. Unfortunately, this useful practice has now joined the long list of legitimate communications that cybercriminals impersonate.
Trustwave researchers have discovered that criminal gangs are impersonating Instagram's copyright reporting emails in phishing campaigns that aim to trick users into handing over their personal information.
How the Insta-phish came about
Instagram makes it easy for account owners to report other users who post their content without permission: they click a link and fill out a form. The reported account is then notified and given the option to appeal.
Cybercriminals have latched onto this useful system as an opportunity to trick Instagram users out of valuable personal information. We've analyzed malicious emails in the wild that mimic a policy violation notice, complete with an 'Appeal Form' button. Clicking the button opens the device's default browser and leads to a phishing website hosting a form that asks for further personal details, supposedly to confirm the user's identity.
The form asks for a username, password (and a two-factor authentication code), location and phone number, and every field behaves as a genuine form would.
We tested the form ourselves, identifying as 'dummyusername' with the password 'dummypassword', located 'everywhere' and with the phone number '987654321'. As each piece of information is entered, it is captured and sent to the criminals, no doubt to the bewilderment of whoever received our dummy data. Once all the information has been harvested, the victim is sent on to Instagram's genuine help page to disguise the fraud.
Why is this method of attack so successful?
This campaign is crafted to deceive victims and evade detection through a combination of tricks. Using two classic techniques from the social engineering playbook, the attackers bank on the authenticity of the Instagram brand and combine it with a sense of urgency.
Instagram users want to act quickly if they believe their content is being stolen or misused, and they are particularly sensitive to false accusations of copyright infringement. The criminals hope these factors will cloud the target's judgment so that they act without stopping to examine the specifics of the situation.
These social engineering techniques are reinforced by technical tricks designed to evade both human scrutiny and automated anti-phishing tools. The email appears to have been sent from 'metahelpcenter.org', a non-existent domain that is currently for sale.
The next layer is a little more subtle. Analyzing the email in a text editor, we found that the URL behind the 'Appeal Form' button passes through a redirect to avoid detection. It first appears as hxxps://l[.]wl[.]co/l?u=, before redirecting to the actual phishing URL, hxxps://helperlivesback[.]ml/5372823.
The wl[.]co domain is operated by WhatsApp, another trusted brand from Instagram's parent company Meta. The link therefore looks legitimate to users who inspect it, and it confuses many URL scanning solutions.
Keeping your data out of the hands of hackers
Scams like this are dangerous because the victim's personal information is then used for further cyber attacks and fraud. Cybercriminals can use it to craft targeted, personalized phishing attacks, and the phone number can be used to get around two-factor authentication (2FA). The information can also be used to commit fraud, such as insurance fraud.
With many organizations investing in their social presence, this method can be used to target businesses as well as individuals.
As the world of cybercrime has become increasingly organized, many threat actors now specialize in harvesting information to sell on the dark web, so stolen information ends up in the hands of many criminal gangs and fraudsters. This campaign also highlights an increasingly popular phishing trick: using a legitimate domain to fool URL checkers before quickly redirecting to the real phishing site. WhatsApp is one of the most popular domains abused for this purpose because of its familiarity and its connection with many social channels. Most standard URL checkers can be fooled because the real phishing URL is embedded in a URL query parameter.
Protection against these methods requires ongoing security awareness training as well as anti-phishing solutions that can identify the more subtle signs of URL redirection. A multi-layered approach to email security that includes policy management and content inspection increases the chance of catching the initial phishing email before it lands in a victim's inbox.
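As an added illustration of the redirect trick described above (example code, not Trustwave's own tooling), the following Python unwraps URLs embedded in a redirector's query parameters offline, so a scanner judges the real destination rather than the trusted WhatsApp domain. The sample links are constructed from the campaign's defanged indicators, and the set of trusted wrapper hosts is an assumption for this example.

```python
from urllib.parse import urlparse, parse_qs, quote

# Hosts of trusted-brand redirectors that phishing links get wrapped in.
# Assumption for this example: only the WhatsApp shortener seen in the campaign.
TRUSTED_WRAPPERS = {"l.wl.co"}

# Constructed sample links modelled on the campaign's (defanged) indicators,
# refanged here so the parser has real URLs to work with.
SAMPLE_URL = "https://l.wl.co/l?u=https%3A%2F%2Fhelperlivesback.ml%2F5372823"
# A doubly wrapped variant, built here to show that unwrapping is recursive.
NESTED_URL = "https://l.wl.co/l?u=" + quote(SAMPLE_URL, safe="")


def unwrap_redirect(url, max_depth=5):
    """Follow URLs embedded in query parameters without any network request.

    Returns the chain from the outer link to the innermost embedded URL, so a
    scanner can judge the true destination instead of the trusted wrapper.
    """
    chain = [url]
    for _ in range(max_depth):
        query = urlparse(chain[-1]).query
        # parse_qs percent-decodes once, so u=https%3A%2F%2F... comes back as a URL.
        embedded = [v for vals in parse_qs(query).values() for v in vals
                    if v.lower().startswith(("http://", "https://"))]
        if not embedded:
            break
        chain.append(embedded[0])
    return chain


def final_host(url):
    """Hostname of the real destination after unwrapping every redirect layer."""
    return urlparse(unwrap_redirect(url)[-1]).hostname or ""


def is_suspicious_wrapper(url, expected_hosts):
    """True when a trusted redirector carries a destination outside expected_hosts."""
    chain = unwrap_redirect(url)
    outer = urlparse(chain[0]).hostname
    return (len(chain) > 1 and outer in TRUSTED_WRAPPERS
            and final_host(url) not in expected_hosts)


if __name__ == "__main__":
    for link in (SAMPLE_URL, NESTED_URL):
        print(" -> ".join(unwrap_redirect(link)))
        print("suspicious:", is_suspicious_wrapper(link, {"help.instagram.com"}))
```

Because the unwrapping is purely string parsing, a mail gateway can apply it to every link in an inbound message and feed the innermost hostname to its reputation checks.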
Image credit: blazerrss / set photo
Senior Security Research Director Karl Sigler, Trustwave SpiderLabs.