Instagram users are being targeted by a new phishing campaign that uses fake copyright infringement alerts to obtain credentials.
According to anti-phishing startup Valimail, the emails distributed as part of this campaign use fake account suspension messages supposedly triggered by a copyright notice, asking users to fill out a ‘Copyright Objection Form’ within 24 hours.
Commenting on the emails, Sophos security writer Paul Ducklin said: “No one wants to get locked out of their social media account, even temporarily, over an unresolved argument about an image.
“As a result, the temptation to click the link on the email is high – especially if you know that the ‘dispute’ is bogus or easily resolved, perhaps because you think you can quickly prove that you took the photos yourself.”
Instagram spear phishing campaign highlights attack sophistication
These spear phishing attacks make use of free domains to create believable subdomains with HTTPS certificates, making it harder for Instagram users to identify the fraudulent nature of the emails, particularly on mobile devices.
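The point above is that a valid HTTPS certificate and a familiar brand name somewhere in the hostname say nothing about who controls the site: what matters is the registrable domain at the right-hand end of the host. The following Python is an added illustration written for this article, not code from Valimail or Sophos; the sample links and the `.example` domains are constructed, and it assumes a simple two-label registrable domain (a production check would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed sample links for illustration only; none are real campaign URLs.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",
    "https://instagram.com.copyright-form.example/objection",
    "https://help-instagram.example/form",
]

# Domains the brand actually controls (assumed set for this example).
BRAND_DOMAINS = {"instagram.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption: a two-label registrable domain (e.g. example.com). Real
    deployments should use the Public Suffix List, because hosts under
    suffixes such as co.uk need three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> dict:
    """Describe why a link does or does not belong to the brand.

    'https' is recorded but deliberately not used in the verdict: anyone
    can obtain a certificate for a domain they control.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    brand_word_in_host = any(b.split(".")[0] in host for b in BRAND_DOMAINS)
    return {
        "url": url,
        "https": parts.scheme == "https",
        "registrable_domain": reg,
        "brand_domain": reg in BRAND_DOMAINS,
        # A brand name in the host but a foreign registrable domain is the
        # pattern described above: a believable subdomain on someone else's site.
        "lookalike": brand_word_in_host and reg not in BRAND_DOMAINS,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify_link(link))
```

Only the first sample resolves to the brand's own registrable domain; the other two carry "instagram" in the host yet belong to an unrelated domain, which is exactly what a user reading a truncated address bar on a phone is likely to miss.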
“The latest phishing campaign targeting Instagram users shows how advanced impersonation techniques (used in over 80% of all spear phishing messages) can be, and how difficult it is to distinguish them from legitimate emails,” said Peter Goldstein, CTO and co-founder of Valimail.
“By leveraging highly sophisticated social engineering techniques, hackers are attempting to steal user information by directing victims to an identical-looking Instagram page and asking them to complete a copyright infringement form to avoid account deactivation.
“Once login credentials are gathered, the threat actors could take over Instagram accounts for spam, misinformation and propaganda, or to demand a hefty price for the return of the accounts to their rightful owners.”
Social media targeted in phishing attacks
This Instagram phishing campaign follows a number of high-profile YouTube accounts being hacked over the weekend in a “co-ordinated” phishing attack, using fake Google login pages to obtain credentials from users.
“As phishing emails increasingly become harder and harder to detect, it’s important to prevent these malicious emails from ever entering inboxes in the first place,” said Goldstein.
“Most email defenses will focus on the content of the messages and the links they contain, but by focusing on authenticating the identity of the sender, more than 83 percent of malicious emails can be stopped in their tracks.”
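Goldstein's remark about authenticating the sender's identity rather than inspecting content is, in practice, what a DMARC-style check does at the receiving mail server: the SPF or DKIM result must pass and its domain must align with the visible From domain. The following Python is an added example written for this article, not Valimail's product or code; the two messages and their `Authentication-Results` headers are constructed, `.example` domains stand in for real ones, and alignment is simplified to comparing the last two labels of each domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real headers from the campaign).
# In the first, SPF and DKIM pass for a subdomain of the From domain.
LEGIT = """From: Brand Support <no-reply@mail.brand.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail.brand.example; dkim=pass header.d=mail.brand.example
Subject: Account notice

body
"""

# In the second, SPF and DKIM pass, but for an unrelated sending domain,
# so the visible From address is not actually authenticated.
SPOOF = """From: Brand Support <security@brand.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=bounce@bulk.sender.example; dkim=pass header.d=sender.example
Subject: Copyright Objection Form

body
"""


def org_domain(domain: str) -> str:
    # Relaxed alignment: compare the last two labels. Assumes two-label
    # registrable domains; use the Public Suffix List in production.
    return ".".join(domain.lower().strip().split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract SPF and DKIM verdicts plus the domain each was evaluated for."""
    results = {}
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", header)
    if spf:
        results["spf"] = (spf.group(1).lower(), spf.group(2))
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", header)
    if dkim:
        results["dkim"] = (dkim.group(1).lower(), dkim.group(2))
    return results


def sender_authenticated(raw_message: str) -> bool:
    """True if SPF or DKIM passed AND its domain aligns with the From domain."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if not from_domain:
        return False
    for verdict, domain in parse_auth_results(
        msg.get("Authentication-Results", "")
    ).values():
        if verdict == "pass" and org_domain(domain) == org_domain(from_domain):
            return True
    return False


if __name__ == "__main__":
    print("legit:", sender_authenticated(LEGIT))
    print("spoof:", sender_authenticated(SPOOF))
```

The spoofed message passes both SPF and DKIM, which is why a filter that only asks "did authentication pass?" would let it through; the alignment step is what ties the passing result back to the domain the recipient actually sees.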