Security researchers have identified a new phishing scam that tricks Instagram users into handing over their account credentials. The scam relies on simple social engineering: a fake failed-login alert paired with what looks like a two-factor authentication (2FA) code.
How does it work?
According to Paul Ducklin from Sophos, the scammers send phishing emails disguised as Instagram login alerts, stating that someone has attempted to log in to the target's account. The recipient is then asked to confirm their identity by clicking a link in the message.
To make the message look less suspicious, it includes a fake 2FA code which the victim is supposed to enter when logging in on the fake Instagram page. A genuine 2FA code is only generated after a login has been started, so a code that arrives in the same email as the link is itself a tell.
What are the red flags?
The browser does not raise an alarm when the phishing page is opened: the site is served over HTTPS with a valid certificate and shows the padlock. That padlock only means the connection is encrypted and the certificate matches the domain in the address bar; it says nothing about whether that domain belongs to Instagram.
The giveaway is in the domain name. The phishers registered their fake Instagram page under the .CF ccTLD, the country-code domain for the Central African Republic, rather than under instagram.com.
“If you click through, you ought to spot the phishiness from the domain name alone – we’ve redacted the exact text here, but it’s a .CF (Centrafrique) domain that nearly spells 'login', but doesn’t quite,” said Ducklin.
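The red flags described above can be checked mechanically before anyone clicks. The following Python script is an added example, not code from Sophos or from this article: it pulls every URL out of a message body and scores the host against the tells the article gives, namely that the registrable domain is not instagram.com, that the TLD is an abused free ccTLD such as .cf, and that a host label nearly spells "login" or "instagram" but not quite. The sample email, the lookalike hostname and the abused-TLD entries other than .cf are constructed for illustration. The HTTPS scheme is recorded but never counts in a link's favour, which is the padlock point made above.

```python
"""Flag lookalike and off-brand login links in a message body.

Added example (not the Sophos write-up's or the article's own code). Scores
each URL's host for: registrable domain is not the brand's, TLD is an abused
free ccTLD, and a host label that nearly (or exactly) spells a brand word.
"""
import re
from urllib.parse import urlparse

# The only domain treated as genuine for this brand (assumption for the example).
LEGIT_DOMAINS = {"instagram.com"}
# Words phishers imitate; an edit distance of 1-2 from one of these is suspicious.
BRAND_WORDS = ("instagram", "login")
# Free ccTLDs heavily abused for phishing. ".cf" is the one from the article;
# the others are an assumption added for illustration.
ABUSED_TLDS = {"cf", "tk", "ml", "ga", "gq"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: last two labels. Fine for .com/.cf; a real
    tool would consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url):
    """Return the host, whether HTTPS was used, and a list of red-flag strings.
    HTTPS is reported for information only; it never removes a flag."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    flags = []
    if domain not in LEGIT_DOMAINS:
        flags.append("domain_not_brand")
        if tld in ABUSED_TLDS:
            flags.append("abused_tld:" + tld)
        # Split on dots and hyphens so "l0gin-instagram-verify" yields its tokens.
        for token in filter(None, re.split(r"[-.]", host)):
            for word in BRAND_WORDS:
                d = levenshtein(token, word)
                if d == 0:
                    flags.append(f"brand_word_in_token:{token}")
                elif d <= 2:
                    flags.append(f"lookalike:{token}~{word}")
    return {"url": url, "host": host, "https": parts.scheme == "https", "flags": flags}


def scan_message(text):
    """Assess every URL found in a message body, in order of appearance."""
    return [assess_url(u) for u in URL_RE.findall(text)]


# Constructed sample body modelled on the alert the article describes;
# the hostname is invented and is not the campaign's real domain.
SAMPLE_EMAIL = """Someone tried to log in to your Instagram account.
Use this code to confirm your identity: 284 917
Confirm it's you: https://l0gin-instagram-verify.cf/auth
Or visit https://www.instagram.com/accounts/login/ to review activity.
"""

if __name__ == "__main__":
    for r in scan_message(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if r["flags"] else "ok"
        print(f"{verdict:10} {r['host']:28} https={r['https']}  {r['flags']}")
```

Run as a script it prints one line per link; the .cf link is flagged three ways despite being served over HTTPS, while the genuine instagram.com link carries no flags.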
Using Instagram as a lure to steal login credentials is not new. In April, for instance, two separate series of Instagram phishing attacks, dubbed 'The Nasty List' and 'The HotList', made headlines; the scammers behind those campaigns targeted users in order to hijack their Instagram accounts.