Cyberattackers Target Instagram Users With Threats of Copyright Infringement

Published: 23/11/2024   Category: security




A novel campaign is using an emerging URL redirection tactic to try to trick business users and others into clicking on an embedded link and giving up credentials.



Threat actors are targeting Instagram users in a new phishing campaign that uses URL redirection to take over accounts, or steal sensitive information that can be used in future attacks or be sold on the Dark Web.
As a lure, the campaign uses a suggestion that users may be committing copyright infringement — a great concern among social media influencers, businesses, and even the average account holder on Instagram, researchers from Trustwave SpiderLabs revealed in an analysis shared with Dark Reading on Oct. 27.
This type of infringement phishing was also seen earlier this year, in a separate campaign targeting users of Facebook — a brand also under Instagram parent company Meta — with emails suggesting users had violated community standards, the researchers said.
"This theme is not new, and we have seen it from time to time over the last year," Homer Pacag, Trustwave SpiderLabs security researcher, wrote in the post. "It’s the same copyright infringement trickery again, but this time, the attackers gain more personal information from their victims and use evasion techniques to hide phishing URLs."
That evasion comes in the form of URL redirection, an emerging tactic among threat actors who are evolving their phishing techniques to be sneakier and more evasive as internet users get more savvy.
Instead of attaching a malicious file that a user must click on to reach a phishing page — something that many people already know seems suspicious — URL redirection includes in a message an embedded URL that appears legitimate but which ultimately leads to a malicious page that steals credentials instead.
The Instagram campaign that researchers discovered begins with an email to a user notifying him or her that complaints were received about the account infringing upon copyright, and that an appeal to Instagram is necessary if the user doesn't want to lose the account.
Anyone can file a copyright report with Instagram if the account owner discovers that their photos and videos are being used by other Instagram users — something that happens often on the social media platform. Attackers in the campaign are taking advantage of this to try to trick victims into giving away their user credentials and personal information, Pacag wrote.
The phishing emails include a button with a link to an appeals form, informing users they can click the link to fill out the form and later will be contacted by an Instagram representative.
Researchers analyzed the email in a text editor and found that, rather than directing users to the Instagram site to fill out a legitimate report, it employs URL redirection. Specifically, the link uses a URL rewrite or redirector to a site owned by WhatsApp — hxxps://l[.]wl[.]co/l?u= — followed by the true phishing URL — hxxps://helperlivesback[.]ml/5372823 — found in the query part of the URL, Pacag explained.
This is an increasingly common phishing trick, using legitimate domains to redirect to other URLs in this fashion, he wrote.
If a user clicks on the button, it opens his or her default browser and redirects the user to the intended phishing page, going through a few steps ultimately to steal user and password data if the victim follows through, the researchers said.
First, if the victim enters his or her username, the data is sent to the server via the form POST parameters, the researchers said. A user is prompted to click a Continue button, and if this is done, the page displays the typed username, now prefixed with the typical @ symbol used to signify an Instagram username. Then the page asks for a password, which, if entered, also is sent to the attacker-controlled server, the researchers said.
It's at this point in the attack where things deviate slightly from a typical phishing page, which is usually satisfied once a person enters their username and password into the appropriate fields, Pacag said.
The attackers in the Instagram campaign don't stop at this step; instead, they ask the user to type in his or her password once more and then fill in a question field asking in which city the person lives. This data, like the rest, also is sent back to the server via POST, Pacag explained.
The last step prompts the user to fill in his or her telephone number, which presumably attackers can use to get past two-factor authentication (2FA) if it's enabled on an Instagram account, the researchers said. Attackers also can sell this info on the Dark Web, in which case it can be used for future scams that initiate via telephone calls, they noted.
Once all of this personal info is harvested by attackers, the victim is finally redirected to Instagram's actual help page and the beginning of the authentic copyright reporting process used to initiate the scam.
With URL redirection and other more evasive tactics being taken by threat actors in phishing campaigns, it's getting harder to detect — for both email security solutions and users alike — which emails are legitimate and which are the product of malicious intent, the researchers said.
It can be difficult for most URL detection systems to identify this deceptive practice, as the intended phishing URLs are embedded mostly in the URL query parameters, Pacag said.
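The check below is an added example, not code from Trustwave or the original article: it looks inside a link's query parameters for a nested destination URL, the structure the researchers describe, and reports any destination whose host is outside the expected domain. The function names and the `EXPECTED_DOMAINS` allowlist are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: domains a genuine Instagram notice is expected to link to.
EXPECTED_DOMAINS = {"instagram.com"}

def refang(url):
    """Undo report-style defanging (hxxp, [.]) so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def embedded_urls(url, max_decodes=3):
    """Yield (param, inner_url) for each http(s) URL nested in the query."""
    for name, value in parse_qsl(urlsplit(url).query):  # decodes once
        for _ in range(max_decodes):
            if value.lower().startswith(("http://", "https://")):
                yield name, value
                yield from embedded_urls(value, max_decodes)  # chained redirectors
                break
            decoded = unquote(value)  # peel another layer of percent-encoding
            if decoded == value:
                break
            value = decoded

def is_expected(host):
    """True for an expected domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def flag_redirect_links(url):
    """List nested destinations whose host is outside EXPECTED_DOMAINS."""
    outer = urlsplit(url).hostname
    findings = []
    for param, inner in embedded_urls(url):
        host = (urlsplit(inner).hostname or "").lower()
        if not is_expected(host):
            findings.append({"redirector": outer, "param": param,
                             "destination_host": host})
    return findings

# Constructed sample: the redirector prefix and phishing URL quoted in the
# article, joined as described and kept defanged until parse time.
SAMPLE = "hxxps://l[.]wl[.]co/l?u=hxxps://helperlivesback[.]ml/5372823"

if __name__ == "__main__":
    for finding in flag_redirect_links(refang(SAMPLE)):
        print(finding)
```

Matching on the destination host rather than the outer host is what catches this pattern, since the outer host here belongs to a legitimate service.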
Until technology catches up with the constantly changing tactics of phishers, email users themselves — especially in a corporate setting — need to maintain a higher degree of alert when it comes to messages that appear suspicious in any way to avoid being fooled, the researchers said.
Users can do this by checking that URLs included in messages match the legitimate ones of the company or service that claims to be sending them; only clicking on links in emails that come from trusted users with whom they have communicated previously; and checking with IT support before clicking on any embedded or attached link in an email.
