Instagram Impersonators Target Thousands, Slipping by Microsoft's Cybersecurity

Published: 23/11/2024   Category: security




The socially engineered campaign used a legitimate domain to send phishing emails to large swaths of university targets.



Cyberattackers have targeted students at national educational institutions in the US with a sophisticated phishing campaign that impersonated Instagram. The unusual aspect of the gambit is that they used a valid domain in an effort to steal credentials, bypassing both Microsoft 365 and Exchange email protections in the process.
The socially engineered attack, which has targeted nearly 22,000 mailboxes, used the personalized handles of Instagram users in messages informing would-be victims that there was an unusual login on their account, according to a blog post published on Nov. 17 by the Armorblox Research Team.
The login lure is nothing new for phishers. But attackers also sent the messages from a valid email domain, making it much harder for both users and email-scanning technology to flag messages as fraudulent, the researchers said.
Traditional security training advises looking at email domains before responding for any clear signs of fraud, they explained in the post. However, in this case, a quick scan of the domain address would not have alerted the end user to fraudulent activity because of the domain's validity.
As phishing has been around so long, attackers know that most people who use email are on to them and thus familiar with how to spot fraudulent messages. This has forced threat actors to get more creative in their tactics to try to fool users into thinking phishing emails are legitimate.
Moreover, those of university age who use Instagram would likely be among the savviest of internet users, having grown up using the technology — which may be why attackers in this campaign in particular were so careful to appear authentic.
Whatever the reason, the campaign's combination of spoofing, brand impersonation, and a legitimate domain allowed attackers to send messages that successfully passed through not only Office 365 and Exchange protections, but also DKIM, DMARC, and SPF alignment email authentication checks, the researchers said.
Upon further analysis from the Armorblox Research Team, the sender domain received a reputable score of trustworthy and no infections in the past 12 months of the domain's 41 months of existence, they wrote in the post.
Researchers at Armorblox said the attacks started with an email with the subject line "We Noticed an Unusual Login, [user handle]", using a common tactic to instill a sense of urgency in the recipient to get them to read the email and take action.
The body of the email impersonated the Instagram brand and appeared to come from the social media platform's support team, with the sender's name, Instagram profile, and email address — which was the perfectly palatable [email protected] — all appearing legitimate, they said.
The message let the user know that an unrecognized device from a specific location and machine with a specific operating system — in the case of an example shared by Armorblox, Budapest and Windows, respectively — had logged in to their account.
This targeted email attack was socially engineered, containing information specific to the recipient — like his or her Instagram user handle — in order to instill a level of trust that this email was a legitimate email communication from Instagram, the researchers wrote.
Attackers aimed for recipients to click on a link, included at the bottom of the email, asking them to secure their login details; it led to a fake landing page that the threat actors created to harvest user credentials. If someone got that far, the landing page to which the link redirects, like the email, also mimicked a legitimate Instagram page, the researchers said.
The information within this fake landing page provides the victims a level of detail to both corroborate the details within the email and also increase the sense of urgency to take action and click the call-to-action button, "This Wasn't Me", the researchers said.
If users take the bait and click to verify their accounts, they're directed to a second fake landing page that also impersonates Instagram credibly and are prompted to change account credentials on the premise that someone may already have stolen them.
Ironically, of course, it's the actual page itself that will be doing the stealing if the user logs in with new credentials, the researchers said.
As threat actors get more sophisticated in how they craft phishing emails, so, too, must enterprises and their users in terms of detecting them.
Since the Instagram phishing campaign managed to bypass native email protections, researchers suggested that organizations should augment built-in email security with layers that take a materially different approach to threat detection. To help them find a solution, they can use trusted research from firms such as Gartner and others on which options are the best for their particular business.
Employees also should be advised or even trained to watch out for social engineering cues that are becoming more common in phishing campaigns rather than quickly execute the requested actions received in email messages, which our brains have been trained to do, the researchers said.
Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email, they wrote.
Additionally, the researchers said, employing multifactor authentication and password-management best practices across both personal and business accounts can help avoid account compromise if an attacker does get hold of a user's credentials through phishing.
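The two defensive points above, that a message can pass SPF, DKIM and DMARC alignment yet still be a brand impersonation, and that the "eye test" (sender name, sender address, language, logical inconsistencies) is what actually exposes it, can be turned into mail-gateway detection logic. The following is an added example, not code from the article or from Armorblox. It uses only the Python standard library; the two sample messages are constructed for illustration, the sender domains are placeholders rather than real infrastructure, and the brand-to-domain mapping is an assumption a deployment would have to maintain.

```python
"""Detection logic for brand-impersonation phish that passes SPF/DKIM/DMARC.

Added example, not code from the article or from Armorblox. Uses only the
Python standard library. The sample messages below are constructed for
illustration and the sender domains are placeholders, not real infrastructure.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed mapping: brand name -> registered domains the brand actually sends from.
BRAND_DOMAINS = {"instagram": {"instagram.com"}}

# Wording the article describes as the lure; treated only as a secondary signal,
# because a genuine security alert uses the same words.
URGENCY_PHRASES = ("unusual login", "unrecognized device", "secure your login",
                   "verify your account")


def parse_auth_results(header_value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header_value or "", re.IGNORECASE)
        if m:
            results[method] = m.group(1).lower()
    return results


def registered_domain(host):
    """Crude registered-domain reduction (last two labels); enough for .com/.test."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_message(raw):
    """Return the signals a reviewer would weigh before trusting the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    sender_reg = registered_domain(sender_domain)

    # Authentication verdicts: "pass" everywhere is the case the article describes.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    auth_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    haystack = f"{display_name} {msg.get('Subject', '')} {text}".lower()

    # Eye test, part 1: which brand does the mail claim to be, and does the
    # sender's registered domain belong to that brand?
    referenced = [b for b in BRAND_DOMAINS if b in haystack]
    brand_mismatch = any(sender_reg not in BRAND_DOMAINS[b] for b in referenced)

    # Eye test, part 2: links whose host is not one of the claimed brand's domains.
    hosts = re.findall(r"https?://([^/\s]+)", text)
    offbrand_links = [h for h in hosts
                      if referenced and all(registered_domain(h) not in BRAND_DOMAINS[b]
                                            for b in referenced)]

    # Eye test, part 3: urgency language in subject or body.
    urgency = [p for p in URGENCY_PHRASES if p in haystack]

    verdict = "suspicious" if (brand_mismatch or offbrand_links) else "ok"
    return {
        "auth_pass": auth_pass,      # True for both samples: authentication is not reputation
        "sender_domain": sender_domain,
        "brand_mismatch": brand_mismatch,
        "offbrand_links": offbrand_links,
        "urgency_phrases": urgency,
        "verdict": verdict,
    }


# Constructed sample: passes every authentication check, impersonates the brand.
SAMPLE_PHISH = "\n".join([
    "From: Instagram Support <support@example-sender.test>",
    "To: student@university.example",
    "Subject: We Noticed an Unusual Login, @student_handle",
    "Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=example-sender.test;"
    " dkim=pass header.d=example-sender.test; dmarc=pass header.from=example-sender.test",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Hi @student_handle,",
    "We noticed an unrecognized device (Windows, Budapest) logged in to your Instagram account.",
    "If this wasn't you, secure your login details here: https://login.example-sender.test/secure",
    "",
])

# Constructed sample: same authentication result, but sender and links match the brand.
SAMPLE_LEGIT = "\n".join([
    "From: Instagram <no-reply@instagram.com>",
    "To: student@university.example",
    "Subject: Your weekly summary",
    "Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=instagram.com;"
    " dkim=pass header.d=instagram.com; dmarc=pass header.from=instagram.com",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Here is what happened on Instagram this week: https://www.instagram.com/accounts/",
    "",
])

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(sample))
```

Both samples report `auth_pass` as True; only the brand-versus-sender-domain comparison and the link hosts separate them, which is the "materially different approach" the researchers recommend layering on top of native authentication. The registered-domain reduction is deliberately crude; a production gateway would use a public-suffix list and the brand's published sending domains rather than the assumed mapping here.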
