Instagram Security Warning About New Phishing Attack
Security researchers at Sophos have warned of a new phishing campaign targeting Instagram users, and this one has a devious twist. The attackers mock up what is intended to look like two-factor authentication (2FA) so that the email seems legitimate. But it is not 2FA. It is a standard attempt to harvest usernames and passwords.
The phishing emails include what looks like a 2FA code, and the user is told to enter it when logging in to prove their identity. The pretext is that an unauthorised login has already taken place. Everything is fake: the login warning, the email and, of course, the 2FA code, which is just a clever touch to lend the message an air of security.
The email link takes victims to a fake Instagram login page, described by Sophos as “much more believable” than many of the standard email phishing attacks uncovered. “We don’t like to admit it,” the research team reports, “but the crooks thought this one through.”
The message and the login page are both “clean,” with only a few punctuation errors hinting at the danger. And, of course, there is a URL that doesn’t fit: “if you click through, you ought to spot the phishing attack from the domain name–it nearly spells ‘login’, but doesn’t quite.”
There’s also an HTTPS padlock, which offers a false sense of security: a valid certificate only proves that the connection is encrypted to whoever controls that domain, not that the domain belongs to Instagram. Users still need to check that the site itself is the right one. “The phishing page itself is a perfectly believable facsimile of the real thing, and comes complete with a valid HTTPS certificate.”
And as for the reassuring padlock? “A site without a padlock isn’t to be trusted—but a site can’t automatically be trusted just because it has a padlock and was advertised with emails that were spelt correctly.”
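The two warning signs above, a near-miss domain name and a padlock that proves nothing about ownership, are both mechanical enough to check automatically. The following is an added example, not code from Sophos or from the article: it pulls every URL out of a constructed sample email, compares each hostname label against the brand and keyword tokens an Instagram phish would imitate using edit distance, and records whether the link used HTTPS without letting that affect the verdict. The allowlist, the `WATCH_TOKENS` thresholds and the lookalike hostname in the sample are assumptions made for illustration, not the domain reported in the campaign.

```python
"""Flag lookalike login URLs in a suspected phishing email.

Added example, not from the Sophos write-up. The allowlist, the token
thresholds and the sample email are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts on which the real Instagram login lives (assumption: a deployment
# would maintain its own allowlist of first-party hosts).
LEGITIMATE_HOSTS = {"instagram.com", "www.instagram.com"}

# Brand and keyword tokens to compare against each label of a hostname,
# with the maximum edit distance that still counts as a near-miss.
WATCH_TOKENS = {"instagram": 2, "login": 1}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample email in the style described above. The second URL's
# hostname is invented here and is not the domain Sophos reported.
SAMPLE_EMAIL = """Someone tried to log in to your Instagram account.
Enter code 248317 on the login page to confirm it was you:
https://www.instagram.com/accounts/login/
https://instagram-security-logln.example/confirm?c=248317
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch swaps such as 'logln' for 'login'
    or 'instagrarn' (r + n) for 'instagram'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE_HOSTS:
        return "legitimate"
    # Split on dots and hyphens: 'instagram-security-logln.example' ->
    # ['instagram', 'security', 'logln', 'example'].
    for label in re.split(r"[.-]", host):
        if len(label) < 4:  # 'www', 'com' and the like are never near-misses
            continue
        for token, max_dist in WATCH_TOKENS.items():
            if levenshtein(label, token) <= max_dist:
                return "lookalike"
    return "unrelated"


def classify_url(url: str) -> dict:
    """Classify one URL. The scheme is recorded but deliberately ignored by
    the verdict: a valid HTTPS certificate on a lookalike host says nothing
    about who runs it."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return {"url": url, "host": host, "https": parsed.scheme == "https",
            "verdict": classify_host(host)}


def scan_email(text: str) -> list:
    """Extract every URL from an email body and classify its host."""
    return [classify_url(m.group(0)) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    for r in scan_email(SAMPLE_EMAIL):
        print(f"{r['verdict']:10} https={str(r['https']):5} {r['host']}")
```

Run against the sample, the real `www.instagram.com` link is reported as legitimate and the `instagram-security-logln.example` link as a lookalike even though both use HTTPS. The edit-distance thresholds are a starting point and will need tuning per brand; the check also does not handle internationalised (punycode) homograph domains, which need a separate confusable-character comparison, and it uses a naive label split rather than the Public Suffix List.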
The advice to Instagram’s 1 billion users is to use common sense. Unexpected emails of this kind should be ignored and deleted. Anyone who genuinely needs to change a password or confirm their identity can do so from the app or by typing the real website address directly, rather than following a link in an email.