First discovered by security researchers at Armorblox, this campaign begins with an email that has the subject line: “We Noticed An Unusual Login, [user handle]. Like other phishing attacks, it tries to instill a sense of urgency in potential victims that may be worried that someone else logged into their Instagram account. While the email appears to come from Instagram’s support team at first glance, you can tell it’s a fake due to the email address being incorrect. These phishing emails come from ‘contact@instagramsupport.net’ but the company actually uses the email “support@instagram.com” to reach out to users if there is a problem with their account. However, many users might fall for this scam since the fake emails used in this campaign contain their actual Instagram user handle to instill a sense of trust.
Fake Instagram landing page
If an unsuspecting user clicks on the “secure your account here” link within one of these phishing emails, they are then taken to a fake landing page designed to steal their Instagram password. The fake landing page includes both Instagram branding and details about the unusual login attempt to make it appear more convincing. Below a map showing where the login took place, there are two buttons: “This Wasn’t Me” and “This Was Me”. Instagram users that have gotten this far will likely click on “This Wasn’t Me” as they think it’s the right thing to do to protect their account. However, this takes them to another page that appears like a password reset portal where they need to enter their old password along with a new one. What makes these phishing emails particularly worrying is how they were able to bypass Microsoft Exchange’s security protections and its Secure Email Gateway. These fake emails also passed both SPF and DMARC email authentication checks which shows the cybercriminals responsible put a good deal of work into making this phishing campaign appear legitimate.
How to stay safe from phishing emails
In order to stay safe from this phishing campaign and others like it, you should always carefully scrutinize any email that lands in your inbox before clicking on any of the links contained within it. You should look for spelling, grammar and capitalization errors and use a search engine to check to make sure the email address matches a company’s official support email. At the same time, you can actually check Instagram and other social media platforms to see your recent login activity as opposed to taking any urgent emails in your inbox at face value. This support document (opens in new tab) explains that you can view your recent login activity from within the Instagram app on iOS and Android. If you don’t see the unusual login attempt detailed in the email in Instagram, then you know the email is actually fake. In a blog post (opens in new tab) detailing its findings, Armorblox recommends that you enable multi-factor authentication (MFA) for your Instagram and other social media accounts. This way, a hacker will need both your password and your smartphone to login into your account. Armorblox also highlights the dangers of reusing passwords across multiple accounts because if hackers gain access to one of them, they can take over your other accounts. With Black Friday just around the corner, expect to see even more phishing emails in your inbox. However, if you carefully look these fake emails over and don’t let your emotions get the best of you, you won’t have your credentials stolen.