Instagram's branding has been used by threat actors to target a high-profile insurance firm based in New York, compromising around 300 employee email accounts in a social engineering attack, says a report by communication security company Armorblox.
The phishing emails impersonated Instagram with convincing copies of its branding and logos, telling recipients that their account would be deleted within 24 hours for "copyright infringement". The deadline was there to create a sense of urgency and push victims into clicking a malicious link.
“The email attack had a social engineered payload, spoofing the design of a legitimate email requesting verification of an Instagram membership,” said Armorblox. “The subject line simplistically read ‘Instagram Support’ and the sender address was manipulated to read the same, at first glance.
“Upon clicking the link, the user was taken to a spoofed Instagram branded ‘account verify’ landing page. The fake page had the Instagram logo and a ‘verify’ button, which when clicked took the end user to an ‘account verification form’. The user was then asked to enter username credentials.”
At this stage the form also carried the Meta logo to further build trust; any credentials entered into it were harvested by the attackers.
“The email was sent from a legitimate Outlook domain and the attacker used multiple techniques in order to bypass Google email security,” added Armorblox.
The disguise had one flaw. On closer inspection, the bogus email domain, spoofed to read "Instagram Support", was spelled with an uppercase L rather than an uppercase I.
The attackers compensated for this by using a long email address. Many mobile mail clients truncate long sender addresses, so most phone users saw only the characters before the @ sign, in this case "membershipform", and the misspelt domain never came into view.
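The two tricks described above, a confusable letter in the brand name and a long address that hides the domain on narrow screens, can both be caught mechanically. The following Python filter is an added illustration, not code from Armorblox, Cybernews or any mail product: it folds confusable characters to a canonical "skeleton" (so "Lnstagram", "lnstagram" and "1nstagram" all collapse to "instagram"), flags a sender that claims a brand without using that brand's allowlisted domain, and separately flags addresses long enough to push the domain off-screen. The confusable table, the brand allowlist, the 30-character display width and the sample From: headers are all assumptions constructed for the example.

```python
import re
from email.utils import parseaddr

# Illustrative subset of confusable characters (assumption): each is folded to
# the Latin letter it is commonly mistaken for. A production filter would use
# the full Unicode confusables list.
CONFUSABLES = str.maketrans({
    "l": "i", "1": "i", "|": "i", "!": "i",          # l, 1, | look like capital I
    "0": "o", "\u043e": "o",                         # zero, Cyrillic o
    "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",  # Cyrillic a e p c
    "3": "e", "5": "s", "$": "s",
})

# Hypothetical brand allowlist (assumption): brand name -> domains it really sends from.
BRANDS = {
    "instagram": {"instagram.com", "mail.instagram.com"},
    "meta": {"meta.com"},
}

# Assumed number of address characters a narrow mobile client shows before truncating.
NARROW_CLIENT_WIDTH = 30


def skeleton(text: str) -> str:
    """Lower-case, fold confusables, collapse 'rn' (renders like 'm') and drop
    separators, so 'Lnstagram Support' and 'Instagram Support' compare equal."""
    folded = text.lower().translate(CONFUSABLES).replace("rn", "m")
    return re.sub(r"[^a-z]", "", folded)


def check_sender(from_header: str) -> list[str]:
    """Return a list of findings for one From: header; empty means nothing suspicious."""
    display, address = parseaddr(from_header)
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    findings = []

    for brand, legit_domains in BRANDS.items():
        brand_sk = skeleton(brand)
        # Does any visible part of the identity claim the brand once confusables are folded?
        claims_brand = any(brand_sk in skeleton(part) for part in (display, local, domain))
        if not claims_brand:
            continue
        # Exact match or a subdomain of an allowlisted domain is fine; "instagram.com.evil.tld" is not.
        if any(domain == d or domain.endswith("." + d) for d in legit_domains):
            continue
        exact = any(brand in part.lower() for part in (display, local, domain))
        kind = "exact brand name" if exact else "look-alike spelling of brand name"
        findings.append(
            f"{kind} '{brand}' in sender identity but domain '{domain}' is not an allowlisted {brand} domain"
        )

    # Second signal from the report: a long local part pushes the domain off-screen
    # on narrow clients, so the reader only ever sees the harmless-looking prefix.
    if len(local) >= NARROW_CLIENT_WIDTH:
        shown = address[:NARROW_CLIENT_WIDTH]
        findings.append(
            f"long address ({len(address)} chars): a narrow client shows only '{shown}...' and hides the domain"
        )
    return findings


# Constructed sample headers (assumption): illustrative, not the headers from the real campaign.
SAMPLES = [
    "Instagram <no-reply@mail.instagram.com>",                                  # legitimate
    '"Lnstagram Support" <membershipform@outlook.com>',                         # confusable L, free-mail domain
    '"Instagram Support" <membershipform.verification.team.notice@outlook.com>',  # exact brand, wrong domain, long
    "Alice Example <alice@example.com>",                                        # unrelated
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        for finding in check_sender(header) or ["  (no findings)"]:
            print("  -", finding)
```

The skeleton comparison is what defeats the I/L swap: both the uppercase and lowercase forms are lowered before folding, so the check does not depend on which case the attacker chose. The length check is a heuristic and will fire on some legitimate system-generated addresses; treat it as a score contribution rather than a block on its own.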
“This socially engineered attack impersonated a well-known brand, designed to create a sense of urgency in the end user around a commonly used and needed application in order to complete daily tasks,” said Armorblox.
To avoid falling for similar scams, email users are advised to treat unexpected messages with suspicion rather than opening them, and not to reuse passwords across personal and business apps. Armorblox also urges users to enable multi-factor authentication on all email accounts where possible.
*This article was amended on March 21. The original version reported that the fake Instagram email domain was spelled with a lowercase L, and not an uppercase L as was actually the case.