The professionally crafted email attack includes a socially engineered payload in the form of a malicious email link that, once clicked, takes the victim to a fraudulent Instagram account verification page with the end goal of credential theft.
What is Inside the Scam Email?
The quality of the phishing email attack is “spot on” because the malicious link inside it leads to a very well-crafted “spoofed” website, with all the bells and whistles necessary to dupe users into trusting the process, Armorblox said. In an example screenshot provided by Armorblox, the subject line reads “Instagram Support” and the sender address reads: “Lnstagram Support ” which indicates a Turkish Microsoft Outlook domain in this instance. The body of the email stated that the recipient has violated Instagram’s copyright laws and now has to verify membership within 24 hours by clicking the button in the email. Clicking this button leads to a fraudulent page with a well-made Instagram logo and a “verify” button. If a user keeps clicking through, the next step is an “Account Verification Form” page that will ask for credentials. Every component of the spoofed page “from the email to the account verification form include Meta and Instagram branding and logos” which instills trust in the user, Armorblox emphasized.
Scam Bypasses Google Email Security
The scam is targeting employees at a New York-based life insurance company with branches across the U.S., and has aimed at about 300 mailboxes, Armorblox wrote. The name of the company in question has not been mentioned in the report. An email captured by Armorblox “was sent from a legitimate outlook domain” and multiple techniques were used by the attack to bypass Google’s email security. The language used in the bait email, such as “violating policy” and “within 24 hours” manipulates users into trying to save their Instagram account. Secondly, both the email subject line and body are written in “plain text” which, combined with a legitimate domain, can squeeze through Google’s security algorithms, Armorblox noted. “Additionally, the sender crafted a long email address, meaning that many mobile users would only see the characters before the “@” sign, which in this case is ‘membershipform’ – one that would not raise suspicion” Armorblox added. The techniques used in this instance to obfuscate the malicious process from security algorithms are:
Social engineering Brand impersonation Valid domain names
What Gave it Away
As is usually the case with phishing scams, a spelling error or suspicious sender address can give away the whole scheme. In this case, it was a typo in the sender’s address, Armorblox said. However, the typo is easy to miss, especially when the victim is in a rush. The typo in question is the letter “L” in the sender address: “Lnstagram Support” as opposed to the correct spelling: “Instagram Support.”
Security Tips and Recommendations
To avoid falling for phishing scams like this, users should heed the following recommendations:
Do not open unexpected emails Organizations should opt for built-in email security Never use the same passwords across both personal and business apps Always check the sender address and the body of an email for suspicious components or typos Deploy multi-factor authentication (MFA) across all possible accounts
To find out the latest on phishing and Instagram-related cybercrime, read our full guide on the Top Instagram Scams of 2022.
