Phishing for likes: How cybercriminals are exploiting Instagram's copyright reports
For anyone invested in social media, copyright infringement is a big deal. Users must be able to protect their intellectual property from imposters and opportunists trying to ride their coattails. As such, most platforms invite content owners to report infringement, but this useful function has joined the long list of communication channels cybercriminals exploit.
Trustwave researchers have found criminal gangs are impersonating Instagram’s copyright report emails in phishing campaigns, angling to trick users into sharing their details.
How the Insta-phish unfolds
Instagram makes it easy for any account owner to file a report if they find other users posting their content without permission: they simply click this link and fill in the form. Accounts that have been reported are notified of the option to appeal.
Cybercriminals have latched onto this handy system as an opportunity to scam Instagram users out of important personal information. We have analyzed malicious emails in the wild that mimic the typical infringement notice, including an 'Appeal Form' button. Clicking the link will open the device’s default browser and redirect to a phishing website that hosts a form asking for various personal details, allegedly to confirm the user’s identity.
The form asks for a username, password (even asking for this twice to double check), location and phone number -- all of which seems fairly in keeping with a legitimate process.
We played along with the requests, identifying ourselves as 'dummyusername' with the password 'dummypassword', located 'everywhere' and with the memorable phone number '987654321'. As each piece of information was entered, we monitored the data being sent over to the criminal’s server -- no doubt resulting in a disappointed scammer. Once all the information has been harvested, the victim is redirected to Instagram’s real help page to complete the illusion of legitimacy.
Why is this attack tactic so successful?
This malicious campaign is designed to fool victims and evade detection with an effective combination of dirty tricks. Using two classic tactics from the social engineering playbook, the scammers are banking on Instagram as being a trusted brand and combining that recognition with a sense of urgency.
Instagram users will naturally want to act quickly if it appears their content is being removed or used illegally and they will likely react strongly to being falsely accused of copyright infringement. The criminals are hoping these factors will cloud their targets’ judgement and cause them to act without pausing to notice anything peculiar about the situation.
These social engineering tactics are boosted by technical tricks designed to evade both the human eye and automated anti-phishing tools. The email itself appears to be sent from 'metahelpcenter.org' -- an address that doesn’t exist, at a domain that is currently for sale.
Perhaps even more cunning is the form link itself. Analyzing the email in a text editor, we found that the 'Appeal Form' button’s URL passes through a redirector to evade detection. It first appears as hxxps://l[.]wl[.]co/l?u=, which then reroutes to the true phishing URL, hxxps://helperlivesback[.]ml/5372823.
The wl[.]co domain is owned by WhatsApp. As another trusted brand owned by Instagram’s parent company Meta, it will seem perfectly legitimate to any user who scrutinizes it, and it fools many URL detection solutions as well.
Keeping your data out of the hands of scammers
Phishing scams like this can be very harmful, as the victim’s personal details will be exploited for further cyberattacks and fraud. Cybercriminals can use the information to craft more targeted and personalized phishing attacks, and the phone number can potentially be used to get through two-factor authentication (2FA). The details may also be used to commit fraud such as insurance scams.
With so many organizations investing in their social presence, this tactic can be used to target enterprises as well as individuals.
As the cybercriminal underworld has become increasingly organized, many threat actors now specialize in harvesting details to sell on the dark web. As such, stolen information could end up in the hands of multiple criminal gangs and scammers. This campaign also highlights the increasingly common phishing trick of using legitimate domains to deceive URL checkers, then rapidly redirecting to the actual phishing site. WhatsApp is one of the most popular domain choices used by threat actors due to its recognition and connection with multiple social channels. The trick fools most standard URL detection systems because the phishing URL is embedded in the query parameters of the legitimate-looking URL.
Defending against these tactics requires ongoing security awareness training as well as anti-phishing solutions that can identify the more subtle signs of URL redirection. A multi-layered approach to email security that includes strict policy management and content scanning will also increase the chances of detecting the initial phishing email before it can land in the victim’s inbox.
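A static check for the redirector pattern described above (a trusted domain carrying the real destination in its query string), written here as an added example that is not part of the original article or Trustwave's tooling: it refangs a defanged link, extracts any URL embedded in the query parameters, follows that chain without making a request, and flags a trusted visible host in front of an untrusted final host. The brand allowlist is an assumption for illustration; the sample link is the one quoted in the article.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Assumed allowlist of domains a user would trust at a glance (illustrative only).
TRUSTED_BRAND_SUFFIXES = ("instagram.com", "whatsapp.com", "wl.co")

def refang(url):
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def embedded_urls(url):
    """Return any absolute URLs carried in the query parameters of `url`."""
    found = []
    for values in parse_qs(urlparse(url).query, keep_blank_values=True).values():
        for value in values:
            candidate = unquote(value)  # parse_qs already decodes once; handle a second layer
            if candidate.lower().startswith(("http://", "https://")):
                found.append(candidate)
    return found

def redirect_chain(url, max_hops=5):
    """Statically follow URL-in-parameter redirects; no network request is made."""
    chain = [url]
    for _ in range(max_hops):
        inner = embedded_urls(chain[-1])
        if not inner:
            break
        chain.append(inner[0])
    return chain

def is_trusted_host(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_BRAND_SUFFIXES)

def analyze_link(url):
    """Summarise what a user sees versus where the link actually leads."""
    chain = redirect_chain(refang(url))
    visible = (urlparse(chain[0]).hostname or "").lower()
    final = (urlparse(chain[-1]).hostname or "").lower()
    return {
        "visible_host": visible,
        "final_host": final,
        "hops": len(chain) - 1,
        # A trusted facade in front of an untrusted destination is the pattern from the email.
        "suspicious": len(chain) > 1 and is_trusted_host(visible) and not is_trusted_host(final),
    }

# Constructed sample: the defanged 'Appeal Form' link quoted in the article.
SAMPLE_LINK = "hxxps://l[.]wl[.]co/l?u=hxxps://helperlivesback[.]ml/5372823"
```

Run analyze_link(SAMPLE_LINK) to see the visible host l.wl.co resolve to the final host helperlivesback.ml after one hop; a plain help.instagram.com link yields zero hops and is not flagged.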
Karl Sigler is Senior Security Research Manager, Trustwave SpiderLabs.