Instagram ‘Help Center’ Phishing Scam Pilfers Credentials

Researchers warn that a phishing scam is targeting Instagram users via direct messages on the app.

Turkish-speaking cybercriminals are sending Instagram users seemingly legitimate messages from the social media company, with the aim of stealing their Instagram and email credentials.

Researchers said that the campaign has been targeting hundreds of celebrities, startup business owners, and other entities with sizeable followings on Instagram. This specific attack first came on researchers’ radar after a police officer with more than 16,000 followers on Instagram was targeted, they said.

While previous phishing messages leveraging Instagram as a lure have been sent via email, the attackers in this campaign send the phishing messages on Instagram’s platform itself. They pretend to be the Instagram Help Center and claim that a copyright violation complaint has been filed against the account owner – and that their account is now at risk of being deleted.

“The message also provides a link which masquerades as a form for sending an appeal but which is actually a phishing link,” said researchers with Trend Micro in a Friday analysis. “Opening the link leads to a page where the user will be requested to provide their username. As of writing, the form has no data validation, meaning that any input — even a non-existent account or no input at all — would be accepted.”


Click to expand.

After the victim selects the “Next” button on the phishing landing page, another screen appears asking them for their name, password, email address and email password.

If a victim inputs his credentials and clicks the “Continue” button, the page redirects to the legitimate Instagram login page.

“If the user was already logged in to the social media site before tapping the said button, the form then redirects to their homepage,” said researchers. “This gives the illusion that the form they filled out is officially connected to Instagram.”

Once they have a hold of the Instagram credentials, attackers log into the account, unlink the victim’s cellphone number connected to the account, and change the email linked to the account. And, since they have the email credentials as well, attackers can take over the email account as well.

Attackers have previously targeted Instagram users in various phishing campaigns and scams. A previously 2019 campaign, for instance, used emails requesting the user to confirm their account so that they can receive a verified badge.

However, selecting the “Verify Account” button leads to a phishing page that harvests the user’s email address, credentials, and date of birth. Upon harvesting these, the threat actors have all the details they need to modify the information for recovering a stolen account, said researchers.

Many of the attacks were successful, Jindrich Karasek, threat researcher at Trend Micro, told Threatpost. The impact of the breach depends, Karasek said.

“Some victims can be famous enough to be blackmailed with information found on Google,” Karasek told Threatpost. “Most of the victims also use the same password for all social networks, so they get their whole online identity stolen, exploited and abused.”


Click to expand.

Researchers advised Instagram users to be cautious of seemingly legitimate sites that request account credentials for another site.

Also, users should “examine message content for ungrammatical constructions and spelling mistakes” and “never open links or download attachments from suspicious sources. Hover over a URL to check if it reveals a different address other than the expected website,” said researchers.

Threatpost has reached out to Instagram for further commentary.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.