Instagram phish poses as copyright infringement warning – don’t click!

Last month, we wrote about an Instagram scam that presented you with what looked like a two-factor authentication (2FA) code.

This time, the crooks are tapping into a concern that many of us have – falling foul of copyright law.

Lots of us innocently post and repost photos, GIFs, video clips and screenshots that we find amusing, informative, scary, and so forth…

…but even if we’re only ever posting photos that we took ourselves, we may occasionally find ourselves asked either to demonstrate our entitlement to use them, or to risk getting shut out of our account:

No one wants to get locked out of their social media account, even temporarily, over an unresolved argument about an image.

As a result, the temptation to click the link on the email is high – especially if you know that the ‘dispute’ is bogus or easily resolved, perhaps because you think you can quickly prove that you took the photos yourself.

Of course, in this case, clicking through immediately puts you in harm’s way:

As in the previous case of Instagram phishing, the crooks are using a free .CF domain name, “left stuffed” with subdomain text that disguises its bogus origins.

Remember that once you have the right to use a domain such as example.com, you also acquire the right to create subdomains such as www.example.com, anytext.youlike.example.com, or even (as in this case) insta­gram.copy­right­infringement­appeal.example.com.

If there isn’t room in your browser’s address bar for the full domain name – and on a mobile device, there almost certainly won’t be – then the browser will show you the believable left-hand end of the domain and hide the important part at the right-hand end.

As you can see see above, the crooks have acquired an HTTPS certificate for their imposter website, so you will see the necessary and expected padlock in your browser.

In Firefox, you can simply click on the padlock to view the certificate, which quickly reveals the deceit:

If you do click through, however – and it’s hard (or effectively impossible) to drill down into the details of a web certificate in a mobile browser – then you hit the phishing attempt proper:

Notice how the crooks have added an age check to the page, apparently in a two-faced effort not only to make it look more realistic (a lot of American web services insist on age confirmations for legal reasons) but also to go after an additional item of personal data, namely your birthday.

(Ironically, in our tests this phishing page only actually uploaded the username and password fields when we clicked [Submit] – the date of birth we put in was ignored.)

If you enter a password, it gets uploaded via a web POST request back to the same .CF site used to serve up the original bogus notification page.

After that, a bogus Loading... page that adds a drop of realism…

…and then crooks present you with a decoy page that makes it look as though something positive has happened:

After all that, you’re calmly and automatically redirected to Instagram’s real login page for a final touch of verisimilitude:

Why Instagram?

You might be surprised to find that crooks are interested in accessing your Instagram account at all, rather than, say, your bank account, your RDP password or your cryptocoin wallet.

But as we pointed out in our previous Instagram phishing article:

Social media passwords are […] valuable to crooks, because the innards of your social media accounts typically give away much more about you than the crooks could find out with regular searches.

Worse still, a crook who’s inside your social media account can use it to trick your friends and family, too, so you’re not just putting yourelf at risk by losing control of the account.

If you receive an outlandish business proposal or a bogus-sounding news report from someone you’ve never heard of, you’re unlikely to give it a second glance.

But a friend who cheerfully recommends a weird and wacky website is much more likely to persuade you to take a look, because… hey, that’s what friends do.

Thus, Instagram phishing.

What to do?

Instagram copyright infringement reports are a real thing, but they don’t unfold in the way the crooks are pretending in this attack.

We recommend that you read Instagram’s official explanation from the company’s own help pages – if you know what the real deal is supposed to look like, then you’ll never fall for a fake warning like this one.

Notably, Instagram says that if it removes content without contacting you first,

you’ll receive a notification from Instagram that includes the name and email address of the rights owner who made the report and/or the details of the report. If you believe the content shouldn’t have been removed, you can follow up with them directly to try to resolve the issue.

Here are five more tips for staying out of trouble:

• Look out for obvious errors. In this attack, the crooks were careless with the email they sent. It contains numerous grammatical and typographic errors, which are a big giveaway. Closer inspection would reveal that the email came from a Turkish hosting company, and that the clickable button in the email itself leads to a bogus .CF domain, not where you might expect in the case of an Instagram page.
• Check your address bar. If a web address is too long to fit cleanly into the address bar of your browser, take the trouble to scroll rightwards in the address text to find the right-hand end. Closer inspection would quickly reveal the bogus domain name here.
• Consider using a password manager. Good password managers associate usernames and passwords with already-known login pages, so your password manager wouldn’t offer to fill in an unexpected password field on an unknown web domain – it simply wouldn’t know what account to use.
• Never login via email links. If you need to login to a site such as Instagram for some official purpose, find your own way there, for example via a bookmark you created earlier, or by using the official mobile app. That way, you’ll avoid putting your real password into the wrong site.
• Learn how your online services really handle disputes or security issues. Don’t get taken in by warnings you receive by email. Find your own way to the real site and use the service’s own help pages to find out how things really work. That way, you’ll be much harder to con.

And a bonus sixth tip if you’re looking after other users…

• Make sure your users are clued up. Phishing emails like the one shown here are easy to fall for because of their elegant simplicity – by copying distinctive pages from well-known brands, the crooks keep your suspicions low. Sophos Phish Threat lets you train and test your users using realistic but safe phishing simulations.