The Email Bait … and Phish: Instagram Phishing Attack
Mixing business with pleasure is seen as a negative for a few reasons that many people know well, but there is another important reason you may not be aware of: two words, credential phishing. Take caution when using business credentials to log in across multiple apps, especially social apps that cross over into personal use. The convenience is tempting, but it only takes one momentary lapse in judgment for both sensitive personal and business data to be compromised.
Today, we examine an attack impersonating Instagram, the most prominent photo, video sharing and social networking platform.
The email carried a socially engineered lure that spoofed the design of a legitimate Instagram membership-verification email. In the mostly plain-text email shown below, the message is crafted to look like it comes from Instagram support. The subject line simply read "Instagram Support", and the sender name was manipulated to read the same at first glance.
The email body stated that the recipient had been reported for activity that violated copyright laws. The attacker created urgency by giving the recipient 24 hours to click the link. Clicking the link took the user to a spoofed Instagram-branded 'account verify' landing page carrying the Instagram logo and a 'verify' button, which in turn led to an 'Account Verification Form' asking for the account credentials. None of the three steps (the email link, the verify button and the form) looks malicious to an ordinary end user, and every touch point, from the email to the verification form, carries Meta and Instagram branding and logos in order to build trust.
Target: A prominent, life insurance company headquartered in New York with presence across the US
Email security bypassed: Google email security
Techniques used: Social engineering, brand impersonation
The Email Bait …
The socially engineered email targeted employees of a life insurance company with staff across the US, under the guise of Instagram Support. It impersonated the well-known brand in an attempt to steal login credentials. Recipients saw a subject line that read "Instagram Support" and a sender name that suggested the same.
The email claimed the associated Instagram account had been reported for violating copyright laws, and added urgency with the line "If you can't verify within 24 hours your membership will be permanently deleted…". Toward the bottom of the email the attacker placed a call-to-action link to verify the account alongside the Meta logo, pairing urgency with a trusted brand.
… And Phish
Clicking the malicious link in the email body took the user to a malicious landing page. Its blatant Instagram branding and logo meant a closer look was needed to see through it.
The 'verify' button is where "fool me twice, shame on me" comes in: clicking it redirected the user to a second spoofed landing page. The brand impersonation here was spot on, from the colors to the font to the Instagram and Meta logos. This 'Account Verification Form' page required the user to enter account credentials. To hurry the entry of sensitive data, the attacker again leaned on urgency, claiming "your account will be removed within 24 hours."
The email was sent from a legitimate Outlook domain, and the attacker combined several techniques to get past Google's built-in email security.
In this example, the attackers aimed to create urgency around the possibility of an Instagram account being deleted. Language about 'violating policy' and 'within 24 hours' was used to push the end user to act and engage with the malicious URL, and it also made the recipient curious about why the account had been reported. Both the subject line and the email body are plain text, so as not to raise suspicion. Even the sender name was spoofed to read 'Instagram Support', and at a quick glance the end user may not notice that the capital 'I' in Instagram was in fact a lowercase 'l', which looks identical in many sans-serif fonts. The flow of this credential phishing attack was carefully crafted: each further step aimed to build more trust through logos and consistent branding. The attack impersonated a well-known brand and created urgency around an application many people use every day for work as well as personal tasks.
Recap of Techniques Used
This email attack employed multiple techniques in order to steal sensitive information and pass the eye test of unsuspecting victims.
Social engineering: The email title, sender name and content aimed to induce trust and urgency within the victims. Trust because the email claimed to come from a legitimate company and an urge to take action because it requested action from the victim in order to prevent an unwanted result.
Brand impersonation: The email spoofed Instagram (owned by Meta), a social networking platform commonly used for both personal and work purposes. The email claimed the account had been reported over content that violated a policy. The message was consistent across the email and the spoofed landing pages: review / confirmation of the account was needed within 24 hours, otherwise the account would be permanently deleted.
Valid domain names: The email was sent from an Outlook account, a valid domain, with the message originating from Turkey. Traditional security training encourages checking the sender domain for clear signs of fraud before responding. Here a quick scan of the address would not have alerted the end user, because the domain itself is legitimate. The sender also used a long email address, so many mobile mail clients would show only the characters before the '@', in this case 'membershipform', which would not raise suspicion on its own.
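The points above (a lookalike 'l' standing in for the 'I' in Instagram, a brand name in the sender display name paired with a consumer mail domain, a long local part, and 24-hour urgency language) are all mechanically checkable. The following is an added example written for this article, not Armorblox's or any vendor's detection logic: a small triage function that runs those checks over a From header, subject and body. The brand list, the legitimate sending domains, the confusable-character map and the sample messages are assumptions constructed for the example.

```python
import re
from email.utils import parseaddr

# Single-character lookalikes commonly swapped into brand names (l/I, 1/I, 0/O, ...).
# Assumption: a small hand-picked map, not the full Unicode confusables table.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o",
                             "5": "s", "3": "e", "@": "a", "$": "s"})

# Brands this check knows and the domains they legitimately send from.
# Assumption for the example; a real deployment loads these from an allow-list.
BRAND_DOMAINS = {
    "instagram": {"instagram.com", "mail.instagram.com"},
    "meta": {"meta.com", "facebookmail.com"},
}
# Consumer mail providers a corporate brand would not send account notices from.
FREEMAIL = {"outlook.com", "hotmail.com", "live.com", "gmail.com", "yahoo.com"}

# Urgency / threat phrasing of the kind quoted in the article.
URGENCY_PATTERNS = [
    r"within \d+ hours",
    r"permanently (deleted|removed|disabled)",
    r"will be (deleted|removed|suspended)",
    r"verify (your |the )?(account|membership)",
    r"reported for",
]

def normalize(text):
    """Lower-case, fold 'rn' to 'm', then fold single-character lookalikes."""
    return text.lower().replace("rn", "m").translate(CONFUSABLES)

def claimed_brand(text):
    """Return (brand, used_lookalikes). A brand that only appears after folding
    was spelled with lookalike characters (e.g. 'lnstagram')."""
    plain, folded = text.lower(), normalize(text)
    for brand in BRAND_DOMAINS:
        if brand in plain:
            return brand, False
        if brand in folded:
            return brand, True
    return None, False

def analyze(from_header, subject, body):
    """Return a dict with the claimed brand, sender domain, findings and a verdict."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    brand_d, look_d = claimed_brand(display)
    brand_s, look_s = claimed_brand(subject)
    brand = brand_d or brand_s
    findings = []
    if brand:
        if domain not in BRAND_DOMAINS[brand]:
            findings.append(f"claims {brand} but sender domain is {domain}")
        if look_d or look_s:
            findings.append("brand name spelled with lookalike characters")
        if domain in FREEMAIL:
            findings.append("brand notice sent from a consumer mail provider")
    if len(local) > 20:
        findings.append("long local part hides the domain on narrow displays")
    text = f"{subject} {body}".lower()
    urgency = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if urgency:
        findings.append(f"urgency language: {len(urgency)} pattern(s)")
    return {"brand": brand, "domain": domain, "findings": findings,
            "suspicious": len(findings) >= 2}

# Constructed sample modelled on the article's description (not the real message).
SAMPLE_FROM = '"lnstagram Support" <membershipform.account.verification.notice@outlook.com>'
SAMPLE_SUBJECT = "Instagram Support"
SAMPLE_BODY = ("Your account has been reported for content that violates copyright laws. "
               "Please verify your account at https://example.invalid/verify . "
               "If you can't verify within 24 hours your membership will be permanently deleted.")

# Constructed benign control: correct brand domain, no lookalikes, no urgency.
LEGIT_FROM = '"Instagram" <no-reply@mail.instagram.com>'
LEGIT_SUBJECT = "New login to Instagram"
LEGIT_BODY = "We noticed a new login from Chrome on Windows."

if __name__ == "__main__":
    for hdr, subj, body in [(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_BODY),
                            (LEGIT_FROM, LEGIT_SUBJECT, LEGIT_BODY)]:
        result = analyze(hdr, subj, body)
        print(result["suspicious"], result["findings"])
```

The verdict deliberately requires two independent findings: a brand name in the display name with a non-brand domain is normal for forwarded mail and newsletters, and urgency phrasing alone appears in plenty of legitimate notices, but the combination seen here (lookalike brand, consumer mail domain, long local part, deadline language) should route the message to quarantine or review rather than the inbox.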
Guidance and Recommendations
1. Do not open emails that you are not expecting
When you receive an email that you are not expecting, take caution before opening. Just because someone, or in this case some business, is asking for confirmation does not mean that you should engage.
2. Augment native email security to stop socially engineered attacks
For better protection against email attacks (whether they’re spear phishing, business email compromise or credential phishing attacks like this one), organizations should augment built-in email security with layers, like Armorblox, that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and is a good starting point for evaluation.
3. Do not use the same passwords for personal and business apps
Keep the credentials (user ID and password) for your personal apps and business apps different. Reusing passwords increases your exposure: once either a personal or a professional account is breached, attackers routinely replay the leaked user ID and password combinations against other services (credential stuffing).
4. Watch out for targeted attacks
Since we receive an abundance of emails from service providers, our brains have been trained to quickly execute on the requested actions. Instead of clicking on a link, pause and ask these five questions:
- Is the look or tone of the email different from what you are used to?
- Are there spelling or grammatical errors?
- Is the body of the email more generic than it should be?
- Is it asking for your personal information or login credentials?
- Are you expecting the email?
5. Follow multi-factor authentication and password management best practices
Deploy multi-factor authentication (MFA) on business and personal accounts where possible and don’t use the same password on multiple sites/accounts. Use a password management software like LastPass or 1Password to store your account passwords and avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.) or generic passwords such as ‘password123’ or ‘YourName123’.