
Instagram copyright infringement scams – don’t get sucked in!

If you create any sort of online content at all – even if you’re just a once-in-a-while blogger or an occasional social media user – you almost certainly know how easy it is for other people to rip off your material and present it as their own.

We’re not talking about links, shares, retweets, and so on, which are legitimate ways for people to re-promote your work.

We’re referring to outright scraping, copying or republishing of your original content by someone else, as though they created the material themselves…

…without ever bothering to ask for permission.

At the same time, you’ll also know how easy it is to end up accused of copyright wrongdoing yourself, even if you’re always careful only to use third-party material in accordance with the original creator’s licensing guidelines.

So, given the frequent argy-bargy that surrounds online copyright issues, many social networks have established formal procedures for making complaints and appealing against takedowns.

Instagram’s procedures, for example, are listed in some detail on its official help page, which explains both how to complain if you think you’ve been ripped off, and how to respond if you’ve been falsely accused.

Enter cybercrime

As you can imagine, cybercriminals have learned how to use copyright infringement notices as bait in phishing scams.

By pretending to be a social network such as Instagram, they try to scare you into thinking that there’s an official copyright complaint against you…

…whilst at the same time giving you a quick and easy way of replying with a counter-claim of your own.

The criminals know that the complaint is totally bogus, and they know that you know it’s bogus.

But instead of leaving you to figure out that it’s bogus because there was no complaint in the first place, they trick you into thinking that the complaint was real, but that the bogus part was the accusation made by the complainer.

To do this, they don’t accuse you themselves, and they don’t threaten to sue; instead, they offer you an easy way to “prove” your “innocence” by providing a link to object to the “complaint”.

While we hope that you’d spot an email scam of this sort right away, we have to admit that some of the copyright phishes we’ve received in recent weeks are much more believable – and better spelled, and more grammatical – than many of the examples we’ve written about before.

Like this one:

Hello, @nakedsecurity

We recently received a complaint about a post on your Instagram. Your post has been reported as infringing copyright.

Your account will be removed if no objection is made to the copyrighted work. If you think this determination is incorrect, please fill out the objection form from the link below.

The [Appeal] button in this example uses a shortened link (this one comes from bit.ly), but whether you check the destination of the link in advance or click through anyway, the resulting website doesn’t look as bogus as you might expect.

To check a bit.ly link before visiting it, paste the link into your browser’s address bar and add a plus sign (+) at the end. That tells bit.ly to show you a preview page listing the original destination instead of redirecting you to it. (This trick is specific to bit.ly; other shorteners have their own preview conventions, and some have none, in which case you need to inspect the redirect yourself rather than click through.)

Here, the crooks have registered the fake-but-not-too-far-off domain name fb-notify DOT com, and the link you’re given takes you to a personalised scam page that explicitly references your account:

In the screenshot above, the account statistics are correct, or they were at the time we received the email, and the image shown does indeed come from our Instagram page. (Amusingly, and ironically, that means the scam page itself infringes copyright.)

In other pages linked to by these scammers, the image ripped off by the crooks always seemed to be scraped from the second-to-last post on the victim’s Instagram page. That might have been a coincidence, or it could be a deliberate ploy by the crooks to pick an image recent enough that you’ll remember posting it, but not so recent that the copyright complaint might seem unrealistically quick.
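As an added example (this is not code from the original article), here is a small Python script that does what the preceding paragraphs describe by hand: it builds bit.ly’s “+” preview link, fetches only the redirect’s Location header without ever following it, and classifies the destination host as a genuine Instagram/Facebook domain, a lookalike such as fb-notify.com (the domain named in this article), or something unrelated. The allowlist of genuine domains and the list of brand tokens are assumptions chosen for illustration, not an authoritative list of Meta’s domains.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse, urlunparse

# Hosts that really belong to Instagram/Facebook. Assumption: a short,
# illustrative allowlist, not an authoritative list of Meta's domains.
LEGIT_SUFFIXES = ("instagram.com", "facebook.com", "fb.com")

# Brand fragments that scam domains such as fb-notify.com borrow.
# Assumption: a small hand-picked set; tune it for real use.
BRAND_TOKENS = ("instagram", "insta", "facebook", "fb", "meta")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses, so the Location header can be read
    without the destination (the scam page) ever being requested."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def preview_url(short_url: str) -> str:
    """bit.ly's preview form: the same link with '+' appended to the path."""
    parts = urlparse(short_url)
    return urlunparse(parts._replace(path=parts.path + "+"))


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, '' if there is none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    """True only for an allowlisted domain or a real subdomain of one, so
    instagram.com.evil-host.example does NOT pass."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def looks_like_brand(host: str) -> bool:
    """Lookalike heuristic: a brand token appears as a whole, hyphen-separated
    component of some DNS label ('fb' in fb-notify.com, 'instagram' in
    instagram.com.evil-host.example)."""
    for label in host.split("."):
        for part in label.split("-"):
            if part in BRAND_TOKENS:
                return True
    return False


def classify(destination: str) -> str:
    """Classify a redirect destination: legitimate, lookalike or unrelated."""
    host = host_of(destination)
    if not host:
        return "no-host"
    if is_legit_host(host):
        return "legitimate"
    if looks_like_brand(host):
        return "lookalike"
    return "unrelated"


def expand_without_following(short_url: str, timeout: float = 10.0):
    """Send a HEAD request for a short link and return its Location header.
    The redirect is never followed, so the destination page is never loaded."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(short_url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")  # no redirect at all
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces 3xx as HTTPError; the
        # Location header is still available on the error object.
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


if __name__ == "__main__":
    import sys

    # Usage: python check_short_link.py https://bit.ly/<code>
    link = sys.argv[1]
    print("preview page:", preview_url(link))
    dest = expand_without_following(link)
    print("destination :", dest)
    print("verdict     :", classify(dest or ""))
```

Only `expand_without_following` touches the network; the classification functions work on plain strings, so they can be run against constructed destinations such as `https://fb-notify.com/appeal` (lookalike) or `https://instagram.com.evil-host.example/` (also lookalike, because the real domain there is evil-host.example, not instagram.com). A “lookalike” verdict is a reason to stop, regardless of whether the destination offers HTTPS.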

The sting

Anyone who gets this far is almost certainly starting to believe the scam, which would make the next page seem unexceptionable enough, especially given the HTTPS padlock (which only means the connection is encrypted, not that the site is genuine; crooks obtain certificates for their own domains as easily as anyone else) and the sort-of-OK-looking fb-notify domain name:

The website then pretends you made an error typing in your password and tells you to try again, presumably as a simple way for the crooks to discard login attempts where a user clearly just bashed out any old garbage on the keyboard to see what happened next:

Then there’s a believable enough message to tell you that your appeal was submitted successfully:

Finally, the criminals sneakily redirect you to the real Instagram copyright page that we listed above, presumably to add an air of legitimacy that leaves you on a genuine website:

What to do?

[Embedded video]