
Instagram scammers as busy as ever: passwords and 2FA codes at risk

We monitor a range of email addresses related to Naked Security, so we receive a regular (a word we are using here to mean “unrelenting”) supply of real-world spams and scams.

Some of our email addresses are obviously directly associated with various Sophos-related social media accounts; others are more general business-oriented addresses; and some are just regular, consumer-style emails.

As a result, we like to think that our personal scam supply is a reliably representative sample of what the crooks are up to…

…and, as you’ve probably noticed yourself, even though we see all the “old favourites” pretty much all the time, we often see bursts of one specific scam topping our personal prevalence charts.

At one point, sextortion scams were in the #1 spot (that odious sort of message turned into a real deluge in 2019 and 2020).

https://nakedsecurity.sophos.com/2020/04/22/porn-scammers-making-100000-a-month-from-sextortion-emails/

Then home delivery and parcel scams went wild for a while; then we had a flurry of Docusign ripoffs.

https://nakedsecurity.sophos.com/2021/07/14/home-delivery-scams-get-smarter-dont-get-caught-out/

Right now, however, our scam feed is awash with a variety of frauds targeting Instagram, Instagram, and Instagram.

Instagram scams of many sorts

In the past few days, we’ve had bogus Instagram warnings, complete with Instagram branding, in each of these categories:

Although most of the examples we’ve received were old-style username-and-password phishes, one went on to request our 2FA code as well.

Even though 2FA codes are typically only valid for a few minutes, cybercriminals no longer simply collect phishing data to use later.

Many cybergangs use manual or automatic techniques that alert them as soon as victims visit their phishing sites, allowing the crooks to react in real time.

If they can trick you into handing over a 2FA code as well as your password, they will try that password-and-2FA code combination immediately, knowing that, if they’re quick enough, they’re likely to get their attempt in before the 2FA code expires.

While this is not exactly exciting or unexpected news, it’s a reminder that these scams are almost certainly still delivering results for the cybercriminals – potentially giving them instant access to established, trusted social media accounts in moments.

And although these scams usually aren’t too hard to spot…

…the crooks are getting better and better at making them easier to miss.

It’s easy to miss the warning signs and fall into the trap if you’re in a hurry, or if you’re distracted by other events (and who isn’t ATM?), or if you’re a delightful, trusting person who thinks, “Oh, there’s obviously been some mistake. Surely just the matter of a moment to sort it out, thanks to the handy and official-looking form provided.”

What to look for

Here’s what the fake warnings we’ve received have looked like; if you have friends or family whom you think might be tricked by this sort of message, please share this article with them so they know that they’re one of millions of people receiving the same fraudulent messages.

It’s often easier to convince people near and dear to you if it’s someone else behind the advice you’re offering – if nothing else, it sounds less “preachy” or judgmental if someone they don’t know is saying it.

And, sometimes, pictures are worth 1000 words, so here’s what they looked like.

1. Fake “Suspicious login alert” sample:

2. Fake “Community guidelines violation” sample:

3. Fake “Copyright infringement” sample:

What happens if you click through?

Here’s an example of the sort of follow-up pages that you’d see if you clicked through – this is the “suspicious login” sequence:

And here’s the fake “copyright appeal” – take note of the website name in these images, where what looks like an upper-case I (eye) is actually a lower-case L (ell):

Finally, here’s the fake “community violation”, complete with a phishing page that tries to grab your 2FA code (or one of your backup codes if you don’t have your phone handy) for the crooks to try to break into your account right away, in real time:
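The website-name trick called out in the “copyright appeal” sequence above (a lower-case L passing for an upper-case I) can be caught by folding look-alike characters before comparing a hostname against the brand it claims to be. The following Python check is an added example, not code from Sophos or from this article; the brand watch list, the confusable table and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Single characters that render alike in common sans-serif fonts. Each key is
# folded to its value so that visually identical names share one "skeleton".
# (Constructed table for this example; it is not an exhaustive confusables list.)
CONFUSABLES = {
    "i": "l", "1": "l", "|": "l",   # capital I, digit one and pipe all resemble l
    "0": "o",                        # zero resembles the letter o
}
# Letter pairs that read as a single glyph at a glance.
MULTI_CHAR = {"rn": "m", "vv": "w"}

# Constructed watch list of brand names worth protecting.
BRANDS = ["instagram", "facebook"]


def skeleton(label: str) -> str:
    """Fold one host label to its visual skeleton: lower-case, confusables merged."""
    s = label.lower()  # hostnames are case-insensitive, so "Instagram" == "instagram"
    for pair, single in MULTI_CHAR.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(c, c) for c in s)


def lookalike_brands(url: str, brands=BRANDS) -> list:
    """Return the brands that the URL's hostname impersonates with look-alike characters.

    A label is flagged when it contains the brand AFTER skeleton folding but does
    not contain the brand spelled correctly, so genuine spellings are never flagged.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    hits = set()
    for label in host.split("."):
        folded = skeleton(label)
        for brand in brands:
            if skeleton(brand) in folded and brand not in label.lower():
                hits.add(brand)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing message might carry.
    for sample in ("https://lnstagram.com/appeal", "https://www.instagram.com/",
                   "http://1nstagram-help.example.net/login"):
        print(sample, "->", lookalike_brands(sample) or "no look-alike found")
```

The check only covers ASCII look-alikes of the sort shown on this page; internationalised (punycode) homographs need a separate decoding step before the same comparison.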

What to do?
