dark reading threat intel and cybersecurity news

Threat actors are targeting Instagram users in a new phishing campaign that uses URL redirection to take over accounts, or steal sensitive information that can be used in future attacks or be sold on the Dark Web.

As a lure, the campaign uses a suggestion that users may be committing copyright infringement — a great concern among social media influencers, businesses, and even the average account holder on Instagram, researchers from Trustwave SpiderLabs revealed in an analysis shared with Dark Reading on Oct. 27.

This type of “infringement phishing” was also seen earlier this year, in a separate campaign targeting users of Facebook — a brand also under Instagram parent company Meta — with emails suggesting users had violated community standards, the researchers said.

“This theme is not new, and we have seen it from time to time over the last year,” Homer Pacag, Trustwave SpiderLabs security researcher, wrote in the post. “It’s the same copyright infringement trickery again, but this time, the attackers gain more personal information from their victims and use evasion techniques to hide phishing URLs.”

That evasion comes in the form of URL redirection, an emerging tactic among threat actors who are evolving their phishing techniques to be sneakier and more evasive as internet users get more savvy.

Instead of attaching a malicious file that a user must click on to reach a phishing page — something that many people already recognize as suspicious — URL redirection embeds in the message a URL that appears legitimate but ultimately leads to a malicious page that steals credentials.

Bogus Copyright Report

The Instagram campaign that researchers discovered begins with an email to a user notifying him or her that complaints were received about the account infringing upon copyright, and that an appeal to Instagram is necessary if the user doesn’t want to lose the account.

Anyone can file a copyright report with Instagram if the account owner discovers that their photos and videos are being used by other Instagram users — something that happens often on the social media platform. Attackers in the campaign are taking advantage of this to try to trick victims into giving away their user credentials and personal information, Pacag wrote.

The phishing emails include a button with a link to an “appeals form,” informing users they can click the link to fill out the form and later will be contacted by an Instagram representative.

Researchers analyzed the email in a text editor and found that, rather than directing users to the Instagram site to fill out a legitimate report, it employs URL redirection. Specifically, the link uses a URL rewrite or redirector to a site owned by WhatsApp — hxxps://l[.]wl[.]co/l?u= — followed by the true phishing URL — hxxps://helperlivesback[.]ml/5372823 — found in the query part of the URL, Pacag explained.

“This is an increasingly common phishing trick, using legitimate domains to redirect to other URLs in this fashion,” he wrote.

If a user clicks the button, it opens his or her default browser and redirects to the intended phishing page, which then walks the victim through a few steps designed to steal username and password data if he or she follows through, the researchers said.

Step-by-Step Data Harvesting

First, if the victim enters his or her username, the data is sent to the server via the form “POST” parameters, the researchers said. A user is prompted to click a “Continue” button, and if this is done, the page displays the typed username, now prefixed with the typical “@” symbol used to signify an Instagram username. Then the page asks for a password, which, if entered, also is sent to the attacker-controlled server, the researchers said.

It’s at this point in the attack where things deviate slightly from a typical phishing page, which is usually satisfied once a person enters their username and password into the appropriate fields, Pacag said.

The attackers in the Instagram campaign don’t stop at this step; instead, they ask the user to type in his or her password once more and then fill in a question field asking in which city the person lives. This data, like the rest, also is sent back to the server via “POST,” Pacag explained.

The last step prompts the user to fill in his or her telephone number, which presumably attackers can use to get past two-factor authentication (2FA) if it’s enabled on an Instagram account, the researchers said. Attackers also can sell this info on the Dark Web, in which case it can be used for future scams that initiate via telephone calls, they noted.

Once all of this personal info is harvested by attackers, the victim is finally redirected to Instagram’s actual help page and the beginning of the authentic copyright reporting process used to initiate the scam.

Detecting Novel Phishing Tactics

With URL redirection and other more evasive tactics being taken by threat actors in phishing campaigns, it’s getting harder to detect — for both email security solutions and users alike — which emails are legitimate and which are the product of malicious intent, the researchers said.

“It can be difficult for most URL detection systems to identify this deceptive practice, as the intended phishing URLs are embedded mostly in the URL query parameters,” Pacag said.
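As an added illustration of the redirector pattern described here and in the Trustwave analysis, the following Python unwraps a link whose query parameter carries the real destination, following the l.wl.co/l?u= shape named above, and flags the link when it redirects at all or when its landing host is not the brand's. This is example code written for this page, not Trustwave's or Instagram's tooling; the brand-domain list, the phish.example landing domain and the sample email are assumptions.

```python
import re
from html import unescape
from urllib.parse import parse_qs, unquote, urlparse

# Domains the lure claims to come from (assumption for this example).
EXPECTED_BRAND_DOMAINS = {"instagram.com", "help.instagram.com"}
MAX_HOPS = 5  # stop following nested parameters after this many hops


def extract_links(html: str) -> list:
    """Pull href targets out of an HTML email body (simple regex, not a full parser)."""
    return [unescape(h) for h in re.findall(r'href="([^"]+)"', html, re.I)]


def embedded_url(url: str):
    """Return the first absolute http(s) URL carried in the query string, if any."""
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def unwrap_redirect(url: str) -> list:
    """Follow URLs nested in query parameters; returns the hop chain, outermost first."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        nxt = embedded_url(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def assess_link(url: str) -> dict:
    """Flag a link if it redirects at all or if its final host is not the brand's."""
    chain = unwrap_redirect(url)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    return {
        "chain": chain,
        "final_host": final_host,
        "is_redirector": len(chain) > 1,
        "suspicious": len(chain) > 1 or final_host not in EXPECTED_BRAND_DOMAINS,
    }


# Constructed sample: the redirector host is the one named in the article; the
# landing domain is a placeholder, not the campaign's real URL.
SAMPLE_EMAIL = (
    '<a href="https://l.wl.co/l?u=https%3A%2F%2Fphish.example%2F5372823">Appeal form</a>'
    '<a href="https://help.instagram.com/">Help Center</a>'
)
```

Running `assess_link` over `extract_links(SAMPLE_EMAIL)` reports the first link as a two-hop redirect landing on phish.example and the second as a direct, expected brand link.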

Until technology catches up with the constantly changing tactics of phishers, email users themselves — especially in a corporate setting — need to maintain a higher degree of alertness toward messages that appear suspicious in any way in order to avoid being fooled, the researchers said.

Users can do this by checking that URLs included in messages match the legitimate ones of the company or service that claims to be sending them; by clicking only on links in emails that come from trusted senders with whom they have communicated previously; and by checking with IT support before clicking on any embedded or attached link in an email.