It has been reported that a credential phishing attack targeted 22,000 students at national educational institutions through a campaign where hackers impersonated Instagram.
The advisory was highlighted by security experts at Armorblox in an advisory released on the 17th November 2022.
The advisory says: “The subject of this email encouraged victims to open the message… The goal of this subject was to induce a sense of urgency in the victims, making it seem an action needed to be taken in order to prevent future harm.”
Seemingly, the email appeared to come from Instagram support. The sender’s name appeared as Instagram and the email address matched the social media site’s real credentials.
“This targeted email attack was socially engineered, containing information specific to the recipient – like his or her Instagram user handle – in order to instill a level of trust that this email was a legitimate email communication from Instagram.”
Once users clicked on a link in the email, they were taken to a fake landing page. There was a ‘This Wasn’t Me’ option which, when clicked, directed users to a second faux landing page specifically designed to obtain user credentials, including sensitive information.
The Armorblox advisory added: “The email attack used language as the main attack vector and bypassed native Microsoft email security controls. It passed both SPF and DMARC email authentication checks,” Armorblox explained.
Sami Elhini, biometrics specialist at Cerberus Sentinel, explained: “In this case, an email from instagramsupport.net should be viewed as suspicious as Instagram’s domain is instagram.com. Where a service provides support, it may be advisable to contact support directly if you are unsure what action to take.”
He also added that verifying the origin of an email is a good start, however further scrutiny is required concerning which domain the email originated from.
Erich Kron, security awareness advocate at KnowBe4, added that being comfortable with user interfaces and being able to navigate technologies does not mean individuals fully understand the risks.
“In our modern digital world, it is very important to stay educated on how to spot these sorts of social engineering attacks.”
This comes after warning of increased phishing attacks across the web.