Instagram “Help Center” Phishing Attack

Cyber Security Researchers warn against professional phishing attacks targeting Instagram users aimed at stealing user information via direct messages.

Cyber security researchers stated that “Attackers are sending legitimate-looking messages that appear to come from Instagram to steal users’ password and email information.”

The researchers said the campaign targets hundreds of famous people, business owners starting new companies, and other organisations and individuals with large followings on Instagram. The attack first came onto the researchers’ radar after it targeted a police officer with more than 16,000 followers on Instagram.

Earlier phishing campaigns reached their targets by email; this one delivers its messages through the Instagram platform itself. The attackers pretend to be the Instagram Help Center and claim that a copyright infringement complaint has been filed against the account owner, so the account is now at risk of being deleted.

Details of this Instagram “Help Center” Phishing Attack


When the victim opens the site linked in the message, they see a page that looks exactly like the real Instagram page, enter their Instagram username and click the Next button.

A real-looking Instagram login page then asks the user for their Instagram email address and password. If the user enters this information and clicks the Continue button, everything they entered is delivered into the attacker’s hands.

If the user was already logged in to Instagram when they clicked Continue, they are redirected to the real Instagram website. Because they are already logged in there, the scenario looks even more genuine; the confused user concludes that everything was normal and that it was not a phishing attack.

“Some victims may be famous enough to be blackmailed with information found on Google against them,” journalist Karasek told Threatpost. He added, “Most of the victims use the same password and email addresses on all social media platforms, so the attacker can access the victim’s accounts on other social media platforms after capturing the Instagram password and email address after a successful phishing attack. It will cause massive data leakage and blackmail for the users.”

After capturing the user’s Instagram credentials, the attackers log into the account, disconnect the mobile phone number linked to it and change the email address linked to the account.

Cybersecurity researchers advise Instagram users to be wary of seemingly legitimate sites that ask for account credentials. Users should also always check that the URL (instagram.com) is correct before entering credentials into a website.

Also, users should “investigate typos in the content of every incoming message” and “never open links or download attachments (files) from suspicious-looking sources.” The researchers warned, “Mouse over the URL in the message to check whether it shows a different address than the expected website, and check the URL.”
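The URL check the researchers recommend is easy to get wrong when done by eye, because the real domain name can be hidden inside a longer hostname, in the userinfo part before an `@`, or in the path. The checker below is an added example (not code from the article or from Beacon); it trusts a link only when the host the browser would actually connect to is `instagram.com` or one of its subdomains, over HTTPS. `TRUSTED_DOMAINS` and the sample links are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: only the apex domain and its subdomains are
# legitimate destinations for entering Instagram credentials.
TRUSTED_DOMAINS = ("instagram.com",)


def link_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only if the link's host is a trusted domain or a subdomain
    of one. Hosts that merely *contain* "instagram.com" are untrusted."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    # Credentials should only ever be entered over HTTPS.
    if parts.scheme.lower() != "https":
        return False
    # .hostname drops userinfo ("instagram.com@evil.example" -> evil.example)
    # and the port, and lowercases the host the browser would connect to.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Non-ASCII (look-alike) hosts become punycode "xn--..." labels here and
    # therefore never equal the plain ASCII trusted domain; malformed labels
    # (e.g. an empty label from "a..b") raise and are rejected.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(urls):
    """Label each candidate link from a message as 'trusted' or 'untrusted'."""
    return {u: ("trusted" if link_is_trusted(u) else "untrusted") for u in urls}


# Constructed sample links of the kind a "copyright complaint" DM might carry.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",    # genuine subdomain
    "https://help.instagram.com/",                  # genuine subdomain
    "http://instagram.com/",                        # right host, no HTTPS
    "https://instagram.com.help-center.example/",   # real name as a prefix
    "https://instagram.com@help-center.example/",   # real name in userinfo
    "https://help-center.example/instagram.com/",   # real name in the path
    "https://instagrarn.com/",                      # "rn" typo look-alike
]

if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:9} {link}")
```

Only the first two sample links are reported as trusted; every other variant is the kind of address a hover-over check is meant to catch.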

How to Stop the Instagram “Help Center” Phishing Attack?

Phishing attacks aim to steal personal information, online passwords, banking details or money, or to deliver ransomware. Often the attacker uses an email, SMS, phone call, or even a fake website that looks like it comes from a reputable company to deceive the user and capture their information.

Regular cybersecurity training for employees reduces the risk of attacks such as phishing and email-borne malware, as well as information leaks, and so protects your organisation. Teaching employees how to recognise suspicious emails and fake web pages raises their awareness of phishing attacks.

Information Security Awareness Training

With Beacon Defence’s security awareness training, you can provide your employees with HTML5 Security Training, Animation Training Videos, Posters, Screensavers, Cyber Security Newsletters, Phishing Security Tips, Ninjio Animation Training Videos and gamified security awareness training, backed by rich training materials. Using these materials, you can increase your employees’ cybersecurity awareness and receive automatic reports.

Phishing Simulation

Beacon’s Phishing Simulation service offers more than 750 phishing campaigns.

You can customise phishing emails and phishing URLs for your organisation; after sending the campaigns to your employees, you can measure their awareness of phishing emails.

Make your users aware of what phishing emails look like and what they should check on a fake email or website.

You can review the results of the phishing campaign in an auto-generated report and watch real-time statistics such as how many people opened the phishing email, how many clicked the link, and who gave up their information.

Protect yourself against the Instagram “Help Center” phishing attack using Beacon’s anti-phishing solutions.