Researchers discovered a phishing campaign that posed as Instagram technical support to harvest login credentials from employees of a prominent New York-based life insurance firm. According to a report released on Wednesday by Armorblox, the attack combined brand impersonation with social engineering and slipped past Google’s email protection by sending from a legitimate domain, ultimately reaching hundreds of employees’ mailboxes.
It all started with a simple email. It was disguised as an alert from Instagram’s technical support team, informing the receiver that their account was about to be deactivated. According to the report, the objective was to “create a sense of urgency while instilling trust in the sender.”
“You have been reported for sharing fake content in your membership,” the email’s body read. “You must verify your membership. If you can’t verify within 24 hours your membership will be permanently deleted from our servers.” The message manufactured urgency to push the unwary into clicking a fraudulent “account verify” link. Targets who did so were sent to a landing page asking them to sign in to their Instagram accounts; any credentials entered there went straight to the attacker, without the target’s knowledge.
The researchers stated that none of these steps “look to be malicious to the common end user, and every touch point, from the email to the account verification form, include Meta and Instagram branding and logos.”
The attackers left plenty of clues along the way. The body of the phishing email contained errors in grammar, spelling, and capitalization. In the sender field, the “I” in “Instagram Support” was actually an “L”, a look-alike character that is easy to miss in many fonts. The email domain (firstname.lastname@example.org) was also plainly not Instagram’s. Even so, the domain was a legitimate, properly registered one, so it passed typical spam filters. The researchers added: “the sender crafted a long email address, meaning that many mobile users would only see the characters before the ‘@’ sign, which in this case is ‘membershipform’ – one that would not raise suspicion.”
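The sender-field tricks described above (a look-alike character in the display name, a brand name that does not match the sending domain, and an address long enough that a mobile client shows only the part before the “@”) can be checked mechanically at the mail gateway. The Python below is an added example, not Armorblox’s tooling or anything from the original report; the brand-domain allowlist, the homoglyph table, the length threshold and the sample headers are all constructed assumptions for illustration. It deliberately says nothing about SPF or DKIM, because the report’s point is that the sending domain was legitimate and would pass authentication checks.

```python
from email.utils import parseaddr

# Domains a brand legitimately sends from. Illustrative assumption for this
# example; a real deployment would load a maintained allowlist.
BRAND_DOMAINS = {
    "instagram": ("instagram.com", "mail.instagram.com"),
    "docusign": ("docusign.com", "docusign.net"),
}

# Fold characters that are easy to confuse on screen (lowercase "l" for "I",
# digit "1", pipe, "0" for "o", "5" for "s", "3" for "e") so that a display
# name such as "lnstagram" compares equal to "instagram". Assumed table.
_FOLD = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})

# Addresses longer than this are likely to be truncated by a mobile mail
# client, leaving only the local part visible. Threshold is an assumption.
MAX_ADDR_LEN = 40


def _owned_by(domain, brand_domains):
    """True if `domain` is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def check_sender(from_header):
    """Return a sorted list of heuristic findings for a From: header value.

    Possible findings:
      homoglyph_brand_name  - display name spells a brand with look-alike chars
      brand_domain_mismatch - display name references a brand, but the
                              address domain is not one the brand owns
      long_address          - address long enough to be truncated on mobile
    """
    display, addr = parseaddr(from_header)
    _local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    raw = display.lower()
    folded = raw.translate(_FOLD)
    findings = set()
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in folded:
            continue
        if brand not in raw:
            findings.add("homoglyph_brand_name")
        if not _owned_by(domain, domains):
            findings.add("brand_domain_mismatch")
    if len(addr) > MAX_ADDR_LEN:
        findings.add("long_address")
    return sorted(findings)


# Constructed sample headers, not the addresses from the campaign.
SUSPICIOUS = '"lnstagram Support" <membershipform@support-verification-notices.example.net>'
LEGITIMATE = "Instagram <no-reply@mail.instagram.com>"
UNRELATED = "Alice <alice@example.org>"

if __name__ == "__main__":
    for header in (SUSPICIOUS, LEGITIMATE, UNRELATED):
        print(header, "->", check_sender(header) or "clean")
```

Run as a script it prints one line per sample header; `check_sender` is the function to wire into a gateway rule, and any non-empty result is a reason to hold the message for review rather than an automatic verdict, since a brand name can appear in a display name for innocent reasons.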
Just a few weeks ago, cybercriminals impersonated the DocuSign e-signature service to harvest Microsoft account credentials from a U.S. payment solutions firm. Hundreds of workers were exposed in that case too, thanks to accurate brand imitation, devious social engineering, and a legitimate email domain that circumvented typical security safeguards. These two campaigns may have been recognized and halted, but what about the next one? Or the one after that? Or the campaigns that go unnoticed because a security team never detects them?
According to Armorblox’s analysis, employees may focus on four primary areas to defend themselves from phishing:
- Avoid opening emails you do not expect to receive.
- Stop socially engineered attacks by enhancing native email security.
- Be on the lookout for targeted cyberattacks.
- Follow standard practices for multi-factor authentication and password management.