A credential phishing campaign impersonating Instagram reportedly targeted thousands of students at national educational institutions.
The email appeared to come from Instagram support: the sender name was "Instagram" and the sender address appeared to match Instagram's genuine details.
This targeted email attack was socially engineered, containing recipient-specific information such as the person's Instagram user handle in order to build trust that the message was a legitimate communication from Instagram.
Once users clicked a link in the email, a fake landing page opened that carried Instagram branding and details of a supposedly detected unusual login attempt, alongside a 'This Wasn't Me' button. Clicking the button sent victims to a second fake landing page designed to steal their account credentials.
The attack used language as its main attack vector and bypassed native Microsoft email security controls; it passed both SPF and DMARC email authentication checks.
Email from instagramsupport.net should be viewed as suspicious, as Instagram's domain is instagram.com.
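The two statements above are connected: SPF and DMARC only confirm that a message genuinely came from the domain in its From header, so a lookalike domain such as instagramsupport.net can pass both checks while still impersonating Instagram. The check below is an added example (not Armorblox's or Instagram's code) of a brand-versus-domain triage rule; the brand table and the sample headers are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed table of brands and the domains they legitimately send from.
BRAND_DOMAINS = {
    "instagram": {"instagram.com"},
}

def sender_domain(from_header: str) -> Tuple[str, str]:
    """Return (display_name, domain), both lower-cased, from a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain

def brand_mismatch(from_header: str) -> Optional[str]:
    """Flag a From: header whose display name or domain invokes a known brand
    while the address domain is not one the brand actually sends from.
    Returns a reason string, or None when nothing looks off."""
    name, domain = sender_domain(from_header)
    for brand, legit in BRAND_DOMAINS.items():
        if domain in legit:
            continue  # genuine brand domain, nothing to flag for this brand
        if brand in name or brand in domain:
            return (f"{brand!r} appears in From but domain {domain!r} "
                    f"is not one of {sorted(legit)}")
    return None

def triage(raw_message: str) -> dict:
    """Combine authentication results with the brand check. spf=pass and
    dmarc=pass mean the mail came from the sending domain it claims, not
    that the sending domain belongs to the brand named in the message."""
    msg = message_from_string(raw_message)
    auth = (msg.get("Authentication-Results") or "").lower()
    return {
        "spf_pass": "spf=pass" in auth,
        "dmarc_pass": "dmarc=pass" in auth,
        "brand_mismatch": brand_mismatch(msg.get("From", "")),
    }

# Constructed sample headers modelled on the campaign described above.
SAMPLE = (
    "From: Instagram <support@instagramsupport.net>\n"
    "Authentication-Results: mx.example.com; spf=pass "
    "smtp.mailfrom=instagramsupport.net; dmarc=pass "
    "header.from=instagramsupport.net\n"
    "Subject: Unusual login attempt detected\n\n"
    "We detected an unusual login attempt on your account.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))  # both checks pass, yet brand_mismatch is set
```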
The advisory comes from security firm Armorblox.