Instagram Being Hacked via Password Reset Option

This is a public service announcement for all users: an active scam is targeting Instagram users right now.

This is a nasty, but effective, social phishing campaign that takes advantage of a relationship you have online.

It starts with a simple request. Who doesn't want to help a friend grow their online presence?

[Image: CleanBrowsing-Instagramhack-i]

They follow it up with very brief instructions:

[Image: CleanBrowsing-InstagramHack-ii]

What I got was an SMS text message with a link. This caught me off guard. Why was this going to my text message? Although we were friends on Instagram, we have been disconnected long enough that there was no way they had my number.

And why did they need a screenshot of the text message?

Understanding the Instagram Hack Campaign

Naturally we had to understand what was happening. At first we were concerned that the link we received via text would somehow track and verify we had indeed received the text. So we turned to our friend curl:

$ curl --location -D - https://ig.me/[redacted]
HTTP/2 301 
location: instagram://smslogin/?uid=[redacted]&token=[redacted]&utm_medium=sms&utm_campaign=smslogin&utm_source=instagram&ndid=[redacted]
document-policy: force-load-at-top
cross-origin-resource-policy: rollout
pragma: no-cache
cache-control: private, no-cache, no-store, must-revalidate
expires: Sat, 01 Jan 2000 00:00:00 GMT
x-content-type-options: nosniff
x-xss-protection: 0
x-frame-options: DENY
strict-transport-security: max-age=31536000; preload; includeSubDomains
content-type: text/html; charset="utf-8"
x-fb-debug: [redacted]
content-length: 0
date: Thu, 28 Jul 2022 19:11:06 GMT
priority: u=3,i
x-fb-trip-id: 1679558926

curl: (1) Unsupported protocol

That's weird, what is this instagram://smslogin protocol? Not much online about it, but it got us thinking.

How did they get our phone number? What was this link doing? Then the scammer helped us out.

[Image: CleanBrowsing-InstagramHack-iii]

So it's coming from Instagram. But how? The only thing we could think of was that it has something to do with authentication. Maybe a password reset? Let's try it!

[Image: CleanBrowsing-InstagramHack-iv]

WINNER WINNER CHICKEN DINNER!!!

This is why they need a screenshot: they type the URL exactly as shown, and when they do, this is what they get:

[Image: CleanBrowsing-InstagramHack-V]

Yup, that's it. Within minutes the bad actor is able to hijack your account using the Instagram password reset option, all under the guise of helping a friend grow their social influencer program.
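
As an added example (not code from the original post), the Python below triages headers saved from a `curl -D -` run like the one above and reports when a short link redirects into an app login deep link that carries a token. The sample response is constructed with placeholder values, and the function names and the `SECRET_PARAMS` list are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like the response shown above; placeholder values only.
SAMPLE_RESPONSE = """\
HTTP/2 301
location: instagram://smslogin/?uid=UID_PLACEHOLDER&token=TOKEN_PLACEHOLDER&utm_medium=sms&utm_campaign=smslogin&utm_source=instagram&ndid=NDID_PLACEHOLDER
cache-control: private, no-cache, no-store, must-revalidate
content-length: 0
"""

# Assumption: query parameter names that commonly carry a login secret.
SECRET_PARAMS = {"token", "code", "otp", "key", "sig"}


def parse_headers(raw):
    """Return (status, {lower-case header name: value}) from `curl -D -` output."""
    lines = [ln.strip() for ln in raw.strip().splitlines()] or [""]
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for ln in lines[1:]:
        if not ln:
            break  # a blank line ends the header block
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def triage_redirect(raw):
    """Describe where a redirect points and whether it hands over a credential."""
    status, headers = parse_headers(raw)
    target = urlsplit(headers.get("location", ""))
    params = parse_qs(target.query, keep_blank_values=True)
    secrets = sorted(SECRET_PARAMS & {k.lower() for k in params})
    findings = []
    if 300 <= status < 400 and target.scheme not in ("", "http", "https"):
        findings.append("redirects into an app deep link (%s://)" % target.scheme)
    if secrets:
        findings.append("carries credential-like parameter(s): " + ", ".join(secrets))
    if "login" in (target.netloc + target.path).lower():
        findings.append("target names a login action")
    return {"scheme": target.scheme, "action": target.netloc, "secrets": secrets,
            "findings": findings,
            "treat_as_credential": bool(secrets) and len(findings) >= 2}


if __name__ == "__main__":
    print("\n".join(triage_redirect(SAMPLE_RESPONSE)["findings"]))
```

A result with `treat_as_credential` set means the link, and any screenshot of it, should be handled like a password.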

How to Prevent the Instagram Hack

If you talk to Instagram, they will say that enabling Two Factor Authentication is the way to prevent this hack, but we're here to say that it only partially helps.

We tested this and it didn't prevent the bad actor from changing the password, but it did prevent them from logging in after the change. We definitely recommend using 2FA, but know that it can still create problems.

The biggest thing you can do is be suspicious of any links. If you get an inquiry on one platform but a notice via another, that should be a red flag, especially if it's from a friend that you know online but aren't close enough to be on other platforms with.

This isn't something a filter will help you with, unless you're blocking social platforms, but we felt it was pertinent enough to share with individuals across all industries, as it can affect parents, kids, and other public and private organizations.