Cybercriminals have learned how to use copyright infringement notices as bait in phishing scams. This time, Sophos observed threat actors targeting Instagram users.
Have you ever posted a photo on Instagram that wasn’t yours, maybe to pick up a few more followers? If so, a message like the one below might scare you into acting before you think.
“We recently received a complaint about a post on your Instagram. Your post has been reported as infringing copyright. Your account will be removed if no objection is made to the copyrighted work. If you think this determination is incorrect, please fill out the objection form from the link below,” a malicious Instagram message reads.
To make things “easier” for you, the scammers supply an “appeal” link leading to the fb.notify.com website, which they control. The page shows your account statistics, which are, by the way, correct (though anyone can read follower and post counts off a public profile, so this is no sign of inside access), alongside an image lifted from your Instagram account.
“Amusingly, and ironically, that means the email itself infringes copyright,” cybersecurity company Sophos noted in a blog post.
Next you are asked to log in to your account. The site then claims you mistyped your password and tells you to try again, presumably so the crooks can compare the two submissions and discard attempts where a user clearly just typed random letters on the keyboard to see what would happen next.
After you have typed your password a second time, you get a notification that your appeal was submitted successfully. Finally, the criminals quietly redirect you to the real Instagram copyright page, presumably to leave you on a genuine website and lend the whole exchange an air of legitimacy.
“Social media credentials are worth more than you might think. First, the crooks get control of an account without having to set a new one up (which takes a lot longer than it used to, especially compared to sending out zillions of similar emails and waiting to see what happens). Second, it gives them direct and believable access to promote dodgy investments and so on to your friends and family,” Paul Ducklin, Senior Technologist at Sophos, explained in a written commentary.
The scam isn’t new, and many celebrities have fallen for it. But cybercriminals keep exploiting infringement notices, which suggests it still works.
Here are some things for you to take into consideration:
1. Don’t click on “helpful” links in emails. Learn in advance how Instagram handles copyright complaints, so you know the genuine procedure before you ever need to follow it.
2. Think before you click. The website name in this scam is somewhat believable, but it is clearly not instagram.com or facebook.com, which is where a genuine complaint would send you.
3. Use a password manager and 2FA whenever you can. Password managers help stop you putting the correct password into the wrong site, because they won’t offer a saved password for a domain they’ve never seen before. And 2FA (the one-time codes you use together with a password) makes things harder for the crooks, because your password alone is no longer enough to get into your account (a phishing page can ask for the one-time code too, so the domain check still matters).
4. Talk to a friend you know face-to-face who has handled a real complaint before. If you are active on social media or in the blogosphere, it is worth preparing in case you ever receive a genuine copyright infringement notice.
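The domain check in tip 2 is easy to get wrong by eye, because a link like fb.notify.com or instagram.com.something.net reads as “Facebook” or “Instagram” at a glance. Below is an added example, not code from Sophos or from the original article, of how a practitioner would check a link from such a message: extract the hostname (ignoring any user:pass@ prefix, port or trailing dot), refuse non-ASCII lookalike hostnames, and accept the link only if its registrable domain is on an allowlist. The allowlist, the short public-suffix table and the sample links are constructed for this example; real code should use the full Public Suffix List.

```python
"""Check whether an 'appeal' link in a copyright-complaint message really points
at Instagram/Facebook or at a lookalike domain.

Added example, not Sophos or Instagram code. TRUSTED_DOMAINS,
MULTI_LABEL_SUFFIXES and SAMPLE_LINKS are constructed for illustration.
"""
from urllib.parse import urlsplit

# Registrable domains a genuine notice would send you to (assumption for this example).
TRUSTED_DOMAINS = {"instagram.com", "facebook.com"}

# Public suffixes made of two labels, where the registrable domain has three
# (e.g. example.co.uk). Deliberately tiny; use the Public Suffix List in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname.

    'www.instagram.com' -> 'instagram.com', 'fb.notify.com' -> 'notify.com'.
    """
    labels = host.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a link found in a message.

    Trusted only when the registrable domain is allowlisted, so subdomain
    tricks ('instagram.com.evil.net'), userinfo tricks ('instagram.com@evil.net')
    and homoglyph hostnames are all rejected.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # lower-cased; excludes userinfo and port
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) link"
    if parts.username is not None:
        # Anything before '@' is credentials, not the site; crooks use it to
        # put a trusted name in front of the real host.
        return False, f"text before '@' hides the real host {host}"
    if not host.isascii():
        return False, f"non-ASCII hostname {host!r} (possible lookalike characters)"
    apex = registrable_domain(host)
    if apex in TRUSTED_DOMAINS:
        return True, f"registrable domain {apex} is on the allowlist"
    return False, f"registrable domain is {apex}, not instagram.com or facebook.com"


def triage(links: list[str]) -> dict[str, tuple[bool, str]]:
    """Run check_link over every link pulled out of a message."""
    return {link: check_link(link) for link in links}


# Constructed sample links, the kind pasted into a 'copyright complaint' message.
SAMPLE_LINKS = [
    "https://fb.notify.com/appeal",                     # the domain from the article
    "https://www.instagram.com/accounts/login/",        # genuine
    "https://instagram.com.appeal-form.net/objection",  # trusted name as a subdomain
    "https://instagram.com@fb.notify.com/appeal",       # trusted name as userinfo
    "https://help.instagram.com/",                      # genuine help subdomain
]

if __name__ == "__main__":
    for link, (ok, why) in triage(SAMPLE_LINKS).items():
        print("TRUSTED " if ok else "SUSPECT ", link, "->", why)
```

The important choice is comparing the registrable domain rather than looking for the string “instagram” anywhere in the URL: the former rejects fb.notify.com and instagram.com.appeal-form.net outright, while the latter would wave both through.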