Cyberattackers have targeted students at national educational institutions in the US with a sophisticated phishing campaign that impersonated Instagram. The unusual aspect of the gambit is that they used a valid domain in an effort to steal credentials, bypassing both Microsoft 365 and Exchange email protections in the process.
The socially engineered attack, which has targeted nearly 22,000 mailboxes, used the personalized handles of Instagram users in messages informing would-be victims that there was an "unusual login" on their account, according to a blog post published on Nov. 17 by Armorblox Research Team.
The login lure is nothing new for phishers. But attackers also sent the messages from a valid email domain, making it much harder for both users and email-scanning technology to flag messages as fraudulent, the researchers said.
"Traditional security training advises looking at email domains before responding for any clear signs of fraud," they explained in the post. "However, in this case, a quick scan of the domain address would not have alerted the end user of fraudulent activity because of the domain's validity."
As phishing has been around so long, attackers know that most people who use email are on to them and thus familiar with how to spot fraudulent messages. This has forced threat actors to get more creative in their tactics to try to fool users into thinking phishing emails are legitimate.
Moreover, those of university age who use Instagram would likely be among the savviest of internet users, having grown up using the technology — which may be why attackers in this campaign in particular were so careful to appear authentic.
Whatever the reason, the campaign's combination of spoofing, brand impersonation, and a legitimate domain allowed attackers to send messages that successfully passed through not only Office 365 and Exchange protections, but also DKIM, DMARC, and SPF alignment email authentication checks, the researchers said.
"Upon further analysis from the Armorblox Research Team, the sender domain received a reputable score of "trustworthy" and no infections in the past 12 months of the domain's 41 months of existence," they wrote in the post.
"Unusual Login" Lure
Researchers at Armorblox said the attacks started with an email with the subject line "We Noticed an Unusual Login, [user handle]," using a common tactic to instill a sense a urgency in the recipient to get them to read the email and take action.
The body of the email impersonated the Instagram brand, and appeared to be come from the social media platform's support team, with the sender's name, Instagram profile, and email address — which was the perfectly palatable "[email protected]" — all appearing legitimate, they said.
The message let the user know that an unrecognized device from a specific location and machine with a specific operating system — in the case of an example shared by Amorblox, Budapest and Windows, respectively — had logged in to their account.
"This targeted email attack was socially engineered, containing information specific to the recipient — like his or her Instagram user handle — in order to instill a level of trust that this email was a legitimate email communication from Instagram," the researchers wrote.
Attackers aimed for recipients to click on a link asking them to "secure" their login details included at the bottom of the email, which lead to a fake landing page that threat actors created to exfiltrate user credentials. If someone got that far, the landing page to which the link redirects, like the email, also mimicked a legitimate Instagram page, the researchers said.
"The information within this fake landing page provides the victims a level of detail to both corroborate the details within the email and also increase the sense of urgency to take action and click the call-to-action button, 'This Wasn’t Me,'" the researchers said.
If users take the bait and click to "verify" their accounts, they're directed to a second fake landing page that also impersonates Instagram credibly and are prompted to change account credentials on the premise that someone may already have stolen them.
Ironically, of course, it's the actual page itself that will be doing the stealing if the user logs in with new credentials, the researchers said.
Avoiding Compromise and Credential Theft
As threat actors get more sophisticated in how they craft phishing emails, so, too, must enterprises and their users in terms of detecting them.
Since the Instagram phishing campaign managed to bypass native email protections, researchers suggested that organizations should augment built-in email security with layers that take a materially different approach to threat detection. To help them find a solution, they can use trusted research from firms such as Gartner and others on which options are the best for their particular business.
Employees also should be advised or even trained to watch out for social engineering cues that are becoming more common in phishing campaigns rather than quickly execute the requested actions received in email messages, which our brains have been trained to do, the researchers said.
"Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email," they wrote.
Additionally, the researchers said, employing multifactor authentication and password-management best practices across both personal and business accounts can help avoid account compromise if an attacker does get ahold of a user's credentials through phishing.