Cybercriminals are always looking for new ways to infiltrate your devices. Recently, they’ve been using the attack vector of Copyright Infringement as bait in Phishing Emails. Pretending to be from Instagram, they try and scare users into believing they have a copyright complaint against them and give the users an easy way to appeal the complaint.
The Phishing Scam
The hackers use a rather different approach in this attack by convincing you that another user’s complaint is potentially inaccurate and giving you an easy ‘out’ of the situation by appealing the copyright complaint. NakedSecurity posted screenshots of the attack, shown below:
The ‘Appeal’ button in this instance uses a shortened link (bit.ly), but whether you check the destination of the link in advance or click through anyway, the resulting website doesn’t look as ‘phishy’ as you might expect. To check a bit.ly link before visiting it, paste the link into your browser’s address bar and add a plus sign (+) at the end, which tells bit.ly to show you the original link without redirecting you to it.
In this scam, the hackers registered a domain name ‘fb-notify.com’, and the link you’re given takes you to a personalized scam page that explicitly references your Instagram account in question:
If you click ‘Go to Appeal Form’, it brings you to a convincing (but fake) Instagram login page, asking you to enter your credentials to confirm your appeal. Once entered and submitted, the attack sneakily sends you to Facebook/Instagram’s real copyright information page to further convince you that the complaint is legitimate.
The hackers in this attack do a good job of making sure you are comfortable appealing the copyright complaint, with a convincing link and an actual image from your Instagram account. It’s vital that you do your due diligence when receiving messages like these to make sure it’s legitimate.
What Should You Do?
- Don’t click “helpful” links in emails. Learn in advance how to handle Instagram copyright complaints, so you know the procedure before you need to follow it. Do the same for the other social networks and content delivery sites you use. Don’t wait until after a complaint arrives to find out the right way to respond. If you already know the right URL to use, you never need to rely on any link in any email, whether that email is real or fake.
- Think before you click. Although the website name in this scam is somewhat believable, it’s clearly not
instagram.com
orfacebook.com
, which is what you would expect. We hope you wouldn’t click through in the first place (see point 1), but if you do visit the site by mistake, don’t be in a hurry to go further. A few seconds to stop and double-check the site details would be time well spent. - Use a password manager and 2FA whenever you can. Password managers prevent you from putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before (fb-notify.com). Two-Factor Authentication (2FA) makes things harder for the hackers because your password alone is no longer enough to give them access to your account.
Additional Cybersecurity Recommendations
Additionally, these recommendations below will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.
- Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
- Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
- Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
- Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
- In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc) or prohibiting their use entirely.
- If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
- Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.
All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.