Many people have been warned about a new trick hackers are using to steal Instagram passwords.
Although social media giants have been taking several steps to safeguard the platform from scams, those responsible for these scams are also finding new ways to target the victims.
Instagram, a popular photo-sharing service owned by Facebook, is one of the platforms where a scam has been making the rounds, and Sophos, a computer security firm, has warned users against it. It says that hackers are this time spreading a scam that falsely tells users that they are violating copyright laws on Instagram.
So if you are an active Instagram user or have a verified profile, you don’t want to see a copyright infringement email or a message coming from Instagram that may permanently or temporarily deactivate your account. This tempts users to click on the link in the mail, which leads to them becoming a part of the scam.
In the screenshot shared by the website, it is seen that the false message of copyright infringement comes with an ‘Instagram’ logo on top followed by a text message saying ‘We’ve detected contents in your account that will violate copyright laws. Your account will be deactivated within 48 hours unless you provide feedback. As Instagram, we respect copyrights and take care to protect copyrights.’
This message is followed by a button that says ‘Appeal’.
To make it look more legit, the message in the browser shows the URL starting with https://instagram.copyrightinfringementappeal… However, as explained by Sophos, if you get the right to use a domain such as example.com, you can also create subdomains such as www.example.com, anytext.youlike.example.com or even instagram.copyrightinfringementappeal.example.com.
And since the URL is so long, it doesn’t show the full link on the address bar of the phone. Because the user just sees nothing more than “https://instagram.copyrightinfringement…” he/she believes it to be a legit message from Instagram.
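The subdomain trick described above can be checked mechanically by reading the hostname from the right, where the parent domain sits, instead of from the left. The following is an added example, not code from Sophos or Instagram; it assumes instagram.com is the only trusted parent domain, and the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: instagram.com is the only trusted parent domain.
TRUSTED_PARENTS = ("instagram.com",)
BRAND = "instagram"


def host_of(url):
    """Lowercased hostname without port or trailing dot ('' if none)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url):
    """Return 'not-https', 'trusted', 'brand-impersonation' or 'unrelated'."""
    if urlsplit(url).scheme != "https":
        return "not-https"
    host = host_of(url)
    # Trust is decided by the END of the hostname (the parent domain).
    if any(host == p or host.endswith("." + p) for p in TRUSTED_PARENTS):
        return "trusted"
    # Brand name used as a label under someone else's domain.
    return "brand-impersonation" if BRAND in host else "unrelated"


def is_trusted(url):
    """True only for https links on a trusted parent domain or its subdomains."""
    return classify(url) == "trusted"


def address_bar_view(url, width=39):
    """Approximate a narrow address bar that shows only the start of the URL."""
    return url if len(url) <= width else url[:width] + "…"


# Constructed sample links (example.com stands in for the scammer's domain).
SAMPLES = [
    "https://www.instagram.com/accounts/login/",
    "https://instagram.copyrightinfringementappeal.example.com/appeal",
    "https://instagram.com.example.com/appeal",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):20} {address_bar_view(link)}")
```

The truncated view of the second sample shows only the brand name, while the part that decides who controls the page (example.com) is cut off.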
Once you click, the next web page asks you to give your username, birth date and password to make sure it’s you. In reality, these boxes hand the information to the hackers as you enter it. Once you enter the information, the site shows a ‘bogus’ page with a loading animation followed by a green tick and the message ‘Your copyright objection notice has been submitted. You will be contacted by email after 24 hours.’ After this, users are redirected to the real Instagram login page.
What happens when Instagram really removes content?
In this case, users get a notification from Instagram featuring the name and the email address of the person who reported the post. If users think the content shouldn’t be removed, they can follow up with them to resolve the issue.
One can tap on the URL and see the entire link to check whether it’s a legit link or not. Users can also check the email sender’s address before clicking the link.