
Strange Instagram link... Feels like Phishing


edy:
I've been trying to figure out what's going on with this message and link I received from Instagram. It looks like this:

This took me 3 hours to make. I hope you like it, Look https://toyou174.xyz/g/?&ure=MYUSERNAME

(Where MYUSERNAME is my Instagram account name; I redacted it for this post)

That redirects me to...

https://instagram.com-verify-1489788456268679154344343179665471433.us/?ure=MYUSERNAME

(Again, I've replaced my username with MYUSERNAME)

I cannot figure it out, but I suspect this is a phishing attack. However, when I break up the URL and try to go there directly, it brings me to what looks like Instagram's official page. I wonder if that site (with the .us domain) redirects you to the normal Instagram page if the URL is not formatted exactly as formed. For example, browsing only to the URL below takes me to Instagram:

http://com-verify-1489788456268679154344343179665471433.us

Does anyone have any idea if this is some official Instagram way of doing things or the next level of phishing scam? Because it smells an awful lot like it.

edy:
I did a who.is lookup on the root domain and found this:

https://who.is/whois/com-verify-1489788456268679154344343179665471433.us


--- Quote ---
Registrant Contact Information:
Name: Michael Brown
Organization: N/A
Address: Nikolskaya St 87
City: Moscow
State / Province: Moscow
Postal Code: 109012
Country: RU
Phone: +7.9636301018
Email:

Administrative Contact Information:
Name: Michael Brown
Organization: N/A
Address: Nikolskaya St 87
City: Moscow
State / Province: Moscow
Postal Code: 109012
Country: RU
Phone: +7.9636301018
Email:

Technical Contact Information:
Name: Michael Brown
Organization: N/A
Address: Nikolskaya St 87
City: Moscow
State / Province: Moscow
Postal Code: 109012
Country: RU
Phone: +7.9636301018
Email:

Information Updated: 2021-07-21 14:28:01

--- End quote ---



(I'm surprised the information is not private, but I suspect it's fake or misleading)

... And this .....

https://who.is/whois/toyou174.xyz



--- Quote ---
Registrant Contact Information:
Name: Withheld for Privacy Purposes
Organization: Privacy service provided by Withheld for Privacy ehf
Address: Kalkofnsvegur 2
City: Reykjavik
State / Province: Capital Region
Postal Code: 101
Country: IS
Phone: +354.4212434
Email:

Administrative Contact Information:
Name: Withheld for Privacy Purposes
Organization: Privacy service provided by Withheld for Privacy ehf
Address: Kalkofnsvegur 2
City: Reykjavik
State / Province: Capital Region
Postal Code: 101
Country: IS
Phone: +354.4212434
Email:

Technical Contact Information:
Name: Withheld for Privacy Purposes
Organization: Privacy service provided by Withheld for Privacy ehf
Address: Kalkofnsvegur 2
City: Reykjavik
State / Province: Capital Region
Postal Code: 101
Country: IS
Phone: +354.4212434
Email:

Information Updated: 2021-07-21 16:10:02

--- End quote ---


It looks like they are popping up these domains faster than anyone can keep up and then trying to phish unsuspecting folks. I'm not sure how they can leverage it for money or if it's used as leverage for more specific monetizable attacks.

UART.io:
Definitely phishing. That domain structure is pretty common and used to confuse people - It looks like instagram.com with the rest of the URL behind it, but the real domain is "com-verify-1489788456268679154344343179665471433.us" as you figured out. But, to most people, they just see the "instagram.com" portion and tune out on the gibberish afterwards.

Like you said, they stand these domains up quickly and send out phishing e-mails. The goal is typically credential capture - people "log in" and the attackers record the username/password, and then the victim is redirected to the official Instagram domain.
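
The check described in the post above, written out as an added example that is not part of the original thread: it finds the registrable domain of a URL and flags hosts that merely contain a brand's domain as leading text. The small `PUBLIC_SUFFIXES` set, the `BRANDS` set and both function names are assumptions made for illustration; real tooling should load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, just enough for
# the URLs quoted in this thread.
PUBLIC_SUFFIXES = {"com", "us", "xyz", "co.uk"}

# Assumption: registrable domains of brands we expect to be impersonated.
BRANDS = {"instagram.com"}


def registrable_domain(host):
    """Return public suffix plus one label, e.g. 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that a
    # multi-label suffix such as 'co.uk' is matched before 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a public suffix
            return ".".join(labels[i - 1:])
    return None  # suffix not in our list


def check_url(url):
    """Classify a URL as 'genuine', 'lookalike' or 'unrelated' with respect to BRANDS."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg in BRANDS:
        return ("genuine", reg)
    # The brand's domain shows up in the host text, but the domain that was
    # actually registered is something else: the pattern from this thread.
    if any(brand in host for brand in BRANDS):
        return ("lookalike", reg)
    return ("unrelated", reg)


if __name__ == "__main__":
    samples = [
        "https://instagram.com-verify-1489788456268679154344343179665471433.us/?ure=MYUSERNAME",
        "https://toyou174.xyz/g/?&ure=MYUSERNAME",
        "https://www.instagram.com/accounts/login/",
    ]
    for s in samples:
        print(check_url(s), s)
```
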

Bud:
It is a phony contact address. There is no building number 87 on Nikolskaya St in Moscow according to Google Maps.

Edit: and a quick search on "Kalkofnsvegur 2 City Reykjavik" produces a bunch of results about scammers registered at that general office rental building.

NiHaoMike:
Time for a white hat to write a script that feeds that site junk data.
