Author Topic: Strange Instagram link... Feels like Phishing  (Read 1232 times)

edy
Strange Instagram link... Feels like Phishing
« on: July 21, 2021, 12:25:03 pm »
I've been trying to figure out what's going on with this message and link I received from Instagram. It looks like this:

This took me 3 hours to make. I hope you like it, Look https://toyou174.xyz/g/?&ure=MYUSERNAME

(Where MYUSERNAME is my Instagram account name (I redacted it for this post))

That redirects me to...

https://instagram.com-verify-1489788456268679154344343179665471433.us/?ure=MYUSERNAME

(Again, I've replaced my username with MYUSERNAME)

I cannot figure it out but suspect this is a phishing attack. However, when I break up the URL and try to go there directly it brings me to what looks like Instagram official page. I wonder if that site (with the .us domain) redirects you to the normal Instagram page if the URL is not formatted exactly as formed. For example, browsing only to the URL below takes me to Instagram:

http://com-verify-1489788456268679154344343179665471433.us

Does anyone have any idea if this is some official Instagram way of doing things or the next level of phishing scam? Because it smells an awful lot like it.

YouTube: www.devhackmod.com LBRY: https://lbry.tv/@winegaming:b Bandcamp Music Link
"Ye cannae change the laws of physics, captain" - Scotty
 

edy
Re: Strange Instagram link... Feels like Phishing
« Reply #1 on: July 21, 2021, 02:30:03 pm »
I did a who.is lookup on the root domain and found this:

https://who.is/whois/com-verify-1489788456268679154344343179665471433.us

Quote

Registrant Contact Information:
Name: Michael Brown
Organization: N/A
Address: Nikolskaya St 87
City: Moscow
State / Province: Moscow
Postal Code: 109012
Country: RU
Phone: +7.9636301018
Email:

Administrative Contact Information:
Name: Michael Brown
Organization: N/A
Address: Nikolskaya St 87
City: Moscow
State / Province: Moscow
Postal Code: 109012
Country: RU
Phone: +7.9636301018
Email:

Technical Contact Information:
Name: Michael Brown
Organization: N/A
Address: Nikolskaya St 87
City: Moscow
State / Province: Moscow
Postal Code: 109012
Country: RU
Phone: +7.9636301018
Email:

Information Updated: 2021-07-21 14:28:01



(I'm surprised the information is not private, but I suspect it's fake or misleading)

... And this .....

https://who.is/whois/toyou174.xyz


Quote

Registrant Contact Information:
Name: Withheld for Privacy Purposes
Organization: Privacy service provided by Withheld for Privacy ehf
Address: Kalkofnsvegur 2
City: Reykjavik
State / Province: Capital Region
Postal Code: 101
Country: IS
Phone: +354.4212434
Email:

Administrative Contact Information:
Name: Withheld for Privacy Purposes
Organization: Privacy service provided by Withheld for Privacy ehf
Address: Kalkofnsvegur 2
City: Reykjavik
State / Province: Capital Region
Postal Code: 101
Country: IS
Phone: +354.4212434
Email:

Technical Contact Information:
Name: Withheld for Privacy Purposes
Organization: Privacy service provided by Withheld for Privacy ehf
Address: Kalkofnsvegur 2
City: Reykjavik
State / Province: Capital Region
Postal Code: 101
Country: IS
Phone: +354.4212434
Email:

Information Updated: 2021-07-21 16:10:02


It looks like they are popping up these domains faster than anyone can keep up and then trying to phish unsuspecting folks, not sure how they can leverage it for money or if it's used as leverage for more specific monetizable attacks.
« Last Edit: July 21, 2021, 04:16:08 pm by edy »
 

UART.io
Re: Strange Instagram link... Feels like Phishing
« Reply #2 on: July 31, 2021, 05:05:50 am »
Definitely phishing. That domain structure is pretty common and used to confuse people - It looks like instagram.com with the rest of the URL behind it, but the real domain is "com-verify-1489788456268679154344343179665471433.us" as you figured out. But, to most people, they just see the "instagram.com" portion and tune out on the gibberish afterwards.

Like you said, they stand these domains up quickly and send out phishing e-mails. The goal is typically credential capture - people "log in" and the attackers record the username/password, and then the victim is redirected to the official Instagram domain.
 
The following users thanked this post: I wanted a rude username
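
The hostname trick described in the reply above, as an added example that is not part of the original thread: a defender-side check that extracts the registrable domain from a URL and flags hostnames that embed a brand domain in front of a different one. The function names, the `SUFFIXES` set and the `BRANDS` tuple are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: a tiny suffix set constructed for this example. Real tooling
# should load the full Public Suffix List instead.
SUFFIXES = {"com", "us", "xyz", "co.uk"}
# Assumption: the brand domains being protected.
BRANDS = ("instagram.com",)


def hostname(url):
    """Lower-cased hostname of a URL, without any trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url):
    """Public suffix plus the one label to its left, or None if unknown."""
    labels = hostname(url).split(".")
    # Start from the longest candidate so "co.uk" wins over a shorter match.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def imitated_brand(url):
    """Brand whose name is embedded in the hostname of a foreign domain."""
    host, reg = hostname(url), registrable_domain(url)
    for brand in BRANDS:
        if reg == brand:
            continue  # really hosted under the brand's own domain
        # Brand text at a label boundary, followed by "." or "-".
        if re.search(r"(^|\.)" + re.escape(brand) + r"[.-]", host):
            return brand
    return None


# URLs taken from the thread above, plus the real login page for contrast.
SAMPLES = [
    "https://instagram.com-verify-1489788456268679154344343179665471433.us/?ure=MYUSERNAME",
    "https://toyou174.xyz/g/?&ure=MYUSERNAME",
    "https://www.instagram.com/accounts/login/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(registrable_domain(u), imitated_brand(u), sep="\t")
```

The first sample is flagged because its registrable domain is the `.us` name while the hostname starts with `instagram.com-`; the short `.xyz` redirector is not flagged by this check and needs a separate signal such as domain age or reputation.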

