Not a day goes buy when we see one scam or phishing attempt and this one is no different and is something to watch out for just in case as these things tend to get nascent quickly and for those who use Instagram daily which many of us do you need to take note. This time, the crooks are tapping into a concern that many of us have – falling foul of copyright law.
Sophos has provided some useful information on the latest warning which is copyright infringement and it just not true..
As in the previous case of Instagram phishing, the crooks are using a free .CF domain name, “left stuffed” with subdomain text that disguises its bogus origins.
Remember that once you have the right to use a domain such as example.com, you also acquire the right to create subdomains such as www.example.com, anytext.youlike.example.com, or even (as in this case) instagram.copyrightinfringementappeal.example.com.
If there isn’t room in your browser’s address bar for the full domain name – and on a mobile device, there almost certainly won’t be – then the browser will show you the believable left-hand end of the domain and hide the important part at the right-hand end.
Here are five more tips for staying out of trouble:
- Look out for obvious errors. In this attack, the crooks were careless with the email they sent. It contains numerous grammatical and typographic errors, which are a big giveaway. Closer inspection would reveal that the email came from a Turkish hosting company, and that the clickable button in the email itself leads to a bogus
.CFdomain, not where you might expect in the case of an Instagram page. - Check your address bar. If a web address is too long to fit cleanly into the address bar of your browser, take the trouble to scroll rightwards in the address text to find the right-hand end. Closer inspection would quickly reveal the bogus domain name here.
- Consider using a password manager. Good password managers associate usernames and passwords with already-known login pages, so your password manager wouldn’t offer to fill in an unexpected password field on an unknown web domain – it simply wouldn’t know what account to use.
- Never login via email links. If you need to login to a site such as Instagram for some official purpose, find your own way there, for example via a bookmark you created earlier, or by using the official mobile app. That way, you’ll avoid putting your real password into the wrong site.
- Learn how your online services really handle disputes or security issues. Don’t get taken in by warnings you receive by email. Find your own way to the real site and use the service’s own help pages to find out how things really work. That way, you’ll be much harder to con.
And a bonus sixth tip if you’re looking after other users…
- Make sure your users are clued up. Phishing emails like the one shown here are easy to fall for because of their elegant simplicity – by copying distinctive pages from well-known brands, the crooks keep your suspicions low. Sophos Phish Threat lets you train and test your users using realistic but safe phishing simulations.