Instagram Phishing Attack – The Nasty List


Instagram Nasty List Is A Phishing Scam in Disguise

Instagram users are the targets of a new social media phishing attack called the Nasty List Attack. In this phishing scam Instagram users receive a direct message from a hacked account. The message informs the user that they are listed on an internet Nasty List. The message also urges them to go to a spoofed website that phishes for login credentials. These Nasty List phishing messages state something like “OMG your actually on here, @TheNastyList_9, your number is 18! it’s really messed up.” The attack was first reported on Reddit.

The two numbers used in the message for username and list position vary.

If the recipient goes to the profile listed in the direct message, in this example @TheNastyList_9, they receive more instructions on how to see this list. The BleepingComputer.com post shows screenshots of the messages and describes the fake profiles: “If a recipient visits the listed profile, it will be named something like ‘The Nasty’, ‘Nasty List’, or ‘YOUR ON HERE!!’. The profiles include a description similar to ‘People are really putting all of us on here, I’m already in 37th position if your reading this you must be on it too.’ or ‘WOW you are really on here, ranked 100! this is horrible, CANT WAIT TO REVEAL THE TOP 10!’ as shown below.”

The bogus profile contains a link in the bio that leads to a spoofed webpage. The link claims the page publicly shows everyone on the imaginary list, including them.

The link given in the profile is an obvious fake. Examples include nastylist-instatop50[.]me. If the message recipient mistakenly clicks on the link in the bogus Instagram profile, it takes them to a fake website that is designed to look like an Instagram webpage. The spoofed webpage phishes for your Instagram username and password. If you enter your username and password, the Nasty List phishing message is sent to all your Instagram contacts. Notice the misspellings in the message. The word “your” should be spelled “you’re” and “cant” should have an apostrophe. Typos are always a good indicator of spam and phishing messages. Apparently, hackers cannot spell very well, and they frequently give themselves away with these mistakes. A close look at the URL used in the message is another clue that this is a cyber attack. The URL appears to be an Instagram address but is not.
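As an added defender-side example (not code from this article or from BleepingComputer), the two clues described above, a link whose host is not really Instagram and a direct message that follows the Nasty List template, expressed as a small Python check. The allow-list of Instagram hostnames and the message pattern are assumptions built from the samples quoted on this page.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts that Instagram itself uses (constructed allow-list for this example).
# Anything else, however "Instagram-like" it looks, is treated as a lookalike.
INSTAGRAM_HOSTS = {"instagram.com", "www.instagram.com"}

# Pattern of the direct message quoted in the article:
# "OMG your actually on here, @TheNastyList_9, your number is 18! ..."
# The account suffix and the list position vary, so both are matched as digits.
NASTY_LIST_DM = re.compile(
    r"@TheNastyList_\d+.*?your number is \d+", re.IGNORECASE | re.DOTALL
)


def refang(url: str) -> str:
    """Turn a defanged indicator such as nastylist-instatop50[.]me back into a URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def is_instagram_link(url: str) -> bool:
    """True only if the parsed hostname is a genuine Instagram host.

    Comparing the whole hostname (not a substring) means "insta" buried in
    "nastylist-instatop50.me", or "instagram.com" used as a subdomain of some
    other registrable domain, is not mistaken for the real site.
    """
    cleaned = refang(url)
    if "://" not in cleaned:
        cleaned = "https://" + cleaned
    host = (urlparse(cleaned).hostname or "").lower()
    return host in INSTAGRAM_HOSTS


def looks_like_nasty_list_dm(text: str) -> bool:
    """Flag a direct message that follows the Nasty List template."""
    return NASTY_LIST_DM.search(text) is not None


def assess(message: str, links: List[str]) -> Dict[str, object]:
    """Combine the two indicators into a single verdict for triage."""
    lookalikes = [u for u in links if not is_instagram_link(u)]
    templated = looks_like_nasty_list_dm(message)
    return {
        "nasty_list_pattern": templated,
        "lookalike_links": lookalikes,
        "suspicious": templated or bool(lookalikes),
    }
```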

Phishing messages are any email, text message, or website that attempts to gather personal information from the reader. A phishing message may direct you to a spoofed (copycat) webpage that prompts the reader to enter login credentials or more, such as credit card or banking information. In any case, the phishing message is trying to steal from the victim.


What to Do If You Are Affected by the Instagram Nasty List Phishing Scam

If you were fooled by the Nasty List phishing scam, there are a few steps you should take immediately to protect yourself online:

  • Change your Instagram password
  • Turn on two-factor authentication (2FA)
  • Use an authenticator app for this and all social media accounts
  • Stop using public WiFi to log into social media

To Turn on Instagram Two-factor Authentication (2FA)

  • Open the Instagram app and log into your Profile
  • Tap your photo icon on the bottom right of the app
  • Tap the hamburger menu at the top right of the app screen to open a menu
  • Select Settings gear at the bottom of the menu
  • Scroll down to the Privacy and Security section and open it up
  • Tap the Two-factor authentication option
  • Tap Get Started

Choose the 2FA method you’d like to use – Text message, a mobile authentication app, or both. SMS text messaging is the easiest way to set up two-factor authentication. Follow the rest of the instructions. You will have to create a few account recovery codes in case you lose the device you are using for 2FA. Once 2FA is set up you will receive a confirmation email to the email address associated with your account. This is the email address that Instagram will use in case two-factor authentication is disabled in the future.

While you are in the Privacy and Security section of your account, select Change Password and choose a new one to secure your account. It’s good practice not to use the same password for your Instagram and the email address attached to it.

Make sure the correct phone number is listed on your Instagram account.