Sunday, August 27, 2017

Instagram hosting & victim of a phishing attack

Read this article in Spanish / Lea en Español aqui.

Yesterday I was browsing my friend's stories in Instagram and I saw an interesting ad from Adidas. I decided to follow the link.

The in-app Instagram web browser took me to a fabulous Adidas webpage showing an amazing 80% off in lots of products. I found several products I'd like to buy, because it was an amazing deal!

Decided to start shopping, I went to my computer and entered the Adidas website (searching it in Google). For my surprise there was no promotion at all. Back on my phone I opened the url in Chrome instead on Instagram. Chrome showed a red warning sign saying I was entering a dubious website and that I was likely going to be victim of scam.

I was thrilled to see this. Leaving egos aside, and as a software engineer, I found myself several times realizing of cheap scams/phishing attacks. But this one took me by surprise.

There were some hints that arose distrust on myself, but I didn't paid attention. My goal in this blog post is share this hints in the hope that others will learn about this sophisticated scams. Why sophisticated? Well, the criminals behind this phishing attack were hosting an actual ad campaign in Instagram. What's worst, Instagram didn't paid attention about the fake Adidas ad and posted it without verifying that the brand was used to redirect users to a fraudulent website.

Hint no 1: Check the web domain
Usually big brands own their own name in the web. So, Adidas is expected to have an official store like Now, check below the domain of the screenshot I took from my phone (the domain is the 'words' that start with 'www.' and end with '.com'). See that the domain contains a "-yeezyboost" at the end.

If you ever notice the website of a big brand using a dubious web domain, then that's a bad sign.

Hint no 2: Pay attention to the detail
Usually attackers don't invest much time on preparing a full working fake website, or sometimes make mistakes on the finishing of the website. In the following screenshots you will see that the floating text scapes the top bar, that is not well located and it just feels bad looking.

Also check for grammar or spelling mistakes, such as in the following example. This is something a professional brand like Adidas will never do -- show a bad image by publishing content unprofessionally.
'We' should have been capitalized both times

Hint no 3: be a bit skeptical
If it is too good to be true, maybe it is not true at all!

Extra protection
Well, anyone can overlook this hints and still try to interact with the malicious website, and the bad guys may be able to get something from us (credit card info, personal info, infect our computers). But fortunately there are other ways to protect ourselves, even for the careless and negligent users.

Use a safe web browser! Chrome and Firefox immediately warned me about the phishing attack. But Safari didn't. Safari allowed me to browse the website, create an account, even populate the shopping cart and go all the way.

Firefox alerting about the malicious website.

Note: to give some credit back, by the end of day (~6 hours later) I checked again and Safari is showing a warning stating the website is malicious.

Additionally, and for my surprise, I shared with myself the dubious URL via email, sending an email to myself (within my Gmail account). This is what happened:

Stay safe, and when in doubt check with someone else! A person? Yes, well you can also ask Google in this convenient tool: