Instagram users have been receiving a stream of weird messages from their own followers expressing surprise that their accounts have ended up on something called the “Nasty List”. The message comes with an embedded link and looks a lot like this:
“OMG you’re actually on here, @TheNastyList_xx, your number is 29! It’s really messed up.”
Before we continue, keep in mind that the name of the list and the number you are given can vary. If you take a moment to reflect on it, the message looks dubious at best. The problem is that social media runs on fast clicks, and a fast click is what a lot of people do, unaware of the trouble they are about to face.
So far there were 7 possible methods to hack into an Instagram account, according to research from Taia Global. This puts the newly discovered Nasty List attack eighth on the list.
According to the site Bleeping Computer, if anyone clicks on the “Nasty List” profile link, it will lead to a website containing a second link that claims to let the user see everyone on the list if they click on it.
Taking Notice of The Attack as it happens
If you are web-conscious you have probably figured out what happens next: if you follow the link you will be asked to enter your Instagram login information, and you will lose your account. This occurs because the Instagram login page you land on is not a legitimate one, but no one notices this until it’s too late.
If someone enters their information to log in to the platform again, their account will instantly be contaminated with malware that sends all their contacts the same link with the same message telling them that they are on the Nasty List too, making this social media phishing attack spread like a wave.
Everyone who is affected also hands over full control of their accounts to criminals to do whatever they want with them. One of the early victims noticed this was happening when he discussed the attack on a Reddit thread.
He said that as soon as he clicked on the link, he was exited out of Instagram without realizing it was a hack. A day later, the messages were sent to all his contacts. He changed his password and switched to two-factor authentication to access his account. Did the bot still have access to his account? Apparently it did, so it was too late.
Why Do So Many People Keep Falling for This?
The first thing to do to avoid this scam is to not enter any information on the new landing page. No link should ever log you out of the platform. If you don’t log back in using the link offered, you will be safe.
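As an added example (not part of the original article), the Python sketch below flags messages that follow the lure wording quoted earlier and checks whether a page asking for credentials is really served from Instagram. The set of official hosts, the function names, and the sample messages and URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts accepted as the genuine Instagram login site.
OFFICIAL_HOSTS = {"instagram.com", "www.instagram.com"}

# Lure wording quoted in the article; the list name and number vary.
LURE_RE = re.compile(
    r"you.{0,3}re actually on here,?\s*@(?P<profile>[\w.]+)[,\s]"
    r".{0,40}?your number is\s*(?P<number>\d+)",
    re.IGNORECASE | re.DOTALL,
)


def match_lure(message: str):
    """Return (profile, number) if the text follows the lure pattern, else None."""
    m = LURE_RE.search(message)
    if not m:
        return None
    return m.group("profile").rstrip("."), int(m.group("number"))


def is_official_login_url(url: str) -> bool:
    """True only for https URLs whose host is exactly an official host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL
        return False
    # .hostname is lowercased and drops any "user@" prefix and ":port".
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme == "https" and host in OFFICIAL_HOSTS


def triage(message: str, login_url: str) -> str:
    """Verdict for a received message and the page that asks for a login."""
    lure = match_lure(message) is not None
    if not is_official_login_url(login_url):
        return "phishing" if lure else "untrusted-login-page"
    return "lure-text-only" if lure else "ok"


if __name__ == "__main__":
    # Constructed samples; the URLs use the reserved .example TLD.
    dm = "OMG you’re actually on here, @TheNastyList_xx, your number is 29!"
    for url in ("https://www.instagram.com/accounts/login/",
                "https://instagram.com.login.example/accounts/login/",
                "https://instagram.com@login.example/"):
        print(url, "->", triage(dm, url))
```

The host comparison is an exact match on purpose: lookalike hosts that merely contain "instagram.com" as a prefix or as a `user@` part are rejected.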
If you had previously set up two-factor authentication via SMS or an authenticator app, you should be ok too because it is much more difficult for hackers to bypass this type of security. If you haven’t activated this function, go to your Instagram profile and select the hamburger icon. Then choose Settings, go to Privacy and Security, and enable Two-Factor Authentication by following the instructions given to you.
If you feel there is a risk of your account being compromised, you need to immediately change your password to a new one and turn on two-factor authentication. Double check to make sure that the e-mail address and the phone number associated with your account haven’t been changed.
If for any reason you use the same password for Instagram on other social media accounts, you will have to change those too. Make sure to have different passwords for each account. The Password Manager app can help you with this. It’s available on Google Play or Apple’s App Store.