Hello. I'm in luck today: I was the target of a phishing attempt on Instagram. Sweet! This time, I'll do the complete analysis without taking any break, so the website should hopefully not be taken down while I'm studying it.

I received this message in my Instagram inbox:

Basically, my pictures are being used to shame me publicly. I must take a look! This is what happens when I click on the link:

As expected, we're prompted with an Instagram login form; the URL is https://insta.mostannoying.me/. This is of course a phishing attempt.
OK, first things first, I'm going to open this link on my computer. But there's a problem: when I try to access this website from my computer, I'm redirected to instagram.com, the real website. How can that be? Even with Google Chrome on my iPhone, I'm also redirected to instagram.com! The answer is simple: they're filtering access to the phishing page based on the user-agent of the client. This is a pretty clever trick, but it's easy to bypass. After a quick search, here is the user-agent of the Instagram in-app web browser:

Instagram user agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15F79 Instagram 52.0.0.14.164 (iPhone8,2; iOS 11_4; pt_BR; pt-BR; scale=2.61; gamut=normal; 1080x1920)

Using the developer tools of Google Chrome, it's easy to set a custom user-agent.

Bingo! I'm now accessing the phishing form.
The domain seems to be protected by Cloudflare, which prevents us from finding the server's IP address. That's no problem: I'll just trigger a 404 response by requesting a random URL, like insta.mostannoying.me/toto. The 404 page tells us that their server is running nginx on Ubuntu.
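The two checks above (does the site redirect differently depending on the User-Agent, and what does its default 404 page reveal about the origin server?) are easy to script when triaging a reported phishing link. The following is an added example, not code from the original post. It reuses the URL and the Instagram user-agent quoted in the post; the desktop user-agent, the `Probe` record and the captured responses used in the comments are constructed for illustration, and the nginx version in the sample 404 body is made up.

```python
"""Triage helper: detect User-Agent cloaking and fingerprint the origin server.

Added example for this write-up; not the phishing kit's code nor the post's.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# URL quoted in the post.
SUSPECT_URL = "https://insta.mostannoying.me/"

# A generic desktop UA (constructed) and the Instagram in-app UA quoted in the post.
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
INSTAGRAM_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 "
                "(KHTML, like Gecko) Mobile/15F79 Instagram 52.0.0.14.164 (iPhone8,2; iOS 11_4; "
                "pt_BR; pt-BR; scale=2.61; gamut=normal; 1080x1920)")


@dataclass
class Probe:
    """One request made with a given User-Agent and where it ended up."""
    user_agent: str
    final_url: str   # URL after following redirects
    status: int
    body: str


def fetch(url: str, user_agent: str, timeout: int = 10) -> Probe:
    """Follow redirects with the given User-Agent and record the landing page.

    Only used during a live investigation; the offline checks below work on
    already-captured Probe records.
    """
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(user_agent, resp.geturl(), resp.status,
                         resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 404 etc. still carries a useful body
        return Probe(user_agent, err.geturl(), err.code,
                     err.read().decode("utf-8", "replace"))


def is_cloaked(probes: list) -> bool:
    """True when different User-Agents land on different hosts.

    A kit that bounces desktop browsers to the real site but serves the login
    form to the Instagram in-app browser shows up here.
    """
    hosts = {urllib.parse.urlsplit(p.final_url).netloc.lower() for p in probes}
    return len(hosts) > 1


# The stock nginx error page ends with "<hr><center>nginx/x.y.z (Distro)</center>".
_BANNER = re.compile(r"<hr>\s*<center>([^<]+)</center>", re.IGNORECASE)


def server_banner_from_404(body: str):
    """Extract the server banner from a default nginx-style 404 page, or None."""
    match = _BANNER.search(body)
    return match.group(1).strip() if match else None


if __name__ == "__main__":
    # Live run (needs network); compare where each UA ends up.
    probes = [fetch(SUSPECT_URL, DESKTOP_UA), fetch(SUSPECT_URL, INSTAGRAM_UA)]
    for p in probes:
        print(p.status, p.final_url)
    print("cloaked:", is_cloaked(probes))
    not_found = fetch(urllib.parse.urljoin(SUSPECT_URL, "toto"), INSTAGRAM_UA)
    print("banner:", server_banner_from_404(not_found.body))
```

`is_cloaked` compares landing hosts rather than full URLs so that harmless differences (tracking parameters, trailing slashes) do not count as cloaking; a Cloudflare-fronted site still exposes the origin's own 404 page, which is why the banner check works even when the IP address is hidden.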

This is valuable information, because it means they are probably using a VPS or a dedicated server rather than shared web hosting.
Now, let's take a look at the form:

<form action="login.php" method="POST" class="_rwf8p" data-reactid=".0.1.0.1.0.1.2">
    <input type="hidden" id="dim" name="dim" value="{&quot;w&quot;:1680,&quot;h&quot;:1050,&quot;aw&quot;:1680,&quot;ah&quot;:971,&quot;c&quot;:24}">
    <div class="_ccek6 _i31zu _d16kf" data-reactid=".0.1.0.1.0.1.2.0">
        <input class="_kp5f7 _qy55y _k3bmq" aria-describedby="" aria-label="Username" aria-required="true" autocapitalize="off" autocorrect="off" maxlength="30" name="username" placeholder="Username" value="" data-reactid=".0.1.0.1.0.1.2.0.0" type="text">
    </div>
    <div class="_ccek6 _i31zu _d16kf" data-reactid=".0.1.0.1.0.1.2.1">
        <input class="_kp5f7 _qy55y _k3bmq" aria-describedby="" aria-label="Password" aria-required="true" autocapitalize="off" autocorrect="off" name="password" placeholder="Password" value="" data-reactid=".0.1.0.1.0.1.2.1.0" type="password">
        <div class="_j4ox0" data-reactid=".0.1.0.1.0.1.2.1.1">
            <a class="_19gtn" href="http://www.instagram.com/accounts/password/reset/" data-reactid=".0.1.0.1.0.1.2.1.1.0">Forgot?</a>
        </div>
    </div>
    <span class="_rz1lq _e616g" data-reactid=".0.1.0.1.0.1.2.2"><button class="_aj7mu _taytv _ki5uo _o0442" data-reactid=".0.1.0.1.0.1.2.2.0">Log in</button></span>
</form>

The form action is login.php, and the parameters are username and password. This means I can make a request like https://insta.mostannoying.me/login.php?username=toto&password=tata.
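Reading the action, method and field names off a captured login form is the kind of thing worth automating when you handle many phishing reports. Below is an added example, not code from the post or from the kit: it parses the form HTML with the standard library, resolves the action against the page URL, lists the submitted fields (including the hidden `dim` field, whose JSON payload is the fake screen size), and flags a credential form whose action does not go to the legitimate host. The sample HTML is a copy of the form shown above; `legit_host` and the function names are my own.

```python
"""Extract credential-harvesting forms from captured phishing HTML.

Added example; not part of the original post.
"""
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://insta.mostannoying.me/"  # quoted in the post

# Copy of the form captured in the post (class noise trimmed; same action and inputs).
SAMPLE_HTML = """
<form action="login.php" method="POST" class="_rwf8p">
    <input type="hidden" id="dim" name="dim" value="{&quot;w&quot;:1680,&quot;h&quot;:1050,&quot;aw&quot;:1680,&quot;ah&quot;:971,&quot;c&quot;:24}">
    <div><input aria-label="Username" maxlength="30" name="username" placeholder="Username" value="" type="text"></div>
    <div><input aria-label="Password" name="password" placeholder="Password" value="" type="password">
         <div><a href="http://www.instagram.com/accounts/password/reset/">Forgot?</a></div></div>
    <span><button>Log in</button></span>
</form>
"""


class FormCollector(HTMLParser):
    """Collects every <form> with its <input> fields; attribute values are unescaped."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "GET").upper(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({"name": a.get("name"),
                                            "type": (a.get("type") or "text").lower(),
                                            "value": a.get("value") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html: str, page_url: str) -> list:
    """Return all forms with their action resolved to an absolute URL."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    for form in parser.forms:
        form["action"] = urljoin(page_url, form["action"])
    return parser.forms


def credential_forms(html: str, page_url: str, legit_host: str = "www.instagram.com") -> list:
    """Report forms that carry a password field and where they submit to.

    Hidden fields are decoded as JSON when possible so the analyst sees what
    else (here: screen dimensions) is exfiltrated alongside the credentials.
    """
    report = []
    for form in extract_forms(html, page_url):
        if not any(f["type"] == "password" for f in form["fields"]):
            continue
        hidden = {}
        for f in form["fields"]:
            if f["type"] == "hidden" and f["name"]:
                try:
                    hidden[f["name"]] = json.loads(f["value"])
                except ValueError:
                    hidden[f["name"]] = f["value"]
        report.append({
            "action": form["action"],
            "method": form["method"],
            "field_names": [f["name"] for f in form["fields"] if f["name"]],
            "posts_to_legit_host": urlsplit(form["action"]).netloc.lower() == legit_host,
            "hidden": hidden,
        })
    return report


if __name__ == "__main__":
    for finding in credential_forms(SAMPLE_HTML, PAGE_URL):
        print(json.dumps(finding, indent=2))
```

Because the form declares `method="POST"`, the credentials travel in the request body; whether the kit's `login.php` also accepts them as query parameters, as tried in the post, depends on how it reads them server-side and is worth recording in the report either way.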

We can also obtain this information from the network tab of the Chrome dev tools. This is what it shows:

We can also see that the dimensions of my (fake) screen are passed to login.php:

The website was taken down while I was auditing it, so I can't go deeper once again :(
