I came across an FB app yesterday that raised red flags as soon as I viewed the URL, which has a typo:

Opening the URL presented me with an application interface that claims to be an Instagram login interface, asking for credentials in order to grant access to the application.

Using Facebook apps to phish for Instagram credentials

It was clear that it's a phishing campaign conducted in an unprofessional manner, particularly given the French language used on the interface. Trying to enter random field values redirected me to a page in the Arabic language.

After recognizing this, I decided to identify the main backend server used to harvest victims' credentials.

After I opened the following URL, the main backend website interface that serves and receives harvested credentials appeared:

https://websitet7.com/qi/ins/?i=1108114

This time I typed in a random email and password to see where this page would redirect me after hypothetically harvesting my Instagram credentials, and indeed I was redirected to a proxy server web page.

Lessons learned:

1- Facebook apps do not request credentials for third-party services, and Facebook does not even ask you for your Facebook login info unless you need to log in.

2- Do not type your login information into any application or webpage unless you have made sure it belongs to the website it claims to be.

3- Take a step forward and report the main phishing URL to the Cisco Talos intelligence group so the IP gets blacklisted and other people are prevented from falling victim to this.

4- If it was a Facebook phishing, report the Facebook app URL to phish@fb.com to take down the app.
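
Lesson 2 and the typo'd URL that first raised suspicion can be turned into a mechanical check. The Python below is an added example, not part of the original post: the `OFFICIAL` allowlist, the function names and the `.example` sample hosts are assumptions constructed for illustration, and taking the second-to-last label as the domain name is a simplification standing in for a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Assumption: the only domains where each brand legitimately collects logins.
OFFICIAL = {"instagram": {"instagram.com"}, "facebook": {"facebook.com"}}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_login_url(url, claimed_brand):
    """Return (verdict, reason) for a page asking for claimed_brand credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    allowed = OFFICIAL[claimed_brand]
    if parts.scheme != "https":
        return ("reject", "not https")
    # Match the whole host or a dot-delimited parent domain, never a substring:
    # "instagram.com.login.example" contains the brand but is not the brand.
    if any(host == d or host.endswith("." + d) for d in allowed):
        return ("ok", "host belongs to " + claimed_brand)
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else host  # simplification, see lead-in
    for d in allowed:
        brand_label = d.split(".")[0]
        if edit_distance(name, brand_label) <= 2:
            return ("reject", "lookalike of " + d)
        if brand_label in host:
            return ("reject", "brand name embedded in unrelated host")
    return ("reject", "unrelated host")

if __name__ == "__main__":
    samples = [
        "https://www.instagram.com/accounts/login/",
        "https://websitet7.com/qi/ins/?i=1108114",      # backend URL from this post
        "https://instagrarn.example/login",             # constructed typo host
        "https://instagram.com.login.example/ins/",     # constructed subdomain trick
    ]
    for s in samples:
        print(s, "->", check_login_url(s, "instagram"))
```
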


About the Author

Cybersecurity Trainer. MS in Cybersecurity. Expertise in Healthcare and Finance Industries. Penetration tester and compliance auditor.