Watch out! Don’t fall for the Instagram ‘Nasty List’ phishing attack

16 Apr 2019. Filed under: Instagram, Security threats, Social networks

by John E Dunn

For nearly a week, Instagram users have been receiving odd messages from followers expressing shock that their accounts have somehow ended up on something called the “Nasty List.”

If you receive one, the message with an embedded link will look something like the following example (the list and placement numbers vary):

OMG your actually on here, @TheNastyList_xx, your number is 26! its really messed up.

In the cold light of day it looks dubious, but social media is all about rapid clicking, so that's what some people do, unaware of the danger they are heading towards.

According to Bleeping Computer, clicking on TheNastyList profile link leads to a page containing a second link that says it will let the user see everyone on the imaginary list.

Readers will probably have worked out what's coming next: anyone following this is asked for their Instagram username and password. The address of the login page isn't a legitimate Instagram one (it isn't on instagram.com), but it seems a lot of people don't notice this.
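The tell in this attack is the address bar: the page asks for Instagram credentials but is not served from instagram.com. The following is an added example, not code from the article or from Instagram, of how a practitioner would check that programmatically, for instance in a URL filter or a phishing-awareness tool. It assumes that only instagram.com and its subdomains may legitimately serve an Instagram login page, and it covers the usual tricks lures rely on: the brand name as a subdomain of another site, a fake "instagram.com@" userinfo prefix in front of the real host, bare IP addresses, plain http, and non-ASCII lookalike hostnames. The sample URLs are constructed for the example (reserved .example names and the 192.0.2.0/24 documentation range); none of them is the address used in the real attack.

```python
from urllib.parse import urlsplit
import ipaddress

# Hosts that legitimately serve an Instagram login page. Assumption for this
# example: instagram.com and any subdomain of it; a real deployment would keep
# such an allow-list under configuration control.
LEGIT_DOMAINS = ("instagram.com",)


def is_legit_host(host: str) -> bool:
    """True if host is exactly one of LEGIT_DOMAINS or a subdomain of one."""
    host = host.lower().rstrip(".")  # 'instagram.com.' (trailing dot) is the same name
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def check_login_url(url: str) -> dict:
    """Classify a URL that is asking for Instagram credentials.

    Returns {"url", "host", "legit", "reasons"}; "legit" is True only when
    no reason to distrust the page was found.
    """
    parts = urlsplit(url.strip())
    # hostname is lowercased and has userinfo, port and IPv6 brackets removed
    host = parts.hostname or ""
    reasons = []

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        # https://instagram.com@evil.example/ : the real host is what follows '@'
        reasons.append(f"userinfo '{parts.username}' precedes '@'; real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a domain name")
    except ValueError:
        pass
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        reasons.append("host contains non-ASCII/punycode labels (possible homograph)")
    if not is_legit_host(host):
        reasons.append(f"host {host!r} is not instagram.com or a subdomain of it")
        if "instagram" in host:
            reasons.append("brand name used inside a non-Instagram host (lookalike)")

    return {"url": url, "host": host, "legit": not reasons, "reasons": reasons}


def triage(urls):
    """Run check_login_url over a list and return only the suspicious results."""
    return [r for r in (check_login_url(u) for u in urls) if not r["legit"]]


# Constructed sample URLs (reserved .example names and the 192.0.2.0/24
# documentation range); none of these is the address used in the real attack.
SAMPLE_URLS = [
    "https://www.instagram.com/accounts/login/",        # genuine
    "https://instagram.com.login-verify.example/",      # brand as a subdomain of another site
    "http://instagram.com@login.example/ig",            # userinfo trick, plain http
    "https://instagram-login.example/",                 # lookalike name
    "https://192.0.2.10/login",                         # bare IP
]

if __name__ == "__main__":
    for r in triage(SAMPLE_URLS):
        print(f"SUSPICIOUS {r['url']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

The check is deliberately a strict allow-list on the registered domain rather than a search for the word "instagram" anywhere in the URL, because the lure's whole trick is that the brand name is present while the domain is not. Note that `urlsplit` already discards anything before an `@`, so the userinfo case is caught by reading `parts.hostname`, which is exactly what the browser will connect to.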

Anyone entering their credentials will find themselves in a spot of trouble, starting with their entire base of followers receiving the same message telling them that they too are on the Nasty List – and so the social media phishing attack grows.

They’ll also potentially have handed control of their account to criminals to do whatever they want with.

As one of the early victims noticed when discussing the attack on a Reddit thread:

As soon as I clicked the link I exited out of it realizing it was a hack, but a day later the messages were sent. I changed my password and turned on two factor authentication. Does that mean the bot still has access to my account?


Too late

It’s easy to say don’t fall for it, but what if people do fall for it?

First, as long as you are sure you didn’t enter your credentials on the fake login page, you should be safe.

If you did enter your credentials but have two-factor authentication (2FA) turned on, via SMS or an authenticator app, you are in a much better position, because the criminals need the second factor as well as your password, and that is much harder for them to get (an authenticator app is the stronger of the two). Even so, treat the password as known to the crooks and change it.

2FA can be set up on Instagram by going to your profile and selecting the hamburger icon (three horizontal lines). Then choose Settings > Privacy and security > Two-factor authentication and follow the instructions on the page.

If there's a risk that your account has been compromised, you should immediately change your account password, turn on 2FA, and double check that the email address and phone number associated with the account haven't been changed. It is also worth reviewing the account's login activity and logging out any sessions or devices you don't recognise.

If you’ve used the same password for Instagram on other online accounts you should immediately change those too. And make the new passwords different for each account – password managers really help with this.

For more on locking down your Instagram account, read the Naked Security guide.



One comment on "Watch out! Don't fall for the Instagram 'Nasty List' phishing attack"

Molly Fields, May 5, 2019 at 9:37 pm:

    I was so scared about this, all my followers were sending this to me. I was like WHAT?? I'm like the nicest person in my school haha
