For nearly a week, Instagram users have been receiving odd messages from followers expressing shock that their accounts have somehow ended up on something called the “Nasty List.”
If you receive one, the message with an embedded link will look something like the following example (the list and placement numbers vary):
OMG your actually on here, @TheNastyList_xx, your number is 26! its really messed up.
In the cold light of day, it looks dubious but social media is all about rapid clicking so that’s what some people do, unaware of the danger they are heading towards.
According to Bleeping Computer, clicking on TheNastyList profile link leads to a page containing a second link that says it will let the user see everyone on the imaginary list.
Readers will probably have worked out what’s coming next – anyone following this is asked for their Instagram username and password (the link on the login page isn’t a legitimate Instagram address but it seems a lot of people don’t notice this).
Anyone entering their credentials will find themselves in a spot of trouble, starting with their entire base of followers receiving the same message telling them that they too are on the Nasty List – and so the social media phishing attack grows.
They’ll also potentially have handed control of their account to criminals to do whatever they want with.
As one of the early victims noticed when discussing the attack on a Reddit thread:
As soon as I clicked the link I exited out of it realizing it was a hack, but a day later the messages were sent. I changed my password and turned on two factor authentication. Does that mean the bot still has access to my account?
Too late
It’s easy to say don’t fall for it, but what if people do fall for it?
First, as long as you are sure you didn’t enter your credentials on the fake login page, you should be safe.
If you did enter your credentials but are using two-factor authentication (2FA) via SMS or an authenticator app, you should be ok because it’s much more difficult for criminals to bypass that.
2FA can be set up on Instagram by going to your profile and selecting the hamburger icon. Then choose Settings > Privacy and security > Two-factor authentication and follow the instructions on the page.
If there’s a risk that your account has been compromised, you should immediately change your account password, turn on 2FA, and double check to make sure that the email address and phone number associated with the account haven’t been changed.
If you’ve used the same password for Instagram on other online accounts you should immediately change those too. And make the new passwords different for each account – password managers really help with this.
For more on locking down your Instagram account, read the Naked Security guide.
