When it comes to social engineering on social media, the whole "fool me twice, shame on me" thing doesn't apply. This is mainly because cyber criminals have gotten so good at tricking users into willingly turning over their account credentials. Some of these schemes are clever enough that a user can't really be blamed for falling for them twice.
One such scam is the newly resurfaced InstaCare threat. This spear-phishing tactic tricks users of the popular image-sharing social network into giving away their login information.
An old trick with a new name
According to Trend Micro, InstaCare is hardly a new concept. Last November, nearly half a million Instagram users downloaded an application called InstaAgent from the Apple App Store. As many as 100,000 Android users also downloaded the application.
The allure of InstaAgent isn't hard to see. Once you handed over your Instagram login credentials, InstaAgent claimed that it could show you how many people have viewed your account, and exactly who these viewers are. For small businesses that are trying to conduct social media market research, or even just a user who's interested in knowing who's watching them, this type of application has obvious benefits.
Unfortunately, there's a big catch. A German developer realized that the login credentials were being sent to a remote server. With this information, scammers are free to post content to users' Instagram pages. If this sounds vaguely familiar, it's because it's happened before on other social media websites. Remember Facebook Profile Viewer? If you don't, it basically applies the same concept as InstaAgent. The only difference is that it steals your Facebook credentials.
InstaAgent was promptly removed from the Apple App Store and Google Play upon discovery that it was a scam.
Still effective after all these years
One might go as far as to say that the profile viewer scam is one of the oldest tricks in the book – or should we say, the "Face" book. Nevertheless, users continue to fall for it. In fact, InstaCare does exactly the same thing that InstaAgent does. And despite history's warnings, users have fallen just as hard this time around.
Once again, the credential-stealing app was listed as a top download in the Apple App Store in several countries. The good news, as noted in a Trend Micro blog post, is that the app seems to have been taken down from both the App Store and Google Play. The bad news is that by then, it had already done its damage.
Trend Micro also stated that to date, there have been no legitimate profile view applications. In fact, InstaCare is just one among a bevy of online apps promising to tell you who is viewing your profile. None of them are supported by any popular social media outlet.
That said, it's unlikely that people will stop falling for this scam any time soon, especially since these scams continue to target new generations of social media users. What newly subscribed middle schooler wouldn't want to see if their crush has been viewing their profile? Not to mention that the fact that InstaAgent and InstaCare both made it to the Apple App Store and Google Play makes these scams seem all the more legitimate.
Going forward, the best thing social media users can do is to follow one very simple rule: Do not give your login credentials to any application, or any person. In reality, no software and no other human being should need access to your login and password, and sharing this information is only bound to end in a privacy violation or snooping.
Caution and vigilance are still the best defenses Internet users can employ against the growing number of cyber threats targeting social media.