Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2

Author Topic: New (to me) scam attempt to hack Instagram  (Read 6151 times)

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
New (to me) scam attempt to hack Instagram
« on: November 28, 2018, 12:24:41 PM »

Over the past two days I had 4 emails supposedly from Instagram 2 of which say my email address has been changed on the account and the other two say my phone number had been removed. Now what initially raised suspicions was that the were sent to my Gmail address which is not associated with Instagram and the email address part in front of the @ was similar to my real gmail email but NOT correct as it had been split in two using a period. Looking at the source I could not see a genuine valid email address but the html looked just like a genuine Instagram email. Now all 4 emails were downloaded from my real Gmail account so somehow they managed to con Gmail into accepting the mail.

Good job I'm a suspicious type, anyone not looking carefully would probably clicking the link and end up losing control of their Instagram account.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: New (to me) scam attempt to hack Instagram
« Reply #1 on: November 28, 2018, 01:15:36 PM »

Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: New (to me) scam attempt to hack Instagram
« Reply #2 on: November 28, 2018, 02:24:42 PM »

Well that I believe is a huge hole in security and explains how I got the emails. I do not think that is reasonable at all, is there a way to turn that off?

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

j0hn

  • Kitizen
  • ****
  • Posts: 4093
Re: New (to me) scam attempt to hack Instagram
« Reply #3 on: November 28, 2018, 04:18:19 PM »

No.
You yourself own youremail@gmail.com and your.email@gmail.com and y.o.u.r.email@gmail.com

As many or as few periods as you like, you own them, nobody else can use them w/o your password.

edit: you can also use youremail+ anythinghere@gmail.com also works
« Last Edit: November 28, 2018, 04:21:11 PM by j0hn »
Logged
Talktalk FTTP 550/75 - Speedtest - BQM

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: New (to me) scam attempt to hack Instagram
« Reply #4 on: November 28, 2018, 04:20:48 PM »

I wonder why the scammers inserted the dots in the first place, if they already knew your correct address?   :-\

Have you checked your Instagram account (not by clicking the link!) to check what it contains as your address, just in case it really has been hacked?   I have no idea whether Instagram allows you to review “recent changes/activity”, but it so, might be worth a look.
Logged

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: New (to me) scam attempt to hack Instagram
« Reply #5 on: November 28, 2018, 05:10:02 PM »

First thing I did was to check Instagram myself and nothing changed. As I pointed out it is not linked to my Gmail account anyway. Genuine emails from Instagram come into an different account. I had no idea this was possible and frankly another nail in the coffin of Gmail for me unless I can turn this off, it's simply pointless as far as I can see.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: New (to me) scam attempt to hack Instagram
« Reply #6 on: November 28, 2018, 07:14:43 PM »

I don't see that it is a huge security hole, or even a small one. The perpetrators would need to know your Gmail address in the first place, or be very lucky to guess it correctly dots or not unless using something obvious like your name.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: New (to me) scam attempt to hack Instagram
« Reply #7 on: November 28, 2018, 07:39:04 PM »

I don't see that it is a huge security hole, or even a small one. The perpetrators would need to know your Gmail address in the first place, or be very lucky to guess it correctly dots or not unless using something obvious like your name.

Yes but my point is that I don't want this and as a user I should be able to decide to turn this off. I've never seen this anywhere else, I expect only the defined email to be the only thing accepted as valid. Not too much to ask.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: New (to me) scam attempt to hack Instagram
« Reply #8 on: November 28, 2018, 10:21:51 PM »

Only thing that comes to mind is to create a filter rule to delete any emails not to your the specific address, presuming that can be done of course.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

j0hn

  • Kitizen
  • ****
  • Posts: 4093
Re: New (to me) scam attempt to hack Instagram
« Reply #9 on: November 28, 2018, 11:04:34 PM »

You can indeed filter like that on gmail.
Anything not matching the exact email address you choose (with or without periods) can be sent straight to the bin.

Gmail is not the only email provider who do this.

I like it.
As the owner of JohnSmith@gmail.com I wouldn't want anyone else to be able to register John.Smith@gmail.com
Logged
Talktalk FTTP 550/75 - Speedtest - BQM

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: New (to me) scam attempt to hack Instagram
« Reply #10 on: November 29, 2018, 06:07:43 AM »

So therefore it actually adds security.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

broadstairs

  • Kitizen
  • ****
  • Posts: 3697
Re: New (to me) scam attempt to hack Instagram
« Reply #11 on: November 29, 2018, 08:12:13 AM »

So therefore it actually adds security.

I still believe that the option should be to deny such addressing and prevent the john.smith option by default unless the user wants it. If I could dump Gmail I would but so far it has not been possible but I will make more determined efforts now to do so.

Stuart
Logged
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: New (to me) scam attempt to hack Instagram
« Reply #12 on: November 29, 2018, 04:21:36 PM »

Many email services have a catch-all facility, where email sent to any old non-existing whoever@example.com can get sent to some particular user’s mailbox or get dumped. Services I have seen do allow you to just dump all incorrectly or non-specifically addressed email.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: New (to me) scam attempt to hack Instagram
« Reply #13 on: November 29, 2018, 10:56:10 PM »

I think there are two different scenarios here...

1) You have your own domain, and you want a catch-all for emails that are clearly intended for your domain but, lacking an accurate recipient,  would otherwise be undelivered.   Pretty much, as described by Weaver, it is common for mail hosting services to provide a way to catch these.

2) You use a public domain, such as gmail.com.   In that case, Google seem to have taken it upon the themselves to offer a broadly comparable feature, albeit way outside of the smtp protocol standards.  Trouble is, it is all very well for Google to say “We have had a great idea” and implement their own proprietary extensions to smtp but in reallity, they  leave themselves open to attacks such as described by Broadstairs.   And having set the precedent, and the illusion that it is useful, and 100s of millions of google users probably rely upon it, it would be very difficult to retract.  ???

To be clear the problem I foresee is... a scammer sends an email designed to get attention, by asserting “your email address has been changed”.   The recipient notices subtle changes (unexpected dots) and panics “Oh no, so it has”.   In the panic, a malicious link gets clicked.  :no:

I know of no other mail service, other than gmail, that have taken it upon themselves to ignore dots.    Remember, Google officially stopped “not being evil” some years ago now. :(
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 4093
Re: New (to me) scam attempt to hack Instagram
« Reply #14 on: November 30, 2018, 03:31:56 PM »

Your misunderstanding something.

Google don't ignore dots, they send them on. They don't remove them. Other email providers do the same.

My email host, on my personal domain, has the exact same.
If I send an email to John@mydomain.com I receive it.
If I send an email to J.ohn@mydomain.com I receive it.

With gmail, emails sent to the exact address you are logged in as (with or without periods) shows as
From: recipient
To: me

Emails sent with periods added/removed show as
From: Recipient
To: johns.mith@gmail.com

I don't want my email provider touching anything.
I have a period in my gmail address and still want my mail if someone forgets to use it or (As some places do for whatever reason) the period is automatically removed.
Logged
Talktalk FTTP 550/75 - Speedtest - BQM
Pages: [1] 2