Cybercrime attacks Instagram users with a copyright infringement scam
Sophos: Cybercriminals are spreading a phishing campaign that uses Instagram as a lure and a fake copyright infringement alert to scam users
A new cybercrime attack targets Instagram users, using copyright infringement alerts as a lure to steal credentials. It was discovered by Sophos cyber security experts. The phishing message reports that the social media platform “detected contents in your account that will violate copyright laws. Your account will be deactivated within 48 hours, unless you provide feedback. As Instagram, we respect copyrights and take care to protect them.” To solve the issue, the email invites the recipient to click on the “Copyright Objection Form” button. The link redirects victims to the phishing landing page. The aim of the cyber criminals is to steal sensitive information from users, in particular their social media credentials. Victims who fall for the scam are told to wait 24 hours to be contacted by Instagram via mail.
The cyber security experts: the goal of the cyber criminals is to steal sensitive information (credentials), playing on a sense of urgency and a few tricks that make the requests look legitimate
According to the cyber security experts, the criminals play on the victims’ sense of urgency (48 hours before the deactivation of the Instagram account) to grab sensitive info. The phishing campaign authors are using a free “.CF” domain name, “left stuffed” with subdomain text that disguises its bogus origins. They have acquired an HTTPS certificate for their imposter website, so users will see the necessary and expected padlock in their browser. They also added an age check to the page, apparently in a two-faced effort: not only to make it look more realistic, but also to go after an additional item of personal data, namely the victim’s birthday. Once the scam is completed, users are redirected to Instagram’s real login page.
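
The URL traits described above (free “.CF” domain, left-stuffed subdomain text, padlock) can be checked mechanically when triaging reported links. The following is an added example, not code from Sophos or from this article; the function names, the brand table, the extra free TLDs and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: brand keyword -> registrable domains the brand really uses.
BRAND_DOMAINS = {"instagram": {"instagram.com"}}
# "cf" is the TLD named in the article; the others are an added assumption
# (TLDs that were likewise handed out free of charge).
FREE_TLDS = {"cf", "ga", "gq", "ml", "tk"}


def registrable_domain(host):
    """Naive last-two-labels rule (assumption); production code should
    consult the Public Suffix List so that e.g. 'co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url):
    """Return a list of findings for one URL; an empty list means no flag."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    findings = []

    for brand, real_domains in BRAND_DOMAINS.items():
        if reg in real_domains:
            continue  # the host really belongs to the brand
        # Left-stuffing: the brand name appears only in the subdomain
        # labels, to the left of a registrable domain the brand does not own.
        if any(brand in label for label in labels[:-2]):
            findings.append(f"left-stuffed:{brand}")

    if labels[-1] in FREE_TLDS:
        findings.append(f"free-tld:{labels[-1]}")

    # HTTPS only proves an encrypted channel to whoever holds the
    # certificate; on a host that is already flagged it adds no trust.
    if findings and parts.scheme == "https":
        findings.append("https-padlock-only")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the campaign.
    for u in ("https://instagram.com.copyright-form.constructed-lure.cf/objection",
              "https://www.instagram.com/accounts/login/"):
        print(u, assess_url(u))
```

The decision is made on the registrable domain at the right-hand end of the hostname, which is the part a left-stuffed name is designed to push out of view.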