Originally seen on April 13, 2019: Bleepingcomputer by Lawrence Abrams
A new phishing scam called “The Nasty List” is sweeping through Instagram and is targeting victims’ login credentials. If a user falls victim, the hackers will use the compromised account to further promote the phishing scam.
The Nasty List scam is being spread through hacked accounts that send messages to their followers stating that they were spotted on a so-called “Nasty List”. These messages state something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.”
According to screenshots shared with BleepingComputer, the scammers attempt to send these messages to all followers of a hacked account.
If a recipient visits the listed profile, it will be named something like “The Nasty”, “Nasty List”, or “YOUR ON HERE!!”. The profiles include a description similar to “People are really putting all of us on here, I’m already in 37th position, if your reading this you must be on it too.” or “WOW you are really on here, ranked 100! this is horrible, CANT WAIT TO REVEAL THE TOP 10!”, as shown below.
These profile descriptions also include a link that supposedly allows you to see this Nasty List and why you are on it. For example, the above profiles are using the URL nastylist-instatop50[.]me, which when visited displays what appears to be a very legitimate-looking Instagram login page.
While the above page looks real, it is important to pay attention to the URL listed at the top of the window, as indicated by the red arrow in the image above. As you can see, this login page is actually located at nastylist-instatop50[.]me, which is obviously not a legitimate Instagram site.
To avoid falling for an Instagram phishing scam like the Nasty List, never enter your login credentials on a page that does not belong to the instagram.com website.
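The check the article describes, "does this login page actually live under instagram.com?", is easy to get wrong if you only look for the string "instagram.com" somewhere in the URL, because a phishing host can contain it as a prefix, a suffix, or as fake credentials before an `@`. The following Python is an added example written for this page, not code from BleepingComputer or from Instagram; it assumes that `instagram.com` and its subdomains are the only hosts that should ever serve an Instagram login form, and uses the page's defanged indicator plus a few constructed lookalike URLs as test input.

```python
from urllib.parse import urlsplit

# The only registrable domain that should ever host an Instagram login page.
# Assumption made for this example; an organisation would maintain its own allowlist.
LEGITIMATE_DOMAIN = "instagram.com"


def refang(url: str) -> str:
    """Turn a defanged indicator (nastylist-instatop50[.]me, hxxps://...) back into a URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def normalise(url: str) -> str:
    """Prepend a scheme when none is present so urlsplit() parses the host, not the path."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    return url


def is_instagram_login_host(url: str) -> bool:
    """True only if the URL's host is instagram.com or a subdomain of it.

    urlsplit().hostname drops userinfo ("instagram.com@evil.me" -> "evil.me"),
    drops the port and lower-cases the name, so the usual padding tricks
    (lookalike prefix, lookalike suffix, credentials-in-URL) all resolve to
    the attacker's registrable domain and are rejected by the suffix test.
    """
    parts = urlsplit(normalise(url))
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    return host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN)


def triage(urls):
    """Label each URL 'ok' or 'phishing-suspect', as a link filter in a security tool might."""
    return {u: ("ok" if is_instagram_login_host(u) else "phishing-suspect") for u in urls}


if __name__ == "__main__":
    # Constructed sample: the page's indicator plus hypothetical lookalike forms.
    sample = [
        "https://www.instagram.com/accounts/login/",
        "nastylist-instatop50[.]me",
        "https://instagram.com.nastylist-instatop50.me/login",
        "https://www.instagram.com@nastylist-instatop50.me/",
        "https://myinstagram.com/",
    ]
    for url, verdict in triage(sample).items():
        print(f"{verdict:17} {url}")
```

The allowlist is deliberately strict: anything whose registrable domain is not `instagram.com` is flagged, including hosts that merely embed the name. An internationalised lookalike domain (a Cyrillic letter swapped into the name) also fails the suffix test, since its hostname is a different string. None of this replaces reading the address bar, as the article advises; it shows what the address bar is being read for.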
What to do if you were hacked by this scam?
If you have been hacked by the “Nasty List” phishing scam and you still have access to your account, the first thing you should do is verify that your account is using the correct phone number and email address.
You can do this by going to your profile and selecting Edit Profile. Then scroll to the bottom to view your email address and phone number. If it’s not correct, try to change it to the correct information.
Once the correct email address and phone number are listed, change your password by following these instructions.
Once you have changed your password, all devices currently logged into your account will be logged off. You can then log back in to regain control of your account.