Setting the stage
Across the week of 5th–11th of January, many people posted on social media about unsolicited emails requesting password resets for their Instagram account(s). In this article we explore what actually happened, to the extent of the information available to us, and debunk some attempts by social media influencers to alert the general public that ended up delivering misinformation (i.e. something like disinformation, but without bad intent).
The attack vector, if any attack happened
One of the most widespread attack vectors malicious actors use to take over online accounts is sending fake password reset notifications. Nobody is actually trying to access your account, but credential harvesters make you believe so and invite you to visit the platform’s security portal by clicking a link they provide. This is the trap: you believe you are accessing the legitimate security portal, but the website you interact with is a clone controlled by the malicious actors, which logs the credentials you enter. It doesn’t stop there: they go further by proxying the 2FA/TOTP forms to log in on your behalf and store the resulting access tokens. This is partly how some information stealers / grabbers work.
They often send from well-established and properly configured domains to get past anti-spam filters, but the malicious part lives in the email body: the link you are asked to click to verify the login request or password reset.
The current industry standards
For these phishing emails DKIM (a.k.a. DomainKeys Identified Mail, a cryptographic signature verification) is set up, and that is also how they pass some of the MX-level security checks.
Emails, before reaching your inbox, get sorted, filtered, labelled or even rejected by your receiving MX server. Think of MX servers as post offices.
Before digging into the chaos, we need to better understand how email delivery works. Here’s what happens at a very simplistic level when Mario wants to send an email to Luigi:
- Mario uses an email client and composes an email to send to Luigi
- Mario’s MX server (e.g.: mx.mario.it) takes over the request, sets the headers and delivers the envelope to Luigi’s MX server
- Luigi’s MX server checks headers, IPs and metadata in general, and decides what to do based on both mario.it’s and mx.luigi.it’s rules
- Eventually the email is delivered to Luigi’s inbox, rejected, or Mario receives an error message
Sender Policy Framework
When Mario talks to his MX server’s SMTP service, he declares the value of the sender email address. In the past it was possible for anyone to connect to (almost any) SMTP server and ask it to deliver an email spoofing any sender address; since then, technology and policies have evolved a lot.
While we don’t have control over who’s sending what, network administrators define instructions for MX servers on how to handle emails presented as coming from a user associated with the domain in question.
Let’s add Carlo, the malicious actor who wants to make Luigi believe he is Mario. Mario can’t control Carlo’s MX server, but he can give instructions to Luigi’s MX server through DNS records which (ideally) only Mario can control. Luca, a state-sponsored threat actor, could poison DNS at internet scale, but at that point the entire internet would be compromised and emails would be the least of the concerns.
Mario’s network administrator sets SPF (Sender Policy Framework) records in mario.it’s DNS zone to tell Luigi’s MX server, and the entire internet, to accept emails from mario.it only if they are sent from a defined set of IP addresses and to reject them otherwise, for instance. So Luigi will receive an email from Mario only if the email was sent by Mario’s MX server. Luigi’s MX server will reject (not let through) Carlo’s email because Carlo’s MX server is not Mario’s MX server.
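To make the SPF decision above concrete, here is an added example (not code from the article) of how Luigi’s MX server evaluates mario.it’s record against the IP that connected to it. The DNS table, addresses and the include target are all constructed; only the ip4/ip6/include/all mechanisms are implemented.

```python
import ipaddress

# Constructed DNS table standing in for real TXT lookups. mario.it is the
# article's example domain; every address and the include target are made up.
DNS_TXT = {
    "mario.it": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 "
                "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ~all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only the
    ip4/ip6/include/all mechanisms are handled; a/mx/exists/redirect would
    need live DNS and are left out of this example.
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An IPv6 client never matches an ip4 network, and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only when the referenced record yields pass.
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"

if __name__ == "__main__":
    # Mario's own server passes; Carlo's server (192.0.2.44) hits -all.
    print(check_spf("mario.it", "203.0.113.7"), check_spf("mario.it", "192.0.2.44"))
```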
DomainKeys Identified Mail
DKIM is an authentication method used to verify the integrity and authenticity of email messages. It helps to prevent spoofing and phishing attacks by allowing the recipient to check that an email was actually sent from the domain it claims to come from.
Sounds similar to SPF, right? That’s because both are email authentication mechanisms; the difference is that DKIM is about content integrity, ensuring nothing got tampered with in transit. It needs to be stated that this is not about whether the content is malicious or not, only that it didn’t get modified. If I send a phishing email from a domain that has DKIM set up, and it doesn’t get tampered with in transit, the recipient’s MX server considers it valid. Plus, if it’s sent from a server which SPF considers valid, the source is legit as well.
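The integrity point is easiest to see with the body hash (bh=) that every DKIM-Signature carries. This added example (not the article’s code) recomputes it over the body as received and shows that a single changed byte breaks the match; the message, domain, selector and signature value are constructed placeholders.

```python
import base64
import hashlib
import re

def canonicalize_body_simple(body):
    """DKIM 'simple' body canonicalisation: normalise line endings to CRLF
    and collapse any run of trailing empty lines into a single final CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def body_hash(body):
    """The bh= value a signer puts in DKIM-Signature for a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_tags(value):
    """Turn 'k=v; k=v' into a dict, ignoring folding whitespace in values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def body_hash_matches(message):
    """True if bh= covers the body as received. This is the integrity half of
    DKIM; the b= signature over the headers (key at <s>._domainkey.<d>) is the other."""
    headers, _, body = message.partition("\r\n\r\n")
    headers = re.sub(r"\r\n[ \t]+", " ", headers)  # unfold continuation lines
    for line in headers.split("\r\n"):
        if line.lower().startswith("dkim-signature:"):
            tags = parse_dkim_tags(line.split(":", 1)[1])
            return tags.get("bh") == body_hash(body)
    return False

# Constructed sample message; bh= is computed here exactly as a signer would.
BODY = "Reset your password: https://mail.example/reset?token=PLACEHOLDER\r\n"
MESSAGE = (
    "From: security@mail.example\r\n"
    "To: luigi@luigi.it\r\n"
    "Subject: Password reset\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.example;\r\n"
    " s=sel2025; h=from:to:subject; bh=" + body_hash(BODY) + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE\r\n"
    "\r\n" + BODY
)
```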
Domain-based Message Authentication, Reporting & Conformance
Put simply, DMARC is DKIM + SPF checks and more, to ensure spoofing fails. A useful addition is that you receive reports from the MX servers that receive emails presented as coming from your domain.
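The “and more” is mostly alignment: it is not enough that SPF or DKIM passed for some domain, the passing domain must match the visible From: domain, and the policy (p=) says what to do when neither does. This added example (not the article’s code) applies a constructed mario.it policy to Mario’s own mail and to Carlo’s spoof; the organisational-domain helper is deliberately simplified.

```python
def parse_tags(record):
    """Parse a 'k=v; k=v' record (DMARC policy) into a dict."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}

def org_domain(domain):
    """Simplified organisational domain (last two labels). Real DMARC uses
    the Public Suffix List, so this is wrong for e.g. something.co.uk."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) accepts any subdomain
    of the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (disposition, reason) for one message.

    from_domain: domain of the visible From: header.
    spf_domain:  domain SPF was checked against (the MAIL FROM / envelope).
    dkim_domain: the d= tag of a DKIM signature that verified.
    DMARC passes when SPF or DKIM both passed AND aligns with the From:
    domain; otherwise the p= policy applies.
    """
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ("none", "no DMARC record")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "aligned " + ("SPF" if spf_ok else "DKIM"))
    return (tags.get("p", "none"), "no aligned SPF or DKIM pass")

# Constructed policy for the article's mario.it; the report address is made up.
MARIO_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@mario.it"

if __name__ == "__main__":
    # Mario from his own server, then Carlo's server spoofing mario.it in From:.
    print(dmarc_evaluate(MARIO_DMARC, "mario.it", "pass", "mario.it", "pass", "mario.it"))
    print(dmarc_evaluate(MARIO_DMARC, "mario.it", "pass", "carlo.example", "pass", "carlo.example"))
```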
Brand Indicators for Message Identification
While the previous settings are very easy to set up and accessible to everybody, here we level up for real. Domains that want a “blue check mark” displayed in recipients’ email clients (not all of them, though) need to set this up. The setup process also includes a document-based verification of the organisation/company, restricting this level of verification to legit and qualified legal entities.
What does Instagram have to do with this?
“Did they send the email? Was it really them?”
Yes.
So please, (misinformation) Content Creators out there, reconsider your position and let the digitally competent do their thing.
At the time of writing, a single video had reached 3.7 million views. Don’t get me wrong: nothing against creators per se, other than misleading hundreds of thousands of people.
You may also reconsider the belief that it’s just an outlier and a one-off, but I’m sorry to inform you that this is not the case.
What’s misleading?
In their own words:
- “[…] looks incredibly real […]”
- “[…] blue check mark and everything […]”
- “[…] this link […] actually takes you to Instagram […]”
- “[…] this is actually an official Instagram email address […]”
Here is my unsolicited opinion: because it is.
Say “Hi!” to BIMI.
What malicious actor would spend this much effort only to direct you to the legit platform? So is it an official communication or phishing? What’s your position?
Now that we agree on how they are misleading the audience by leveraging the “blue check mark”, let’s see what’s odd. That “blue check mark” is not the one you can buy to get your profile “blue check marked”; it used to be only for legit sources. Anyway, emails are not social media posts.
The “blue check mark” is provided by Gmail itself and rendered in the UI; it’s not part of the sender text label, and this can easily be verified by reading the email with an email client that doesn’t display a “blue check mark” for BIMI-verified senders.
Let’s verify Instagram BIMI
First we click on the three dots on the right and then on “Show original”; this opens a new browser tab with all the headers and content. At the top we can see SPF, DKIM and DMARC, each followed by “PASS”. This is already a good starting point, don’t you agree?
The second step is to look up the “BIMI-Selector” header.
Finally we can execute a dig query such as the following:
dig TXT fb2025q1v1._bimi.mail.instagram.com
PEM file: https://instagram.com/cdn/cacheable/bimi_logo/instagram.pem
After downloading the PEM file, we can investigate further and see which CA issued it, for which company, and more.
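The lookup name in the dig command is not arbitrary: it is built from the BIMI-Selector header and the From: domain. This added example (not the article’s code, and run against a constructed DNS table rather than live dig) derives that name and extracts the logo and certificate URLs a receiving MX would then fetch. The a= URL is the PEM link from the article’s output; the l= logo URL is a placeholder.

```python
# Constructed DNS table. The lookup name is the one the article's dig command
# queries; the a= URL is the article's PEM link, the l= URL is a placeholder.
DNS_TXT = {
    "fb2025q1v1._bimi.mail.instagram.com":
        "v=BIMI1; l=https://example.test/logo.svg; "
        "a=https://instagram.com/cdn/cacheable/bimi_logo/instagram.pem",
}

def parse_tags(value):
    """Parse 'k=v; k=v' (BIMI-Selector header or BIMI TXT record)."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in value.split(";") if "=" in p)}

def bimi_lookup_name(from_domain, bimi_selector_header=None):
    """Name the receiving MX queries: <selector>._bimi.<From domain>.
    The selector comes from a 'BIMI-Selector: v=BIMI1; s=...' header and
    falls back to 'default' when the header is absent or malformed."""
    selector = "default"
    if bimi_selector_header:
        tags = parse_tags(bimi_selector_header)
        if tags.get("v") == "BIMI1" and tags.get("s"):
            selector = tags["s"]
    return f"{selector}._bimi.{from_domain.lower()}"

def bimi_assertion(from_domain, bimi_selector_header=None, dns=DNS_TXT):
    """Return {'logo': ..., 'evidence': ...} for a usable BIMI record, else None.
    Both URLs must be https, and without an a= certificate link there is
    nothing for the MX to validate the logo against, so no mark is shown."""
    record = dns.get(bimi_lookup_name(from_domain, bimi_selector_header))
    if record is None:
        return None
    tags = parse_tags(record)
    if tags.get("v") != "BIMI1":
        return None
    logo, evidence = tags.get("l", ""), tags.get("a", "")
    if not (logo.startswith("https://") and evidence.startswith("https://")):
        return None
    return {"logo": logo, "evidence": evidence}

if __name__ == "__main__":
    print(bimi_lookup_name("mail.instagram.com", "v=BIMI1; s=fb2025q1v1"))
    print(bimi_assertion("mail.instagram.com", "v=BIMI1; s=fb2025q1v1"))
```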
So let’s recap:
- Meta asked DigiCert to provide a CA-signed certificate
- DigiCert did their thing (due diligence, background check, …)
- Meta hosts that certificate publicly for MX servers to retrieve and verify its authenticity
- Gmail checks Instagram DNS records and sees valid SPF, DKIM, DMARC and BIMI
- Gmail renders a “blue check mark” in the UI to inform you the communication is legit
And the second part of the video?
The second part is about the Instagram page on security-related communications sent by Meta, and here there is another misunderstanding.
While, up to this point, what they say is true, they conclude by stating something close to “you don’t see their password reset communication here, so it must be phishing”.
Well… what a roller-coaster of a ride!
Here we see a couple of cognitive biases: premature closure and confirmation bias. They didn’t verify all the information available to them; no blame, it’s not their fault if they’re not knowledgeable in the matter, but it is still their responsibility to correctly inform users. The confirmation bias is noticeable when they use their (wrong) understanding to support their position.
Nevertheless, I absolutely share their recommendations to:
- Don’t click links in emails you weren’t expecting
- Check the security communications page on Instagram
- Pay attention
