OsintOps Blog

OsintOps is the blog dedicated to all news concerning OSINT (and more)

Instagram password resets: what’s going on?

Setting the stage

During the week of 5th-11th of January, many people posted on social media about unsolicited emails requesting password resets for their Instagram account(s). In this article we explore what actually happened, to the extent of our knowledge and the information available to us, and debunk some attempts by social media influencers to alert the general public while delivering misinformation (i.e. disinformation of a kind, but without bad intent).

The attack vector, if any attack happened

One of the most widespread attack vectors malicious actors use to take over internet accounts is notifying you with fake password reset requests. Nobody is actually trying to access your account, but credential harvesters make you believe so and therefore invite you to access the platform’s security portal by clicking on a link they provide. This is the trap: you are made to believe you are accessing the legitimate security portal, but the website you actually interact with is a clone controlled by malicious actors that records the credentials you submit. It doesn’t stop there: they step up to the next level by proxying 2FA TOTP forms in order to log in on your behalf and store access tokens. In part, this is how some information stealers / grabbers work.

Often they use aged and properly set up websites in order to avoid spam filtering, but the malicious part resides in the body of the email: the link to click on to review the access request or password reset.

Today’s industry standards

For these two phishing emails, DKIM (i.e. DomainKeys Identified Mail, a cryptographic signature verification) is set up, and that is also how they passed some of the security checks at MX level.

Emails, before reaching your mailbox, are dispatched, filtered, labelled, or even rejected, by the MX server in charge of your domain. Think of MX servers as post offices.

Before delving into the chaos, we need to understand how email delivery works. Here’s what happens, at a very simplistic level, when Mario wants to send Luigi an email:

  1. Mario uses an email client to compose an email addressed to Luigi
  2. Mario’s MX server (e.g. mx.mario.it) takes charge of the request, sets headers and delivers the envelope to Luigi’s MX server
  3. Luigi’s MX server checks headers, IP and metadata in general, and decides what to do based on the rules of both mario.it and mx.luigi.it
  4. Eventually the email is either delivered to Luigi’s mailbox or rejected, or Mario receives an error message

Sender Policy Framework

When Mario communicates with the SMTP service of his MX server, he declares the sender email address. Back in the day it was possible for anybody to connect to (almost) any SMTP server and have it deliver an email spoofing any sender address; since then technology and policy have evolved widely.

While we have no control over who sends what, network administrators define instructions for MX servers on how to handle emails presented as coming from a user of the domain in question.
Let’s add Carlo, the malicious actor who wants to make Luigi believe he is Mario.

Mario cannot control Carlo’s MX server, but he can provide instructions to Luigi’s MX server via DNS records that (ideally) only Mario controls. Luca, a state-sponsored threat actor, could do DNS poisoning at internet level, but in that case the whole internet would be broken and there would be no emails to worry about.

Mario’s network administrator sets SPF (i.e. Sender Policy Framework) records in the DNS zone of mario.it in order to tell Luigi’s MX server, and the entire internet, to accept emails from mario.it only if they come from a given set of IP addresses and to reject them otherwise, for example. Therefore Luigi will receive an email from Mario only if it was sent from Mario’s MX. Luigi’s MX server will reject (i.e. not let through) Carlo’s email because Carlo’s MX server is not Mario’s MX server.
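As an added example that is not part of the original article, here is a minimal evaluator for the kind of SPF record Mario’s administrator would publish, checked against Mario’s and Carlo’s sending IPs. The record, the IP addresses and the MX names are constructed; include/a/mx mechanisms are left out because they need live DNS.

```python
import ipaddress

# Constructed sample: the SPF record mario.it's administrator might publish,
# assuming Mario's MX (mx.mario.it) sends from 203.0.113.10 or 2001:db8::/32.
MARIO_IT_SPF = "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate an SPF TXT record against the IP the sending MX connects from.

    Handles ip4, ip6 and all (with +, -, ~, ? qualifiers). include/a/mx would
    need live DNS lookups and are reported as permerror in this demo.
    Returns pass, fail, softfail, neutral, none or permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides everything else
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"       # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"               # mechanism not supported here
    return "neutral"                     # RFC 7208: no match and no "all"


def luigi_decides(record, sender_ip):
    """Luigi's MX rejects on a hard fail; other results are let through."""
    return "reject" if evaluate_spf(record, sender_ip) == "fail" else "accept"
```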

DomainKeys Identified Mail

DKIM is an authentication method used to verify the integrity and authenticity of email messages. It helps prevent email spoofing and phishing attacks by allowing the recipient to check that an email was indeed sent by the domain it claims to be from.

Sounds similar to SPF, right? That’s because both are email authentication mechanisms, the difference being that DKIM is about content integrity, ensuring nothing was tampered with in transit. It must be stressed that this says nothing about whether the content is malicious or not, only that it wasn’t modified. If I send a phishing email from a domain that has DKIM set up, and it isn’t tampered with in transit, the recipient’s MX server considers it valid. Plus, if it is sent from a server that SPF considers valid, the source is legitimate as well.

Domain-based Message Authentication, Reporting & Conformance

Put simply, DMARC is DKIM + SPF checks and more, to ensure spoofing fails. A useful addition is that you receive reports from the MX servers that receive emails claiming to come from your domain.

Brand Indicators for Message Identification

While the previous settings are very easy to set up and accessible to everybody, here we level up for real.

Domains that want a “blue check mark” displayed in receivers’ email clients (though not all clients show it) need to set this up. The configuration process also involves a paperwork verification of the organisation / company, allowing only legitimate and qualified legal entities to reach this level of verification status.

What about Instagram?

“Did they send the email? Was it them?” Yes. So please, (misinformation) content creators out there, reconsider your position and let digitally literate people do their thing.

Source: https://www.instagram.com/p/DTS53BQAJ0K/

At the time of writing, this video alone has 3.7M views. Don’t get me wrong: nothing against the creators per se, other than that they mislead hundreds of thousands of people. You may also believe this is just an exception, an isolated case, but I’m sorry to inform you that this is not the reality.

What’s misleading?

In their own words, the following is stated:

  1. “[…] it looks so freaking real […]”
  2. “[…] blue check mark and all […]”
  3. “[…] this link […] does actually take you to Instagram […]”
  4. “[…] this is actually an official email address from Instagram […]”

Here follows my unsolicited opinion:

  1. Because it is
  2. Say “Hi!” to BIMI
  3. What bad actor would spend so much effort only to direct you to the legitimate platform?
  4. So is it an official communication or phishing? What is your position?

Now that we agree they are misleading the audience by leveraging the “blue check mark”, let’s see what’s odd.
That “blue check mark” is not the one you can buy to get your profile “blue check marked”; it used to be reserved for legitimate sources. Anyway, emails are not social media posts.

The “blue check mark” is provided by Gmail itself and rendered in the UI; it is not part of the sender text label, and this can easily be verified by reading the email in a client that doesn’t display a “blue check mark” for BIMI-verified senders.

Let’s verify Instagram BIMI

First we click on the three dots on the right and then on “Show original”; this opens a new browser tab with all the headers and content. At the top we can see SPF, DKIM and DMARC, each followed by “PASS”. This is already a good starting point, don’t you agree?

The second step is to look for the “BIMI-Selector” header:

Finally we can run a dig query like the following:
dig TXT fb2025q1v1._bimi.mail.instagram.com

PEM file: https://instagram.com/cdn/cacheable/bimi_logo/instagram.pem

After downloading the PEM file, we can inspect it and actually see which CA issued it, for which company, and more:

So, let’s recap:

  1. Meta asked DigiCert to issue a CA-signed certificate for them
  2. DigiCert did its job (e.g. due diligence, background checks, …)
  3. Meta hosts that certificate publicly so that MX servers can retrieve it and verify its authenticity
  4. Gmail checks the DNS records for Instagram and sees valid SPF, DKIM, DMARC and BIMI
  5. Gmail renders a “blue check mark” in the UI to inform you that the communication is legitimate
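The verification walked through above (authentication verdicts in the headers, the BIMI-Selector, the name to query with dig, and the TXT record), as added example code that is not part of the original post: the headers and the BIMI TXT record are constructed samples, and only the selector, the domain and the PEM URL come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on Gmail's "Show original" view. Selector and
# domain are the ones the article queries (fb2025q1v1 / mail.instagram.com);
# the From local part is a placeholder.
RAW_HEADERS = """\
From: Instagram <placeholder@mail.instagram.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.instagram.com;
       spf=pass smtp.mailfrom=mail.instagram.com;
       dmarc=pass (p=REJECT) header.from=mail.instagram.com
BIMI-Selector: v=BIMI1; s=fb2025q1v1;
"""
# Constructed BIMI TXT record (v=, l=, a= tags). The a= value is the PEM URL
# quoted in the article; the logo URL is a placeholder.
SAMPLE_BIMI_TXT = ("v=BIMI1; l=https://example.invalid/logo.svg; "
                   "a=https://instagram.com/cdn/cacheable/bimi_logo/instagram.pem")


def auth_results(raw):
    """Verdicts for spf/dkim/dmarc taken from Authentication-Results header(s)."""
    msg = message_from_string(raw)
    verdicts = {}
    for field in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", field):
            verdicts.setdefault(method, result)   # first verdict wins
    return verdicts


def bimi_query_name(raw):
    """Build <selector>._bimi.<From domain>, the name the article resolves with dig."""
    msg = message_from_string(raw)
    m = re.search(r"\bs=([^;\s]+)", msg.get("BIMI-Selector", ""))
    selector = m.group(1) if m else "default"     # "default" when no selector header
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return f"{selector}._bimi.{domain}"


def parse_bimi_record(txt):
    """Split a BIMI TXT record into tags; reject anything that is not v=BIMI1."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if p.strip())
    if tags.get("v") != "BIMI1":
        raise ValueError("not a BIMI1 record")
    return tags


def bimi_eligible(raw):
    """Only consider the BIMI logo once SPF, DKIM and DMARC have all passed."""
    v = auth_results(raw)
    return all(v.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
```

Resolving the returned name and inspecting the downloaded PEM (for instance with `openssl x509 -noout -issuer -subject`) remain manual steps, as in the article.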

What about the second part of the video?

The second part is about the Instagram page on security-related communications delivered by Meta, and here’s another misunderstanding. While, until now, what they say is real, they conclude by stating something close to “here you don’t see their communication about the password reset, therefore it must be phishing”. Well… what a wild roller coaster this ride is!

Here we see a couple of cognitive biases: premature closure and confirmation bias. They didn’t verify all the information available to them; no blame here, because it’s not their fault if they are not literate, but it still remains their responsibility to properly inform users. Confirmation bias can be seen when they use their (mis)understanding to hold their position.

Still, I absolutely second their recommendations to:

  1. not click on links in emails you are not expecting
  2. check out the security communications page on Instagram
  3. watch out
