Nasty List — Another Instagram phishing attack

Instagram is a social media network full of people just like us — eager to connect, share news, and experience things together. And it has a jaw-dropping 1 billion users worldwide, all connected by this giant network through which trends, news, and hoaxes flow and either fizzle out, or spark into a fire.

When someone gets a direct message on Instagram, something like “OMG, your totally on the Nasty List! this is horrible”, they will naturally be curious about it. “Your at number 38!” — wow, why? What’s this Nasty List?

The Nasty List is the newest phishing scam targeted at Instagram users. Direct messages are being sent to people from hacked accounts, pointing to a profile which links to The Nasty List:

“People are really putting all of us on here, I’m already in 37th position, if your reading this you must be on it too”


In reality, the link leads to a phishing site. The phishing site mimics the appearance of a real Instagram login page, but its web address is not associated with Instagram. If someone types in their user information, a bot should automatically log them into their account, and they may not even notice anything suspicious.
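The web address is the one thing the fake login page cannot copy, and it can be checked mechanically. The Python sketch below is an added example, not part of the original article; the allowlist of official domains and the sample URLs (built on the reserved `.example` TLD) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the registrable domains accepted as genuinely Instagram's.
OFFICIAL_DOMAINS = {"instagram.com"}


def is_official_instagram_url(url: str) -> bool:
    """True only for an https URL whose host is instagram.com or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # strips any "user@" prefix and the port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".").lower()
    # Non-ASCII or punycode (xn--) labels are how homograph lookalikes are built.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False
    # Compare whole labels from the right, never a substring or a prefix.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


# Constructed sample links, not taken from the real campaign.
SAMPLES = [
    "https://www.instagram.com/accounts/login/",       # genuine
    "https://instagram.com.nasty-list.example/login",  # real name used as a subdomain
    "https://instagram.com@nasty-list.example/login",  # real name in the userinfo part
    "https://lnstagram.com/accounts/login/",           # typo lookalike (l for i)
    "http://www.instagram.com/accounts/login/",        # right host, no TLS
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "official" if is_official_instagram_url(sample) else "NOT Instagram"
        print(f"{verdict:14} {sample}")
```

Only the first sample passes; the others show why "the address contains instagram.com" is not a sufficient check.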

This is not a virus that could infect anyone’s device, or harm their files. Nor would an antivirus program protect against this type of scam. Besides, if 2-factor authentication is activated, the account should be safe.

The Nasty List attack is dangerous to people who use the same username and password for other accounts. This is a real threat to people’s security, with various polls finding that the majority of people reuse the same password for multiple or even all accounts. Having only one of their passwords stolen can cause problems — if not immediately, perhaps a few months later, when the login information is used to get into their accounts on other websites.

Stolen usernames, passwords, and email addresses can be sold to online criminals, who then try to use the info for credential stuffing — a type of cyberattack. The cybercriminals try to log into online stores or any other websites where they could get their hands on more personal information, including credit card data. After all, what cybercriminals are trying to do is make money.

This is why privacy, password security, and 2-factor authentication are so important — as well as constant vigilance online.

What people who have been caught by the scam can do is change their password — not just on Instagram, but on other sites. And change it regularly. Some websites do not inform their users when their security is breached and user data is leaked, whether to avoid negative press, or because they just do not notice the event. Even though total privacy seems impossible, we can try to stay one step ahead of the hackers.

We have an article about the various Instagram viruses, scams and attacks here — Instagram Virus.
