An Instagram message chain about supposed “copyright infringement” takes advantage of newly registered .ORG domains to steal account passwords.
The messages originate from compromised Instagram accounts that in turn message their contact lists, spreading the odds of the phishing campaign in a viral manner.
The .ORG domains were registered this week or in late January and while they display nothing on the main page, they serve a form made to look like an Instagram login page:
Domain WHOIS data points to a registrant in Turkey; the domains are with Registrar.eu, a reseller of OpenProvider. The domains are hosted on an IP operated by the Microsoft cloud.
Here’s the list of domains perpetrating this phishing campaign on Instagram:
appealformcontacts.org
appealformnotice.org
appealformslive.org
businesscentersappealforms.org
businesscentreappealforms.org
businesscentreforms.org
The following domains are also being used:
businesscenterform.website
igcopyrightappealscenter.com
metacontactcenter.ml
When receiving such messages, do not click on any links. Do not log into your Instagram account form links in messages and typically ignore “dramatic” prompts for infringement and the like; if that were real, Instagram would disable your account in the first place.