There is always something going viral on Instagram; that’s the beauty of this particular social sharing platform. Unfortunately, the latest Instagram craze is more viral than is healthy: the Nasty List is actually a login credential stealer.
What is the Nasty List?
The Nasty List phenomenon seems to have started earlier this week. It first came to my attention when a Reddit user asked if anyone else was having a problem with the Instagram Nasty List. “I logged onto Instagram yesterday and I had a dm from my sister. It said I was in some kind of Nasty List” the Reddit user by the name of molecularwolf explained, continuing “Well I had just woken up and I was kind of out of it so I clicked on it because I was curious. I then realized that it was probably a virus, but too late, I had already clicked.”
The scam works by using compromised accounts to send direct messages to their followers, each expressing shock that the recipient is on the Instagram Nasty List. You can find examples of Nasty List message formats at Bleeping Computer, but these usually start with something like “OMG your (sic) actually on here at number 38” or “WOW. Your (sic) on here!!! ranked 100.” The messages all include a link that promises the full Nasty List and an explanation of why the recipient is on it. That link lands on a convincing-looking, but fake, Instagram login page.
What happens next?
If you fail to spot that the URL of the login page is wrong, which is likely, since all you want is to see why you are on this list, then your login credentials will be scraped. Armed with your now compromised Instagram username and password, the hackers will use this account access to continue distributing the Nasty List messages. They will also, of course, have control of your Instagram account and all that brings with it! What the people behind the Nasty List plan to do with all these compromised Instagram accounts remains to be seen. However, I would be surprised if there isn’t a botnet of some kind waiting to make good use of them by way of spamming campaigns or malware distribution.
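The single check that defeats this scam is the one the paragraph describes: look at the host in the address bar before typing a password. The following is an added example (not code from the original article or from Instagram) of that check written down as a small triage script. It assumes instagram.com and its subdomains are the only legitimate login hosts, and the direct messages and URLs it runs over are constructed for the demo; the hostnames use the reserved .example domain and are not real scam sites.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the real login page lives on instagram.com or a
# subdomain of it. Adjust if the platform documents other domains.
OFFICIAL_DOMAINS = ("instagram.com",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample DMs in the style the article quotes; the links are placeholders.
SAMPLE_DMS = [
    "OMG your actually on here at number 38 https://instagram.com.nasty-list.example/login",
    "WOW. Your on here!!! ranked 100 https://instagram-com.example/accounts/login/",
    "Reset your password at https://www.instagram.com/accounts/password/reset/",
    "Look https://xn--instagrm-9za.example/accounts/login/",
    "https://instagram.com@phish.example/login",
]


def is_official_login_url(url: str) -> bool:
    """Return True only if the URL is HTTPS and its host really is an official domain.

    The checks mirror what a person should verify in the address bar:
      - the scheme is https, not http
      - the hostname is exactly the official domain or a subdomain of it, i.e. the
        official name is the END of the host, not just somewhere inside it
      - no user:password@ prefix, which puts a fake "instagram.com" before the real host
      - no punycode (xn--) labels, where lookalike characters hide
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    if not host or parts.username is not None or parts.password is not None:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(message: str):
    """Extract every link in a DM and label it 'official' or 'SUSPICIOUS'."""
    return [
        (url, "official" if is_official_login_url(url) else "SUSPICIOUS")
        for url in URL_RE.findall(message)
    ]


if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        for url, verdict in triage(dm):
            print(f"{verdict:10s} {url}")
```

Only the third sample passes; the first two contain the string instagram.com but are not on that domain, the fourth hides a lookalike behind punycode, and the last puts the familiar name in the userinfo part of the URL so the browser actually connects to phish.example.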
What to do if you’ve already clicked on the Nasty List link
Your course of action to recover control of your account will depend on whether the hackers have already changed the email address and phone number associated with it. If they have not, then go to Settings > Privacy and Security > Password and follow the procedure to change your password. If the hackers have already changed your details then you will need to follow the Instagram process for regaining control of a hacked account. You can find full instructions for this here.
What else should you do?
If you are not already using two-factor authentication (2FA) then I recommend you do this immediately. This is a very simple process that will work with apps such as Google Authenticator. Sure, it will add a few seconds to your login time when you sign in from a device other than your usual one, but it will also prevent scams such as the Nasty List from being able to get control of your account. Full instructions for enabling Instagram 2FA can be found here.