Analyzing the uglywall Instagram attack*

Something that came up rather unexpectedly today was an Instagram DM telling me to go to this profile:

—Because apparently I was on ‘the wall’.

Of course, this meant two things:

  1. The person who sent me the DM got their account hacked.
  2. I would spend the next couple minutes trying to see what attack or scam this was supposed to be because it’s summer and who cares.

So the first thing I did was see where the link led me.

Which was straight back to Instagram with an extra cookie.

I have no idea what the cookie is for. And since I’m paranoid I deleted it. I’m stupid, I just realized that the cf is for Cloudflare.

The next thing to do was obviously whois the domain to see what was up.

Some of the whois sites didn’t give me anything, but some did, and they gave me this:

The domain was apparently made today and has no useful info.

Even worse, Cloudflare blocked me when I tried to sneak into the site without being redirected.

However, I still managed to snatch the site by using HTTrack and got this:

 

The link led to itself and the page had a constant refresh loop on it.

 

All of the other files I could crawl were just the Cloudflare scripts and CSS.

Final Verdict: No idea, but it seems harmless and I wasted time doing this and even more time going back to take screenshots for this post.


*Might not be an attack, I just need to be a sensationalist to get clicks

Maybe share so I get views