Fighting the Phishers

  • Friend's Hacked Instagram Account: A friend messaged the author asking for help reporting his hacked Instagram account. A few days later, the hacked account messaged the author on Instagram, and the author had almost forgotten the warning.
  • Scam Details: At midnight on Friday, the scammers sent a link asking the author to vote for "my friend" in a competition and demanded a confirmation screenshot. The site was hosted on Vercel with a free xxxxx.vercel.app domain. When the author clicked the "Vote with Instagram" button, it showed a faithfully reproduced sign-in screen but did not redirect to Instagram. This confirmed it was a scam.
  • Who Are They: The message was in the same language as previous chat messages, suggesting the scammers might be from the author's country or using a sophisticated targeting method. After a friend recovered his account, it was found that the scammers were Nigerian nationals using a +234 telephone area code and likely using translated texts.
  • Looking at Infrastructure: The phishing site used a Firebase Realtime Database to stream credentials to the scammers' backend. This was a smart setup, because the data was persisted both in the database and on the listening machines. Because the credentials were streamed, there was no way to stop the scammers from receiving them. The only way to counter this was to send fake credentials.
  • How Many People Fall for This: The scammers didn't set up access control on Firebase, so the author could watch people getting phished. Over a week, there were about 700 distinct login attempts. Most phishing occurred in the early morning or evening. Tech-savvy users were less likely to fall for the simple phishing attempt. The graph showed that users with less complex passwords logged in more often and became aware of the scam more quickly. The scam spread virally through victims' social networks.
  • Getting Back at Them: Reporting to Vercel was easy, and the site was taken down about 24 hours later. However, the scammers set up the same site again under a slightly altered domain name the next day.
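
An added example (not from the original post) for the re-deployment pattern in the last bullet: it flags URLs on the same free-hosting suffix whose project label is within a small edit distance of one that was already taken down. The labels, the threshold of 2 and the function names are assumptions, and the sample data is constructed.

```python
from urllib.parse import urlsplit

FREE_HOST_SUFFIX = ".vercel.app"   # free hosting suffix named in the post
TAKEN_DOWN = ["sample-vote-page"]  # constructed label of an already reported site
OBSERVED = [                       # constructed URLs, e.g. taken from reported messages
    "https://sampl3-vote-page.vercel.app/login",
    "https://sample-vote-pagee.vercel.app/",
    "https://my-portfolio.vercel.app/",
    "https://sample-vote-page.example.org/",
]

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def project_label(url):
    """Return the label in front of the free-hosting suffix, or None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host.endswith(FREE_HOST_SUFFIX):
        return None  # different host, or a URL without a scheme
    return host[:-len(FREE_HOST_SUFFIX)]

def find_respawns(taken_down, observed_urls, max_distance=2):
    """List (url, old_label, distance) for URLs resembling a taken-down site."""
    hits = []
    for url in observed_urls:
        label = project_label(url)
        if label is None:
            continue
        for old in taken_down:
            d = edit_distance(label, old)
            if d <= max_distance:
                hits.append((url, old, d))
                break  # one match per URL is enough for triage
    return hits

if __name__ == "__main__":
    for url, old, d in find_respawns(TAKEN_DOWN, OBSERVED):
        print(f"{url} resembles taken-down '{old}' (distance {d})")
```

A hit is a candidate for a fresh abuse report to the hosting provider, not proof on its own, since short labels can collide by chance.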