Instagram users have been targeted with a new phishing scam that pretends to offer verified badges as a way to trick them into disclosing their login credentials.
Instagram's verified badge is highly sought after and is typically offered to celebrities, influencers, public figures, and major brands on the platform. The verification badge can make a huge difference to users as it adds legitimacy to their account and can lead to sponsorship or other business opportunities.
Hackers know just how coveted these blue badges have become and they’ve been able to use this as an effective lure for their phishing scam.
Victims have received emails claiming to be from the ‘Instagram Verify Team’, offering them the chance to apply for a verified check mark. In order to receive their badge, they are asked to verify their account and submit their personal details.
Image: Instagram Phishing Email (Source – Trend Micro)
Once the user clicks the ‘Verify Account’ button, they are redirected to a phishing page that asks for their email address, username, date of birth, phone number and password.
As soon as they submit this information, a badge notification briefly appears which gives the user the impression that their profile has been verified.
Unfortunately, no such verification has taken place and as soon as the attackers gain control of the victim’s Instagram account, the extortion attempts begin. Hackers threaten to delete the user’s profile unless the victim pays a ransom or sends nude photos or videos.
Researchers at Trend Micro have reported cases of Instagram accounts with between 15,000 and 70,000 followers being hacked and never retrieved. Victims of the scam have ranged from famous actors and singers to owners of small businesses.
At this stage, it’s unclear exactly who is behind the campaign; however, initial analysis points to a group of Turkish-speaking hackers.
Instagram issued a statement warning its users to be wary of any communication purporting to be from the company: "We will never proactively email you about verification, and we will certainly never attempt to sell you verification. Beyond ads, Instagram does not sell any products or services and will not make any offers to you via email".
To protect yourself from falling victim to these types of phishing scams, never click on suspicious links or download attachments from unknown sources. Other signs to look out for include poor grammar, a mismatched URL, threatening or urgent language, claims of prizes, or a request for personal information. It’s also advisable to activate two-factor authentication on all your social media accounts to add an extra layer of security.
Our award-winning MetaPhish solution provides a powerful defence against phishing and ransomware attacks. Contact us for further information on how we can help protect your business from this growing threat.