Phishers stealing Instagram credentials by offering the verification badge
1 July 2019
Security researchers have unearthed a new phishing scam that involves phishers obtaining login credentials of Instagram users by offering them the verified blue tick badge on the social media platform.
The “blue tick” verification badge on Instagram is not only a way to brand an account as belonging to “a notable public figure, celebrity, or global brand”, but also helps fans of popular actors, musicians, politicians, and other public figures separate the genuine accounts of their stars from impostor accounts.
Considering that Instagram now has over a billion users from across the globe and serves as a powerful platform for celebrities and public figures to distribute content, there is a great demand for the “blue tick” verification badge all over the world.
Instagram itself offers users a way to apply for the verification badge to get their accounts branded as verified and genuine. The “Request Verification” tab is located in the “Settings” section in a user’s profile page and can be navigated to in seconds. Once a user submits a request, the application is reviewed by an Instagram team before it is accepted or denied.
Phishing scam luring people to share their Instagram credentials
However, many people who have a presence on Instagram are not aware of the feature even though many of them crave the verification badge that confirms their status as a notable public figure or celebrity. This lack of awareness has resulted in fraudsters gaining access to users’ Instagram credentials by luring them with a way to obtain the “blue tick” verification badge.
Security researchers at Sucuri recently observed a phishing scam in which fraudsters use a website at instagramforbusiness[.]info to lure people into entering their Instagram account details, credentials, and associated email addresses in exchange for a verification badge.
The website features Instagram’s logo, provides a detailed description of why Instagram verifies certain individuals (to prevent impersonation), and features a tab named “Apply Now” which visitors are required to tap to apply for a verification badge.
“After clicking Apply Now, it begins a series of phishing forms on the phishing domain instagramforbusiness[.]info. This form targets the victim’s Instagram login information and then asks them to confirm their email address…by asking for their email address and password credentials,” wrote researcher Luke Leal in a blog post.
“After submitting each form, the login information is sent via email to the hackers. This provides them with unauthorized access to the victim’s social media page. Instagram employs fingerprinting and a variety of other methods to determine suspicious account logins. If detected, they lock down the account with a “Suspicious Login Attempt” warning.
In order to avoid this account lockdown, attackers need one of two things: access to the phone number used to register the account (if applicable as Instagram doesn’t require a phone number for signup) or access to the email address associated with the profile. This explains why hackers also target associated email login information on this phishing page. It allows them to reset and verify ownership of the phished Instagram account should the “Suspicious Login Attempt” warning be triggered,” he added.
How can Internet users spot phishing websites?
Leal said that, to avoid being defrauded by such scams, Internet users should only trust the domain “instagram.com”, should check that a site uses HTTPS before entering login information, and should know that Instagram will never ask for a linked email account’s password as confirmation.
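The advice above comes down to one mechanical check: the host a browser actually connects to must be instagram.com (or a sub-domain of it), regardless of whether the word “instagram” appears somewhere in the URL or the page is served over HTTPS. The following checker is an added illustration written for this article; it is not code from Sucuri’s write-up. The sample URLs are constructed for the example (only instagramforbusiness[.]info is a domain named in the report; the paths and the other hosts are made up), and the host-matching rule is deliberately strict rather than a full public-suffix lookup.

```python
"""Flag Instagram look-alike URLs by inspecting the real host part.

Added example for this article, not Sucuri's or the article's own code.
Sample URLs are constructed; see the lead-in for which parts are assumed.
"""
from urllib.parse import urlsplit

# The only domain we trust. Sub-domains (www.instagram.com, help.instagram.com)
# are accepted; instagram.com.evil.example is not, because it does not END
# with ".instagram.com".
LEGIT_DOMAIN = "instagram.com"


def _normalize(url: str) -> str:
    """Treat a bare 'instagram.com/...' (no scheme) as https:// for parsing."""
    url = url.strip()
    return url if "://" in url else "https://" + url


def hostname_of(url: str) -> str:
    """Return the lowercase host a browser would actually contact.

    urlsplit() does the hard part: it discards userinfo
    (https://instagram.com@evil.example/ contacts evil.example), ports and
    paths. A trailing dot (fully qualified form) is stripped as well.
    """
    host = urlsplit(_normalize(url)).hostname or ""
    return host.rstrip(".").lower()


def is_legit_instagram(url: str) -> bool:
    """True only for instagram.com itself or one of its sub-domains."""
    host = hostname_of(url)
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify(url: str) -> str:
    """'legit', 'lookalike' (brand name abused, or an IDN/punycode host that
    deserves a second look) or 'other' (unrelated site)."""
    if is_legit_instagram(url):
        return "legit"
    host = hostname_of(url)
    # The brand name anywhere in the URL (host, userinfo or path) on a foreign
    # host is the classic pattern: instagramforbusiness.info,
    # instagram.com.something.example, https://instagram.com@evil.example/.
    if "instagram" in url.lower():
        return "lookalike"
    # Punycode labels (xn--...) can hide homograph spoofs of the brand name;
    # flag them for manual review rather than trusting the raw string.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    return "other"


def check(url: str) -> dict:
    """Verdict plus the two facts a user should actually look at: the real
    host and whether HTTPS is in use. HTTPS on a look-alike host is still a
    look-alike; the scheme alone proves nothing about who runs the site."""
    scheme = urlsplit(_normalize(url)).scheme.lower()
    return {
        "url": url,
        "host": hostname_of(url),
        "https": scheme == "https",
        "verdict": classify(url),
    }


# Constructed sample input for the example.
SAMPLE_URLS = [
    "https://www.instagram.com/accounts/login/",          # genuine
    "https://instagramforbusiness.info/apply",            # domain from the report, path constructed
    "https://instagram.com.verify-badge.example/login",   # brand used as a sub-domain prefix
    "https://instagram.com@verify-badge.example/",        # userinfo trick: real host is after the @
    "https://xn--example-label.example/",                 # placeholder punycode label, flagged for review
    "https://example.com/",                                # unrelated site
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(check(u))
```

Run it and the instagramforbusiness[.]info entry comes back as `https: True` and `verdict: lookalike`, which is the point: the padlock is not the test, the host is.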
Commenting on the new phishing scam, Corin Imai, senior security advisor at DomainTools, said that it is yet another demonstration of how good cybercriminals have become at identifying and exploiting trends.
“Phishing scams are often socially engineered to either scare the recipient into taking an immediate action, such as clicking on a link or downloading an attachment, or to steal user credentials with the promise of something appealing, such as a free phone or, indeed, a “verified” blue checkmark on Instagram.
“Users should always remember to check that the URL of the webpage that they are visiting corresponds to that of the website they intend to access, and should type the address manually rather than follow a link received via email or via direct message.
“It is worth spending a little more time validating the legitimacy of a website before submitting any personal information. To further protect online accounts, multi-factor authentication should be enabled wherever possible,” she added.