Scammers Use Instagram's 'Verified Account' Status to Steal Users' Credentials


What do the (usually) blue tick badges placed next to the names of some Instagram, Twitter, and Facebook profiles do? Technically, they indicate that the social network has verified the account owner, but for many people, it's about a lot more than that.

For them, the blue tick is a sign that the owner of the account stands above mere mortals. They think that those who are lucky enough to get the verified badge have more impact on the way other people think and act. Consequently, some badge owners do indeed try to "influence" their followers, and they receive healthy sums of money for endorsing different products.

Because of all this, some users are ready to go to great lengths to get the coveted badge on their profile. In fact, a Mashable investigation from a couple of years ago showed that, back then, some Instagrammers were paying thousands of dollars to get the blue checkmark. Imagine what these people would do if they received an email telling them that they could get their accounts verified for free just by clicking a link. Well, the cybercriminals have already imagined it.

Phishers create a fake Instagram account verification page

Researchers from Sucuri recently stumbled upon a phishing page designed to trick victims into thinking that they are about to have their Instagram accounts verified. Although Sucuri didn't explicitly say how the scam propagates, this type of activity usually involves unsolicited emails, which means that if you find a link that leads to http://instagramforbusiness[.]info in your inbox, you're better off deleting the message.

The criminals have done their homework and have created a web page that looks remarkably close to the original. The first thing victims see is a landing page that has some information on what verifying an account means. There's an "Apply Now" button which leads to a login form that is again pretty much identical to the real thing.

The crooks want to phish victims' email credentials as well

The Instagram login credentials the victims enter on the phishing page are automatically emailed to the crooks. Often, however, these are not enough to hijack an account. The selfie-sharing social network has a Suspicious Login mechanism that can lock down your profile if it senses unusual activity around it. In such cases, regaining access to your account happens with the help of either your phone number or the email address associated with your Instagram profile.

The crooks want to ensure that even if they trigger the Suspicious Login lockdown system, they will still be able to hijack your account, which is why they try to get access to your email inbox. After you enter your Instagram login credentials, the phishing page tells you that you need to "confirm your email". Doing this involves giving away not only your email address but also your email password.

There are more than a few things that can tip you off

The phishers do seem to be pushing their luck a bit. Social networks like Instagram will never ask you for your email password. In fact, if a website that's not connected to your email provider requests it, you should probably walk away immediately. We can only hope that most of you are aware of this, but even if you aren't, there are a few other things that will hopefully set off some warning lights.

The domain name, while close to the original, doesn't belong to Instagram, and confirming this is a matter of a quick Whois search. The phishing page is served over HTTP rather than HTTPS, and modern browsers show visible warnings about this every time you move the cursor to the username and password fields.
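For anyone triaging reported links, the warning signs above can be checked mechanically. The following is an added example, not code from Sucuri or from the original article; the allowlist of official domains, the finding labels and the sample page body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: the official-domain allowlist and the brand token to look for.
OFFICIAL_DOMAINS = {"instagram.com"}
BRAND = "instagram"

def refang(url):
    """Undo the defanging used in reports (hxxp, [.]) so the URL can be parsed."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

class _PasswordFieldFinder(HTMLParser):
    """Records whether the page contains an <input type="password">."""
    def __init__(self):
        super().__init__()
        self.found = False
    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found = True

def is_official(host):
    # Exact match or a true subdomain; "notinstagram.com" must not pass.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(url, html=""):
    """Return the warning signs for a link and, optionally, its page body."""
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower()
    findings = []
    if BRAND in host and not is_official(host):
        findings.append("brand-lookalike-domain")
    if parts.scheme != "https":
        findings.append("no-https")
    finder = _PasswordFieldFinder()
    finder.feed(html)
    if finder.found and not is_official(host):
        findings.append("password-form-on-unofficial-host")
    if finder.found and parts.scheme != "https":
        findings.append("password-form-over-http")
    return findings

# Constructed sample page body, not captured from the real phishing site.
SAMPLE_HTML = '<form method="post"><input name="u"><input type="PASSWORD" name="p"></form>'

if __name__ == "__main__":
    print(triage("http://instagramforbusiness[.]info", SAMPLE_HTML))
    print(triage("https://www.instagram.com/accounts/login/", SAMPLE_HTML))
```

The substring test is deliberately coarse: it catches names that embed the brand, but a Whois lookup is still what confirms who owns a domain.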

Last but not least, users should realize that the verified badge isn't a vanity object that makes some people more prominent than others. It's a way of showing which accounts represent the views and opinions of major brands and celebrities and which ones are trying to impersonate or parody them. Instagram won't verify your account unless you have a large following or you've somehow managed to come to prominence. Even if that's the case, you (or your agent) might be forced to ask politely for the badge, and there's no guarantee that you'll get it.

Unless you really need it, you should probably focus on enjoying Instagram without it. As you can see, it can save you quite a lot of headaches.

July 2, 2019
