An Instagram phishing campaign attempting to scam users by offering blue badges has emerged. Verified accounts that represent a public figure, celebrity, or brand receive blue badges from the big social media platforms.
Attackers take advantage of Instagram’s highly sought-after verification program to harvest user credentials.
A spear-phishing email informs recipients that Instagram has reviewed their accounts and identified them as eligible for a blue badge.
The new attack was spotted by threat analysts at Vade, an AI-based email security service, who reported that the first messages to targets were sent out on July 22.
During the deployment, email distribution volumes spiked twice, once on July 28 and again on August 9, 2022, with more than 1,000 phishing messages per day.
The messages feature Instagram and Facebook logos and inform the recipient that their account is eligible for a blue badge, urging them to click on an embedded button that would take them to the relevant submission form.
Those who fall for the scam are encouraged to fill out a form and claim their badges. The message warns users that if they ignore it, the form will be permanently deleted in 48 hours, creating a sense of urgency and the illusion of a limited opportunity.
- The phishing form is hosted on a domain named “teamcorrectionbadges”, suggesting Instagram uses a separate, dedicated domain to verify users.
- The phishing process is dependent on a three-stage form, each step showing Instagram and other social media platform logos to create a sense of legitimacy.
- On the first form – the victim must enter their username.
- On the second – their name, email, and phone number.
- And on the third – they must enter their password, to prove their ownership of the account.
- Once the victim completes the process, a message informs them that their account is now verified and that the Instagram team will contact them in the next two days.
- The final step involves presenting a fake case ID to the victims.
To protect yourself from this type of attack, you need to know how Instagram badges actually work:
- Firstly, the most important thing is that the social media platform will never contact you offering a blue badge. Users can only get it by applying themselves.
- Applying for verification is only possible through the official platform, never by visiting a separate domain.
- Instagram blue badges are reserved for notable public figures, celebrities, and brands (your account must represent a well-known, highly searched-for person, brand or entity), so regular accounts aren’t eligible.
- Never authorize any suspicious apps and never use bots such as auto-follow services that promise to increase follower counts or add comments to posts.
- Keep 2-step verification turned on at all times. It will prevent hackers from accessing your account even if they know the password.
- If you receive any email regarding blue badge verification, the best thing to do is not click anything in it and delete it as fast as possible.
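The two rules above (Instagram never offers a badge by email, and verification never happens on a separate domain) can be turned into a simple mail-filter check. The following is an added example, not code from Vade or from the original article; the allowlist, the keyword patterns and the `.example` hosts are assumptions, since the article gives only the name “teamcorrectionbadges” and no full address.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts treated as official in this sketch; adjust to your policy.
OFFICIAL_DOMAINS = {"instagram.com", "facebook.com"}
# Assumption: keyword patterns modelled on the lure described in the article.
LURE = re.compile(r"blue\s+badge|verified\s+badge|badge\s+form", re.I)
URGENCY = re.compile(r"\b\d+\s*(?:hours?|hrs?)\b|permanently\s+deleted", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def is_official(host: str) -> bool:
    """True only for an official domain or a genuine subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def assess(body: str) -> dict:
    """Check an email body for the traits this campaign relied on."""
    # urlsplit().hostname ignores userinfo, so "instagram.com@other.example"
    # resolves to "other.example" and is judged on its real host.
    hosts = {urlsplit(u).hostname or "" for u in URL.findall(body)}
    off_platform = sorted(h for h in hosts if h and not is_official(h))
    lure = bool(LURE.search(body))
    urgency = bool(URGENCY.search(body))
    # A badge offer that links off-platform is the decisive combination;
    # the urgency flag only adds confidence for an analyst.
    return {"lure": lure, "urgency": urgency,
            "off_platform_hosts": off_platform,
            "suspicious": lure and bool(off_platform)}


# Constructed sample messages (not taken from the real campaign).
PHISH = ("Your account is eligible for a blue badge. Complete the badge form "
         "within 48 hours or it will be permanently deleted: "
         "https://teamcorrectionbadges.example/form")
LOOKALIKE = ("Claim your blue badge now: "
             "https://instagram.com.badge-verify.example/login")
BENIGN = "Learn how the blue badge works: https://help.instagram.com/"

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("lookalike", LOOKALIKE),
                      ("benign", BENIGN)):
        print(name, assess(msg))
```

The lookalike sample shows why the host comparison is anchored on the right-hand side: a hostname that merely starts with `instagram.com` is still off-platform.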
Phishing emails frequently target social media users, and the recent Instagram campaign targeted the carelessness and enthusiasm of users when lured with the opportunity to upgrade their social account status. As an added security measure, Instagram offers two-factor authentication for your account.