UPDATE
A new Instagram phishing scam circulating online lures victims in with promises of exclusive “verified account” status, then makes off with their personal information and credentials.
The scam centers on Instagram’s verified-account label: a blue checkmark indicating that the account belongs to a public figure, celebrity or global brand. That status is highly desirable for Instagram users, and scammers are looking to take advantage of the demand with a new phishing scam aimed at social media users, according to researchers.
“The lure of a social media verification checkmark symbol works great to entice unsuspecting victims. This is similar to the lure of ‘free’ (i.e., nulled, cracked) products, like premium WordPress plugins or themes,” said researchers with Sucuri in a Wednesday post.
Luke Leal, researcher with Sucuri, told Threatpost that he believes the scam was being distributed through Instagram. The phishing page has been reported and removed, he said.
Researchers became aware of the scam when they recently came across a phishing landing page built around it. The page masquerades as Instagram’s real verification submission page and prompts victims to apply for verification.
After clicking the “Apply Now” button, victims are led through a series of phishing forms on the domain Instagramforbusiness[.]info. The forms first ask for the victim’s Instagram login credentials and then, as a supposed “confirmation” step, for the address and password of the email account linked to it.
Each form submission is emailed to the attackers, researchers said, giving them everything they need to log into victims’ social media accounts.
Instagram does employ several anti-fraud measures to flag suspicious logins. For instance, when a login looks suspicious, Instagram detects it via fingerprinting (in which browser and device attributes are combined into a single, unique identifier, so that a returning client can be recognized without storing any persistent identifier on the user’s machine) and asks the account holder to confirm the login.
However, because this phishing scam also harvests the credentials for the victim’s linked email account, the attackers can satisfy that check themselves: they can read any confirmation email, reset the Instagram password and “verify” ownership of the hijacked account.
That said, there are a variety of ways that users can detect the scam, researchers said.
For one, the domain name of the phishing landing page (Instagramforbusiness[.]info) is clearly not Instagram.com, even though it contains the word “Instagram”. The page is also served over plain HTTP rather than HTTPS, a sign that it is not a legitimate login page (though the reverse does not hold: a phishing page served over HTTPS is still a phishing page).
Furthermore, the page looks nothing like the legitimate account verification process. To request verification, Instagram users go into their own account settings and tap “Request Verification”; at no point are they asked for their email or password.
“Instagram will never ask for a linked email account’s password as confirmation,” researchers said. “It will use the standard method of sending an email with a verification link for you to click.”
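The three red flags above (a registrable domain other than instagram.com, no HTTPS, and the brand name used as a lure in a domain Instagram does not own) are easy to encode as a triage check for links reported by users. The following is an added example written for this article; it is not code from Sucuri or Instagram. The allowlist, the two-label approximation of the registrable domain, the `assess_url`/`triage` helper names and the sample URLs are all assumptions made for illustration; the only URL taken from the article is the Instagramforbusiness[.]info domain, and it is included here as a constructed, inert string.

```python
"""Heuristic triage of Instagram-themed links reported as phishing.

Added example for this article; not code from Sucuri or Instagram.
Assumptions: only instagram.com is treated as Instagram's own domain,
and the registrable domain is approximated by the last two labels.
"""
from urllib.parse import urlsplit

# Assumption: registrable domains that are genuinely Instagram's.
LEGITIMATE_DOMAINS = {"instagram.com"}
# Brand strings a lure domain is likely to contain.
LURE_KEYWORDS = ("instagram", "insta")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'evil.info'.

    Simplification: production code should consult the Public Suffix List
    so that suffixes such as '.co.uk' are handled; two labels are enough
    for the shapes of domain seen in this scam.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Return the red flags a single URL raises and an overall verdict."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # a scheme-less link is plain HTTP in practice
    parts = urlsplit(url)
    # .hostname drops userinfo and the port and lower-cases the host, so
    # 'https://instagram.com@evil.info/' resolves to host 'evil.info'.
    host = parts.hostname or ""
    flags = []

    # Flag 1: not served over HTTPS (the page in the article was plain HTTP).
    if parts.scheme != "https":
        flags.append("no_https")

    # Flag 2: the registrable domain is not Instagram's, regardless of
    # what the host looks like. HTTPS on a non-Instagram domain is still
    # suspicious; encryption says nothing about who runs the site.
    domain = registrable_domain(host)
    if domain not in LEGITIMATE_DOMAINS:
        flags.append("domain_not_instagram")
        # Flag 3: the brand name used as a lure in someone else's domain,
        # e.g. instagramforbusiness.info or instagram.com.evil.info.
        if any(keyword in host for keyword in LURE_KEYWORDS):
            flags.append("lookalike_host")

    # A classic trick: the brand placed before '@' so a casual glance
    # reads 'instagram.com' while the browser connects elsewhere.
    if parts.username is not None:
        flags.append("userinfo_in_url")

    return {
        "host": host,
        "registrable_domain": domain,
        "flags": flags,
        "verdict": "suspicious" if flags else "ok",
    }


def triage(urls) -> dict:
    """Assess a batch of URLs; returns {url: assessment}."""
    return {url: assess_url(url) for url in urls}


# Constructed sample inputs: the article's phishing domain plus three
# hypothetical variants and one legitimate Instagram URL.
SAMPLE_URLS = [
    "http://instagramforbusiness.info/apply",
    "https://www.instagram.com@instagramforbusiness.info/verify",
    "https://instagram.com.evil.info/login",
    "https://www.instagram.com/accounts/login/",
]

if __name__ == "__main__":
    for url, result in triage(SAMPLE_URLS).items():
        print(f"{result['verdict']:10} {url}  flags={result['flags']}")
```

Running the block prints one line per sample URL. Only the genuine instagram.com link comes back `ok`; the article's domain raises all three flags, and the HTTPS lookalikes still come back `suspicious` because the verdict keys on the registrable domain rather than on the presence of encryption.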
Researchers said that social media is becoming a bigger attack surface for scammers: hackers have tried to steal Facebook credentials by faking social login prompts, and have used social media platforms to impersonate celebrities and bilk victims out of money.
“Phishing attacks against social media accounts continue to increase for a few different reasons, namely for its large user base and the potential source of personal information that can be stored on social media accounts (e.g., date of birth, first + last name, general location, phone number, email address) and this personal information can then be used for further malicious activity while the victim is unaware and just thinks their social media account was stolen,” Leal told Threatpost.
An Instagram spokesperson told Threatpost that the company always advises users to be wary of any communication purporting to come from Instagram.
“If we’re ever making an effort to contact you about an issue related to your account, we will notify you within the Instagram app in addition to other avenues,” said the spokesperson. “If you receive an email or another type of notification (text, etc.) that seems suspicious, you can open the Instagram app to check if you’ve gotten a notification about anything there. For extra security, we advise members of the Instagram community to ensure two-factor authentication is in place.”
This article was updated on June 28 at 8:40 am with additional comments from Instagram.