There’s nothing quite like the cachet of that elusive “verified” blue check mark from Instagram.
How you get one is somewhat mysterious, as Forbes’s Tom Ward has found out: it’s not always enough to be famous and have a ton of followers, and it’s not always enough to get a digital agency to submit a request for you.
But here’s one sure-fire way not to get that little blue check, and to get your account credentials stolen instead: scammers are promising to get you a “verified” badge, but when Instagram users fall for the “apply now” come-on, their login credentials are phished away.
The scam was spotted by security researchers with Sucuri. One of the researchers, Luke Leal, said in a post last week that they recently came across a page that was spoofing a real Instagram Verification submission page.
Verily, do not click that verification come-on
The researchers said that after the victim clicks the Apply Now button, the page serves a series of phishing forms hosted on the phishing domain instagramforbusiness[.]info. The forms first ask for the victim’s Instagram login details (username and password), then instruct the victim to “confirm” the email address linked to the account, along with that email account’s password.
Once the phishing page has the credentials, they are emailed to the scammers, who can then take over the victims’ accounts, adding to a pile of hijacked accounts that just keeps growing.
Leal notes that Instagram has ways to detect suspicious logins. When it spots one, it locks the account behind a ‘Suspicious Login Attempt’ warning.
There are ways for attackers to get around that, though, Leal said. They need just one of two things: access to the phone number used to register the account (if there is one, since Instagram doesn’t require a phone number for signup) or access to the email address associated with the profile.
That’s why the phishing page also goes after the credentials of the account’s associated email, he said: with access to the victim’s mailbox, attackers can complete the password reset and “verify ownership” of the phished Instagram account even if the ‘Suspicious Login Attempt’ warning is triggered.
Don’t let the blue checkmark bedazzle you
Keep in mind that Instagram accounts are a hot commodity these days. With so many crooks hijacking accounts, holding them for ransom or selling them on the dark web, it pays to cast a hairy eyeball on any Instagram-related notice you get, particularly one that asks for your login.
Sucuri notes that there were some clear signs that this page, which has since been reported and removed, was malicious:
- The domain name is clearly not instagram.com.
- A lack of HTTPS triggers “not secure” warnings in visitors’ browsers. Big-brand companies like Instagram use HTTPS on their websites, especially on pages that handle logins and other sensitive information. The converse is not a safe test, though: a padlock only means the connection is encrypted, not that the site is who it claims to be, and phishing sites can obtain certificates too.
- Instagram will never ask for the password of a linked email account as confirmation. It uses the standard method: it sends an email with a verification link for you to click.
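The first two red flags on that list can be turned into a quick triage check for a suspicious link. The following is an added example written for this article, not code from Sucuri, Sophos or Instagram. It checks the scheme and the registered domain of a URL, accepts the defanged `[.]` notation used above, and goes slightly beyond the list by also flagging the brand name used as bait inside a foreign hostname and the `brand@attacker-host` userinfo trick. The allow-list of legitimate domains, the lookalike tokens and all sample URLs other than the article’s own phishing domain are assumptions constructed for the demo.

```python
"""Triage heuristics for a suspected Instagram phishing link.

Added example for this article; not code from Sucuri, Sophos or Instagram.
It encodes the red flags listed above (hostname is not instagram.com, no
HTTPS) plus two closely related tricks: the brand name used as bait inside a
foreign hostname, and the `brand@attacker-host` userinfo trick.  The
allow-list, lookalike tokens and sample URLs are assumptions constructed for
the demo.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Assumption: the only registered domain the brand logs users in on.
LEGITIMATE_DOMAINS = {"instagram.com"}
# Tokens that signal the brand is being used as bait ("lnstagram" = l-for-i lookalike).
BRAND_TOKENS = ("instagram", "lnstagram")


def refang(url: str) -> str:
    """Convert defanged notation (instagram[.]com, hxxp://) back into a URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com/.info; a production
    version should use the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess(url: str) -> list[str]:
    """Return the red flags found for one URL; an empty list means none fired."""
    parsed = urlparse(refang(url.strip()))
    host = (parsed.hostname or "").lower()
    flags: list[str] = []

    # Red flag 1: no HTTPS. The converse is NOT a clean bill of health:
    # phishing sites obtain certificates too, so "https" never clears a URL here.
    if parsed.scheme != "https":
        flags.append("no-https")

    # Red flag 2: the registered domain is not the brand's. Comparing the
    # registered domain (not a substring) is what defeats prefixes such as
    # instagram.com.verify-badge.example.
    if registered_domain(host) not in LEGITIMATE_DOMAINS:
        flags.append("domain-not-instagram.com")
        if any(tok in host for tok in BRAND_TOKENS):
            flags.append("brand-name-as-bait")

    # Related trick: https://instagram.com@evil.example/ - the browser treats
    # everything before '@' as userinfo and actually connects to evil.example.
    if "@" in parsed.netloc:
        flags.append("userinfo-in-url")

    return flags


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Assess a batch of URLs and return {url: flags}."""
    return {u: assess(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; only the first is taken from the article (defanged).
    SAMPLES = [
        "http://instagramforbusiness[.]info/apply",
        "https://www.instagram.com/accounts/login/",
        "https://instagram.com.verify-badge.example/",
        "https://instagram.com@evil.example/",
    ]
    for url, flags in triage(SAMPLES).items():
        print(f"{url:50s} -> {flags or 'no red flags'}")
```

Two design points worth noting. The domain test compares the registered domain against an allow-list rather than searching for “instagram” in the hostname, because attackers put the brand name in a subdomain precisely to pass naive substring checks; the brand token is only used to upgrade an already-foreign domain to “bait”. And an absent HTTPS flag is treated as evidence against a link, never as evidence for it. The two-label `registered_domain` helper is deliberately simple; for anything beyond a demo use the Public Suffix List, and remember that none of these checks catch IDN homograph domains.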
Another good reason to turn on 2FA
Bear in mind that even if you fall for one of these phishing scams and enter your credentials, you may still be safe, provided you’ve set up two-factor authentication (2FA) via SMS or an authenticator app. 2FA makes it far harder for crooks to wrestle your account away, because the phished password alone is no longer enough to log in. Of the two options, an authenticator app is the stronger choice, since SMS codes can be intercepted by anyone who manages to take over your phone number.
2FA can be set up on Instagram by going to your profile and selecting the hamburger icon. Then choose Settings > Privacy and security > Two-factor authentication and follow the instructions on the page.
If you think your account may have been compromised, immediately change your account password, turn on 2FA, and double check that the email address and phone number associated with the account haven’t been changed.
If you’ve used the same password for Instagram on other online accounts, you should immediately change those, as well.
Make sure you use a unique, strong password for each account – something that password managers can help you with.