Naked Security

Crave that Instagram verified badge? Don’t fall for this login-stealing scam

It's yet another way to trick Instagram users out of their login credentials. Don't fall for it, lest your account be hijacked!

There’s nothing quite like the cachet of that elusive “verified” blue check mark from Instagram.

How you get one is somewhat mysterious, as Forbes’s Tom Ward has found out: it’s not always enough to be famous and have a ton of followers, and it’s not always enough to get a digital agency to submit a request for you.

But here’s one sure-fire way not to get that little blue check, and instead to get your account credentials stolen: scammers are promising to get you a “verified” badge, but when Instagram users fall for the “apply now” come-on, their login credentials are phished away.

The scam was spotted by security researchers with Sucuri. One of the researchers, Luke Leal, said in a post last week that they recently came across a page that was spoofing a real Instagram Verification submission page.

Verily, do not click that verification come-on

The researchers said that after clicking the Apply Now button, the page presented a series of phishing forms hosted on the phishing domain instagramforbusiness[.]info. The forms asked victims for their Instagram login information, instructing them to confirm their email addresses as well as their passwords.

After the phishing page got the credentials, they were emailed to the scammers, enabling hackers to take over their victims’ accounts – thus adding to the pile of hijacked accounts that just keeps growing.

Leal notes that Instagram has ways to sniff out suspicious account logins. If it detects one, it responds by locking down the account with a ‘Suspicious Login Attempt’ warning.

There are ways for attackers to get around that, though, Leal said. Hackers just need one of two things: access to the phone number used to register the account (if applicable, since Instagram doesn’t require a phone number for signup) or access to the email address associated with the profile.

That’s why the phishing page goes after accounts’ associated emails, he said: having the victim’s email enables attackers to reset and verify ownership of the phished Instagram account if the ‘Suspicious Login Attempt’ warning gets triggered.

Don’t let the blue checkmark bedazzle you

Keep in mind that Instagram accounts are a hot commodity these days. With so many crooks hacking accounts away, holding them for ransom or selling them on the dark web, it pays to cast a hairy eyeball on any Instagram-related notice you get, particularly one that asks for your login.

Sucuri notes that there were some clear signs that this page, which has since been reported and removed, was malicious:

  • The domain name is clearly not instagram.com.
  • A lack of HTTPS results in insecure warnings in visitors’ browsers. Big-brand companies like Instagram typically use HTTPS on their websites, especially if they handle login information and other sensitive information.
  • Instagram will never ask for a linked email account’s password as confirmation. It will use the standard method of sending an email with a verification link for you to click.
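One way to run the first two warning signs from that list against a link before tapping it, as an added example that is not from the article or from Sucuri’s research. It goes one step beyond the list by also folding styled Unicode lettering in the hostname (NFKC) so a brand name written in lookalike characters is still caught. The sample links are constructed, apart from the article’s defanged phishing domain.

```python
import unicodedata
from urllib.parse import urlsplit

# The only host the article says a real Instagram verification flow would live on.
LEGIT_HOST = "instagram.com"


def refang(url: str) -> str:
    """Turn defanged notation ('instagramforbusiness[.]info', 'hxxp') back into a parsable URL."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http")


def _split(url: str):
    url = refang(url)
    if "://" not in url:  # a bare 'example.com/path' as pasted from a DM
        url = "http://" + url
    return urlsplit(url)


def check_link(url: str) -> list:
    """Return the warning signs that apply to this link; an empty list means none were found."""
    findings = []
    parts = _split(url)
    raw_host = (parts.hostname or "").rstrip(".")
    # NFKC maps styled letters (e.g. mathematical bold) to plain ASCII so they can be compared.
    folded = unicodedata.normalize("NFKC", raw_host).lower()
    if parts.scheme.lower() != "https":
        findings.append("no HTTPS: a real Instagram login page is served over TLS")
    if raw_host != folded:
        findings.append("styled or non-ASCII characters in the domain name (lookalike)")
    # Legitimacy is judged on the raw host, never on the folded one, so a homoglyph
    # spelling of instagram.com cannot pass as the real thing.
    is_instagram = raw_host == LEGIT_HOST or raw_host.endswith("." + LEGIT_HOST)
    if not is_instagram:
        findings.append(f"domain '{raw_host}' is not instagram.com")
        if "instagram" in folded:
            findings.append("brand name embedded in a non-Instagram domain (lookalike)")
    return findings


# Constructed sample links: the article's defanged domain plus two made-up ones.
SAMPLE_LINKS = [
    "http://instagramforbusiness[.]info/apply",
    "https://www.instagram.com/accounts/login/",
    "https://instagram.com.verify-badge.example/",
]


def triage(links) -> dict:
    """Map each link to its list of warning signs."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, findings in triage(SAMPLE_LINKS).items():
        print(link, "->", findings or ["no warning signs"])
```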

Another good reason to turn on 2FA

Bear in mind that even if you fall for one of these phishing scams and enter your credentials, you could still be safe – if, that is, you’ve chosen to set up two-factor authentication (2FA) via SMS or an authenticator app. 2FA makes it far more difficult for crooks to wrestle your account away.

2FA can be set up on Instagram by going to your profile and selecting the hamburger icon. Then choose Settings > Privacy and security > Two-factor authentication and follow the instructions on the page.

If there’s a risk that your account has been compromised, you should immediately change your account password, turn on 2FA, and double check to make sure that the email address and phone number associated with the account haven’t been changed.

If you’ve used the same password for Instagram on other online accounts, you should immediately change those, as well.

Make sure you use a unique, strong password for each account – something that password managers can help you with.

6 Comments

Believe it or not… this scam is still going on… I almost fell for it today. Was going to report it to Instagram, however, that’s virtually impossible. Not sure which frustrated me more… the fact that the hackers thought I was dumb enough to fall for this sophomoric scam or the fact that IG makes it virtually impossible to find a way to report it to them.

It would seem that the IG users could significantly help IG ferret out many of these scams by providing a method of reporting them.

According to Instagram’s “Abuse and Spam” pages, you can report spams and scams by swiping left on a comment (iPhone) or pressing-and-holding on it (Android), which brings up a menu including a speech bubble with an exclamation point (!) in it. Tap on that icon to get at the “Report This Comment” option. For a post, you use the three-dots icon above the post to get at the “Report” option.

How effective it is to submit these reports, I can’t tell you, but the mechanisms for sending them in do exist.

If you don’t have an Instagram account at all then there is an online form you can use for reporting posts. However, I couldn’t find an option for “spam or scam” via that form, only for reporting things like self-harm, drug abuse and so on.

I got this message:

Hello, Dear Instagram User!

After reviewing your account with our support team, we found that you met the blue badge requirements.

Due to COVID-19, blue badge applications will be made on whatsapp. Therefore, if you want to apply, fill in the form below.

You must complete the form below to verify that you are the owner of the account to be awarded the blue badge.

The link is unique to you, please do not share it with anyone. After clicking the link, the link will be invalid within 24 hours.

After entering the correct information, we will confirm your application within 24 hours.

Please do not send us a message, by clicking the link you will be asked to provide feedback.

Thank you for your understanding.

Form: [REDACTED URL]

(There may be synchronization problems. If the link does not work, please copy the link and open browser)

Case Number: [REDACTED]

© 𝐈𝐧𝐬𝐭𝐚𝐠𝐫𝐚𝐦 160 𝐈𝐧𝐜, 1601 Willow Road, Menlo Park, CA 94025 USA

This is a scam right?

Thanks!

Hi, my account manager has fallen for this scam.

We do not have two-factor authentication, and it seems it has been set up by the scammers to stop us getting back into the account.

Can anyone help or recommend something?
