Since July, hackers with IP addresses in Turkey have used Instagram’s verification process to steal sensitive information from unsuspecting users, according to a new report from Vade.
The company said victims typically receive phishing emails from an “ig-badges” email account that generally has the subject line “ig bluebadge info.”
The email tells the victim that their Instagram profile has been reviewed and “deemed eligible” for verification.
Vade researchers noted that the scam emails have the logos for both Instagram and Facebook at the top and bottom as well as the person’s real Instagram handle, indicating “the hackers researched their target before the attack.”
The emails contain a “badge form” link that takes victims to a scam website bearing the insignias of Instagram and of Meta, the social media giant’s parent company.
The website asks for a person’s name, phone number, email and Instagram password, telling victims they will be contacted after 48 hours once everything is entered.
“Many people prize the Instagram blue badge for the social status it conveys, which may cloud their judgment when presented with the opportunity to obtain it,” the researchers said.
“Social verification also remains a mysterious and misunderstood process, known only to the social platforms that control it. This makes victims more likely to trust emails and websites developed by malicious third parties.”
Anyone seeking the blue verification badge on Instagram has to contact the company themselves; Instagram will never initiate contact with a user about verification.
The initial scam emails attempt to pressure victims into offering their information as soon as possible, warning that the verification process will expire within 48 hours.
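As an added example (not code from Vade's report or this article), a small Python triage check that scores an inbound message against the indicators described above: the “ig-badges” sender, the “ig bluebadge info” subject, the “badge form” lure, an off-brand sender domain or link, and the 48-hour deadline. The allowlisted brand domains, the constructed sample message and the three-hit threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains the real brand mails from and links to; tune for your environment.
BRAND_DOMAINS = ("instagram.com", "facebookmail.com", "facebook.com")

# Constructed sample modelled on the indicators in the report (sender, subject, lure text, link, deadline).
SAMPLE_PHISH = """From: Instagram <ig-badges@verify-lookalike.invalid>
Subject: ig bluebadge info
Content-Type: text/html

<p>Hello @someuser, your Instagram profile has been reviewed and deemed eligible for verification.</p>
<p>Submit the <a href="http://verify-lookalike.invalid/form">badge form</a>; the offer expires in 48 hours.</p>
"""

def _brand_host(host) -> bool:
    """True if host is an allowlisted brand domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def _text_of(msg) -> str:
    """Flatten a single-part or multipart payload into one string for matching."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    return msg.get_payload()

def score_message(raw: str) -> dict:
    """Return the indicators matched; three or more hits is treated as a phishing verdict."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.rpartition("@")
    body = _text_of(msg)
    hits = []
    if local.lower() == "ig-badges":  # sender account named in the report
        hits.append("sender_local_part")
    if "bluebadge" in msg.get("Subject", "").lower().replace(" ", ""):  # "ig bluebadge info"
        hits.append("subject_bluebadge")
    if "instagram" in body.lower() and not _brand_host(domain):  # brand claimed, sender domain is not the brand
        hits.append("sender_domain_off_brand")
    if any(not _brand_host(urlparse(u).hostname) for u in re.findall(r'href="([^"]+)"', body, re.I)):
        hits.append("link_off_brand")  # the "badge form" link points away from the brand
    if re.search(r"\b48\s*hours?\b", body, re.I):  # artificial deadline used to pressure the target
        hits.append("urgency_48h")
    if re.search(r"badge form|deemed eligible", body, re.I):  # lure wording from the campaign
        hits.append("verification_lure_text")
    return {"hits": hits, "verdict": "phish" if len(hits) >= 3 else "ok"}
```

Running `score_message(SAMPLE_PHISH)` matches all six indicators; a routine notification from an allowlisted brand domain with no off-brand links scores zero.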
“The Instagram phishing campaign began on July 22, 2022, with email volumes reaching up to more than 1,000 per day on two occasions. At this time, the malicious campaign appears to be small in scale, which would support the targeted nature of attacks,” Vade researchers said.
The researchers added that social media sites remain among the most popular phishing lures used by scammers and hackers. In the first half of 2022, social media brands ranked fourth among industries by number of phishing URLs, according to Vade’s data.
Facebook was the second most impersonated brand they tracked in the first half of 2022.
Last year, Instagram rolled out a new security feature that helps users secure compromised accounts and kick out hackers. But phishing attacks leveraging the social media site’s popularity have continued.
Security firm SafeBreach said last year that an Iranian threat actor was found targeting people in the U.S. with phishing scams designed to steal Instagram credentials.
In April, popular NFT company Bored Ape Yacht Club said its Instagram account was hacked and used to share fraudulent phishing sites that allowed the theft of dozens of NFTs worth millions of dollars. The hacker managed to steal about $3 million worth of NFTs from those who fell for the scam.