(Example of the phishing page.)
If you receive an email claiming to offer a verified Instagram badge, it’s a scam designed to steal your password.
Security firm Trend Micro uncovered one such phishing scheme that pretends to offer verified badges as a way to trick victims into typing in their Instagram login credentials.
Trend Micro detailed the scheme in a Thursday report, which traced the malicious activities to a group of Turkish-speaking hackers. The scam involves emails that appear to come from Instagram and offer the recipient a “certified badge” for their account. However, to receive the badge, the user must fill out a form, which asks for the email address, username, or phone number they registered with their Instagram account, as well as the password.
“Once submitted, a badge notification appears, but for only four seconds,” Trend Micro said in its report. “This is a trick to give users the impression that their profile has been verified.”
But in reality, the hacker has collected all the information they need to break into the victim’s Instagram account and modify it to their liking. The same scam can also try to trick the user into handing over the login credentials to the email address tied to the Instagram account. With such access, the hacker can unleash all kinds of mayhem.
“In one instance, we saw the hacker threatening to delete the account or never return the stolen profile unless the victim pays a ransom or sends nude photos or videos,” Trend Micro said.
The security firm noticed that one affected account had been defaced with the Turkish words “Hesap Ebedi,” which mean “Account Eternal.” Trend Micro searched for the term on the internet, which led its researchers to a Turkish hacking forum about how to manage stolen Instagram accounts.
Instagram’s verified badge is offered to celebrities, public figures, and major brands. That can make the phishing emails an effective lure for Instagram users with thousands of followers.
“We’ve seen cases where owners of Instagram profiles with followers between 15,000 and 70,000 were hacked and were never retrieved. The victims ranged from famous actors and singers to owners of startup businesses like photoshoot equipment rentals,” Trend Micro said without revealing the affected users.
It isn’t clear how many people have been targeted by this particular phishing scheme. But Instagram is a popular target for cybercriminals. Trend Micro posted links to the fake Instagram pages used in the scam, and they remain live. However, Google’s Chrome browser will flag them as deceptive sites.
In response to Trend Micro’s report, Instagram told PCMag: “Be wary of any communication alleging to come from Instagram. We will never proactively email you about verification, and we will certainly never attempt to sell you verification.”
For extra security, the company advises Instagram users to activate the two-factor protection on their account. The security setup can prevent hackers from breaking in even if they learn your password, because anyone logging on must also input a special code generated on your smartphone.