
Instagram Phishing Campaign: Hackers Exploit Social Verification

Written by Hornetsecurity / 08.05.2022

A new Instagram phishing campaign has surfaced recently. First discovered by Hornetsecurity in late July, the scam exploits Instagram’s highly sought-after verification program to dupe victims into divulging personal information and account credentials. The malicious attack targets specific users of the social media platform, showing more sophistication than other phishing campaigns that pursue victims indiscriminately.

The phishing email uses the subject line, “ig bluebadge info” and the name, “ig-badges.” The body text explains that the victim’s Instagram profile has been reviewed and deemed eligible for verification. The Instagram and Facebook logos at the header and footer of the email attempt to create an air of legitimacy, as does the use of the victim’s actual Instagram handle, showing the hackers researched their target before the attack.


Instagram phishing email

The hackers hope these tactics disguise the signs of a phishing scam, including the context of the email. Instagram relies on users to apply for the touted blue badge and doesn’t contact them directly. And the company reserves verification for public figures and celebrities, not average users.

Closer examination reveals the email comes from an IP address in Turkey, as shown below:

Sender’s IP address

Other signs suggest a classic case of phishing. Grammatical errors and typos appear several times in the text—the common calling card of foreign bad actors—including the phrase, “Thanks, you instagram team.” The email also urges prompt action—another hallmark of phishing and spear phishing emails—telling the victim, “if you ignore this message, the form will be permanently deleted within 48 hours.”

Still, the hackers hope the victim overlooks these clues and clicks the blue “Badge Form” button. Doing so opens a malicious website with the domain name “teamcorrectionbadges.”
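As an added example (not from the Hornetsecurity post), a small Python triage check that flags the indicators described above: the known subject line and sender display name, a sender domain outside Instagram’s, the urgency wording, and links to hosts outside instagram.com. The sender address and link host in the sample are constructed placeholders, since the post only gives the domain fragment “teamcorrectionbadges.”

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the campaign described in this post.
KNOWN_SUBJECTS = {"ig bluebadge info"}
KNOWN_SENDER_NAMES = {"ig-badges"}
URGENCY_PHRASES = ("permanently deleted", "within 48 hours")
LEGIT_DOMAINS = ("instagram.com", "facebook.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_legit_domain(host: str) -> bool:
    """True only for instagram.com/facebook.com or one of their subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def score_message(raw: str) -> list:
    """Return the list of indicators triggered by one plain-text message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in KNOWN_SUBJECTS:
        hits.append("known-subject")
    name, addr = parseaddr(msg.get("From") or "")
    if name.strip().lower() in KNOWN_SENDER_NAMES:
        hits.append("known-sender-name")
    sender_domain = addr.rpartition("@")[2]
    if sender_domain and not is_legit_domain(sender_domain):
        hits.append("sender-not-instagram")
    body = "" if msg.is_multipart() else msg.get_payload()
    if any(p in body.lower() for p in URGENCY_PHRASES):
        hits.append("urgency")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_legit_domain(host):
            hits.append("link-outside-instagram:" + host)
    return hits

# Constructed sample mirroring the lure in the post (not a real capture);
# the address and link host are placeholders.
SAMPLE_PHISH = """\
From: ig-badges <badges@mail.example.net>
Subject: ig bluebadge info

Hello @victim_handle, your profile was reviewed for the blue badge.
Fill the Badge Form: https://teamcorrectionbadges.example/form
If you ignore this message, the form will be permanently deleted within 48 hours.
Thanks, you instagram team
"""

print(score_message(SAMPLE_PHISH))
```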

Instagram phishing domain name

Here, hackers hope the victim assumes Instagram uses a different website than instagram.com to verify users. They again attempt to create the illusion of authenticity by displaying the brand colors of Instagram and the logo of its parent company, Meta. They also make several grammatical mistakes.

Instagram phishing form with Meta branding

The form prompts the victim to enter their Instagram handle. Once they submit this information, the webpage refreshes to display the entry along with multiple fields for the victim’s name, email, and phone number, as shown below.

Instagram phishing badge form

After the user submits this information, the webpage refreshes to display another field for the victim’s password.

Another Instagram form variant

Once the victim enters and submits their account credentials, the webpage again updates, this time displaying a confirmation message, “Thank you for verifying your account. Our team will contact you as soon as possible. (Average 48 hours).”

Fake account verification confirmation

The Instagram phishing campaign began on July 22, 2022, with email volumes exceeding 1,000 per day on two occasions. At this time, the malicious campaign appears to be small in scale, which is consistent with the targeted nature of the attacks.

Instagram phishing email volume

Instagram phishing scam exploits the demand for social status

Instagram and Facebook provide phishers with effective platforms for social media phishing, arming them with a wealth of information about their soon-to-be victims. Social media ranks fourth among industries by number of phishing URLs, and Facebook takes second place among the most impersonated brands.

Phishing volumes by industry for H1 2022

While phishers have incentive to impersonate social media brands, they find added value in exploiting the demand for social verification. Many people prize the Instagram blue badge for the social status it conveys, which may cloud their judgement when presented with the opportunity to obtain it. Social verification also remains a mysterious and misunderstood process, known only to the social platforms that control it. This makes victims more likely to trust emails and websites developed by malicious third parties.


Verification scams like this Instagram phishing campaign continue to make headlines year after year, a trend certain to continue. Still, you can avoid becoming a victim by adopting practices consistent with good cyber hygiene. Acknowledge that phishers can spoof any email, so take caution when opening one. Log in to your social media accounts directly through a separate browser and never from a link in an email. And look for the common signs of phishing scams, including urgency and spelling and grammatical mistakes.
