Threat actors take advantage of Instagram’s highly sought-after verification program to harvest user credentials.
Cybersecurity company Vade discovered a sophisticated and targeted phishing campaign designed to lure Instagram users into a trap and harvest their personal information and account credentials.
It all starts with an email saying that your Instagram account has been reviewed and deemed eligible for verification. As is usual with phishing emails, grammatical errors and typos give the threat actors away. The email also urges prompt action – another sign giving away a scammer.
Malicious hackers, of course, hope that victims will overlook the telltale signs of a scam and click on the “Badge Form.” Upon clicking on the link, victims are redirected to a malicious website.
“Here, hackers hope the victim assumes Instagram uses a different website than instagram.com to verify users. They again attempt to create the illusion of authenticity by displaying the brand colors of Instagram and the logo of its parent company, Meta. They also make several grammatical mistakes,” Vade explained.
The website prompts users to enter data needed for verification: Instagram handle, victim’s name, email, phone number, and, eventually, password. After the user submits that information, the website displays a benign-looking message, saying, “Thank you for verifying your account. Our team will contact you as soon as possible. (Average 48 hours).”
Vade saw this Instagram phishing campaign beginning on July 22, 2022, with email volumes reaching up to more than 1,000 per day on two occasions.
“At this time, the malicious campaign appears to be small in scale, which would support the targeted nature of attacks,” Vade said.
More from Cybernews:
Subscribe to our newsletter