Fake Instagram blue badges offered by hackers to lure victims

September 8, 2022

Instagram users are targeted by a new phishing campaign that baits them through a fake offer of blue check badges on their accounts. These blue badges indicate that a user account is an authentic page of a public figure, a brand, or a high-profile personality; thus, many people are interested in obtaining one.

In this new campaign, threat actors send emails to their targets telling them that they have become eligible for Instagram blue badges following a review. An interested victim is directed to fill in a form linked from the malicious email, which claims that the badge will appear within 48 hours after the information is submitted.

Many Instagram users have fallen prey to this campaign because they covet blue badges for their accounts.

Despite some obvious signs of fraud in the phishing emails, several Instagram users have still been victimised by this campaign. The blue check badge on a user account can signify an upgraded and verified status for an individual, so the opportunity can blind users into taking the bait.

Security researchers first spotted the phishing messages in this campaign on July 22 and state that over a thousand malicious emails have been sent daily since then. The message informs the recipient that their Instagram account is eligible for a blue check badge and urges them to click an embedded button to fill out a form.

The malicious emails also present a sense of urgency to the recipients, explaining that the form is only available for 48 hours or else it will be deleted and the opportunity for the blue badge will be forfeited. The victims are asked for their username, full name, email address, phone number, and password in the form.
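The traits described above (a badge offer, a 48-hour deadline, a button leading to an external form) can be checked mechanically in a mail filter. The following Python is an added example, not code from the article or from the researchers it cites; the indicator names, the trusted-host list and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("instagram.com",)  # assumption: hosts accepted for Instagram links
LURE = re.compile(r"\b(blue\s+(check\s+)?badge|verified\s+badge)", re.I)
DEADLINE = re.compile(r"\b\d{1,3}\s*hours?\b", re.I)
class _Extractor(HTMLParser):  # collects visible text and <a href> targets
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
    def handle_data(self, data):
        self.text.append(data)

def _offsite(url):
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return p.scheme in ("http", "https") and not any(
        host == s or host.endswith("." + s) for s in TRUSTED)

def badge_lure_indicators(raw_email):
    """Return which of the three lure traits a raw RFC 5322 message shows."""
    msg, parser = message_from_string(raw_email), _Extractor()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = " ".join([msg.get("Subject", "")] + parser.text)
    found = []
    if LURE.search(body):
        found.append("badge_offer")
    if DEADLINE.search(body):
        found.append("deadline")
    if any(_offsite(u) for u in parser.links):
        found.append("offsite_link")
    return found

# Constructed sample messages, not taken from the campaign.
PHISH = ("Subject: Your account is eligible for a blue badge\n"
         "Content-Type: text/html\n\n"
         "<p>Fill in the form within 48 hours.</p>\n"
         '<a href="https://badge-form.example/apply">Apply</a>\n')
BENIGN = ("Subject: New login to your account\n"
          "Content-Type: text/html\n\n"
          '<a href="https://help.instagram.com/">Review this login</a>\n')
```

A message that shows all three indicators together is a strong candidate for quarantine; any single indicator on its own is weak evidence and will also appear in legitimate mail.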

Once the form is submitted, the details are believed to be forwarded to a remote server handled by the threat actors. Meanwhile, another message is sent to the victim, saying their Instagram account will be verified in the next two days. Unfortunately, the victim's expectations are in vain, and their account is likely to be hacked after they give out their credentials.

Users must remember that Instagram blue badges are exclusively for high-profile brands and personalities and that regular user accounts are mostly not eligible. These badges are also granted through self-application and are not offered by any entity, not even Instagram.

If hackers have obtained your social media credentials through a phishing form, quickly applying MFA on your accounts is helpful: even if someone has your password, the account will not easily be hacked unless the code has also been given away.
