New social media phishing campaign: scammers exploit Instagram verification programme

September 11, 2022

A new Instagram phishing campaign is currently wreaking havoc around the world. In this scam, cybercriminals try to compromise the accounts of users of the popular social media platform. The potential victims are lured with the offer of a blue tick, which is highly coveted: it is only given to accounts that have been verified as authentic and represent a public figure, celebrity or brand. The spearphishing emails in the recently observed campaign inform recipients that Instagram has verified their accounts and that they are eligible for a blue badge. The threat actor is counting on the carelessness and enthusiasm of Instagram users when confronted with the opportunity to improve the status of their social media account.

“The scam was first discovered in late July and exploits Instagram’s coveted verification programme to trick victims into revealing personal information and account details,” writes Vadesecure. “The attacks target specific users of the social media platform, making them more sophisticated than other phishing campaigns, most of which launch indiscriminate attacks on a variety of victims.”

Technical background of the phishing campaign

In this sophisticated attack, the phishing emails use the subject line “ig bluebadge info” and the name “ig-badges”. The text then explains that the victim’s Instagram profile has been checked and is eligible for verification. The Instagram and Facebook logos in the header and footer of the email give the appearance of legitimacy. Attentive users can nevertheless recognise inconsistencies and signs of social engineering in the emails. Various signs clearly point to a classic case of phishing: for example, grammatical errors and typos appear frequently in the text, the usual careless mistakes made by fraudsters.
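
A mail-triage check for the two indicators named above, as an added example that is not part of the original article. Treating “ig-badges” as the From display name and instagram.com as the genuine sender domain are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicators quoted in the article, compared after stripping case and separators.
SUBJECT_IOC = "igbluebadgeinfo"   # "ig bluebadge info"
NAME_IOC = "igbadges"             # "ig-badges" (assumed to be the From display name)
# Assumption: genuine Instagram mail is sent from instagram.com or a subdomain.
BRAND_DOMAIN = "instagram.com"

def squash(text: str) -> str:
    """Lower-case and drop spaces, punctuation and underscores."""
    return re.sub(r"[\W_]+", "", text).lower()

def triage(raw: str) -> list[str]:
    """Return the reasons a raw RFC 5322 message matches the badge lure."""
    # policy.default decodes RFC 2047 encoded-words in the headers.
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()

    reasons = []
    if SUBJECT_IOC in squash(subject):      # also catches "Re: ..." variants
        reasons.append("subject")
    if squash(name) == NAME_IOC:
        reasons.append("display-name")
    on_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    # A foreign domain only matters once the message claims the badge theme.
    if reasons and not on_brand:
        reasons.append("sender-domain")
    return reasons

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "From: ig-badges <notice@mail.example.net>\n"
    "Subject: ig bluebadge info\n\nYour profile is eligible.\n",
    "From: Support <help@example.org>\n"
    "Subject: =?utf-8?q?IG_BlueBadge_Info?=\n\nYour profile is eligible.\n",
    "From: Alice <alice@example.com>\n"
    "Subject: Quarterly report\n\nSee attachment.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```
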

Effective security measures

To protect one’s organisation from such dangers, KnowBe4’s security experts recommend offering security awareness training so that users learn to recognise the typical signs of social engineering attacks. “The most effective measure to prevent such attacks is to establish comprehensive security awareness training for employees,” says Jelle Wieringa, Security Awareness Advocate at KnowBe4. “Basically, this involves using simulated phishing mails to test how alert employees are. The aim of the training is to increase awareness of the dangers and the recognition of such attacks. The number of successful phishing attacks on the company can be greatly reduced by such training.”
