A new Instagram phishing campaign is currently wreaking havoc around the world. In this scam, cybercriminals try to compromise the accounts of users of the popular social media platform. Potential victims are lured with the offer of a blue badge, which is highly coveted: it is only given to accounts that have been verified as authentic and that represent a public figure, celebrity or brand. The spear-phishing emails in the recently observed campaign inform recipients that Instagram has verified their account and that they are eligible for a blue badge. The threat actor is betting on the carelessness and enthusiasm of Instagram users when they are offered a chance to improve their social account status.
“The scam was first discovered in late July and exploits Instagram’s coveted verification programme to trick victims into revealing personal information and account details,” writes Vadesecure. “The attacks target specific users of the social media platform, making them more sophisticated than other phishing campaigns, most of which launch indiscriminate attacks on a variety of victims.”
Technical background of the phishing campaign
In this sophisticated attack, the phishing emails use the subject line “ig bluebadge info” and the sender name “ig-badges”. The text then explains that the victim’s Instagram profile has been checked and is eligible for verification. Instagram and Facebook logos in the header and footer of the email lend it an appearance of legitimacy. Attentive users can nevertheless spot several inconsistencies and hallmarks of social engineering in these emails. Various signs point to a classic case of phishing: for example, grammatical errors and typos appear repeatedly in the text, the usual careless mistakes made by fraudsters.
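The indicators above (the campaign's subject line, its sender display name, and brand impersonation from a domain that does not belong to Instagram or Facebook) can be turned into a simple triage rule for a mail gateway or SOC script. The following is an added example written for this page, not code from the article, KnowBe4 or Vadesecure. It uses only the Python standard library; the two raw messages are constructed samples, and the allowlist of legitimate sender domains is an assumption that a deployment would replace with its own verified list.

```python
import email
from email import policy
from email.utils import parseaddr

# Indicators named in the article: the lure's subject line and sender display name.
CAMPAIGN_SUBJECT = "ig bluebadge info"
CAMPAIGN_DISPLAY_NAME = "ig-badges"

# Assumed allowlist of domains from which genuine Instagram/Facebook mail originates.
# Hypothetical values for this example; a real deployment would maintain its own list.
TRUSTED_SENDER_DOMAINS = {"instagram.com", "mail.instagram.com", "facebookmail.com"}

# Terms that signal the message is talking about the impersonated brand or its badge.
BRAND_TERMS = ("instagram", "facebook", "verification", "verified", "blue badge")


def score_message(raw: str, trusted_domains=TRUSTED_SENDER_DOMAINS) -> dict:
    """Parse one RFC 822 message and return the phishing indicators it triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    display_name, address = parseaddr(str(msg["From"] or ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""

    reasons = []
    if subject == CAMPAIGN_SUBJECT:
        reasons.append("subject matches campaign lure")
    if display_name.strip().lower() == CAMPAIGN_DISPLAY_NAME:
        reasons.append("display name matches campaign lure")
    # Brand wording is only a problem when it arrives from a domain the brand does not use.
    mentions_brand = any(term in subject or term in text for term in BRAND_TERMS)
    if mentions_brand and domain not in trusted_domains:
        reasons.append(f"brand impersonation from untrusted domain {domain!r}")

    return {
        "subject": str(msg["Subject"]),
        "from": address,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample: a lure shaped like the campaign described above (typos included).
PHISH = """From: ig-badges <support@ig-badges-verify.example>
To: creator@example.org
Subject: ig bluebadge info
Content-Type: text/plain; charset=utf-8

Congratulation! Your instagram profile has been checked and is eligible for verification.
Click the link below to confirm you're account and recieve your blue badge.
"""

# Constructed sample: a benign notification from an allowlisted domain.
LEGIT = """From: Instagram <no-reply@mail.instagram.com>
To: creator@example.org
Subject: Your weekly summary
Content-Type: text/plain; charset=utf-8

Here is how your posts performed this week.
"""

if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        result = score_message(sample)
        print(result["from"], "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

The exact-match rules catch this one campaign; the domain check is the part that generalises, because any message that talks about verification or a blue badge while coming from outside the brand's own sending domains deserves a second look regardless of the subject line used.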
Effective security measures
To protect an organisation from such threats, KnowBe4’s security experts recommend security awareness training so that users learn to recognise the typical signs of social engineering attacks. “The most effective measure to prevent such attacks is to establish comprehensive security awareness training for employees,” says Jelle Wieringa, Security Awareness Advocate at KnowBe4. “Basically, this involves using simulated phishing mails to test how alert employees are. The aim of the training is to increase awareness of the dangers and the recognition of such attacks. The number of successful phishing attacks on the company can be greatly reduced by such training.”