Threat Analysis

Instagram Phishing Campaign: Hackers Exploit Social Verification

Todd Stansfield

September 01, 2022


A new Instagram phishing campaign has surfaced recently. First discovered by Vade in late July, the scam exploits Instagram’s highly sought-after verification program to dupe victims into divulging personal information and account credentials. The malicious attack targets specific users of the social media platform, showing more sophistication than other phishing campaigns that pursue victims indiscriminately.

The phishing email uses the subject line, “ig bluebadge info” and the name, “ig-badges.” The body text explains that the victim’s Instagram profile has been reviewed and deemed eligible for verification. The Instagram and Facebook logos at the header and footer of the email attempt to create an air of legitimacy, as does the use of the victim’s actual Instagram handle, showing the hackers researched their target before the attack.

[Figure: Instagram phishing email]

The hackers hope these tactics disguise the signs of a phishing scam, including the context of the email. Instagram relies on users to apply for the touted blue badge and doesn’t contact them directly. And the company reserves verification for public figures and celebrities, not average users.

Closer examination reveals the email comes from an IP address in Turkey, as shown below.

[Figure: Sender’s IP address]

[Figure: Sender’s IP address (continued)]

Other signs suggest a classic case of phishing. Grammatical errors and typos appear several times in the text—the common calling card of foreign bad actors—including the phrase, “Thanks, you instagram team.” The email also urges prompt action—another hallmark of phishing and spear phishing emails—telling the victim, “if you ignore this message, the form will be permanently deleted within 48 hours.”

Still, the hackers hope the victim overlooks these clues and clicks the blue button, “Badge Form.” When they do, they launch a malicious website with the domain name, “teamcorrectionbadges.”
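As an added illustration (not part of Vade’s analysis or tooling), the following Python sketch turns the indicators described above into a simple triage check and runs it over a constructed sample message; the sender address and the `.example` TLD are placeholders, since the post gives only the bare name “teamcorrectionbadges.”

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators from the campaign: subject line, display name, urgency wording,
# and a sender or link domain that is not Instagram's own.
SUBJECT_INDICATOR = "ig bluebadge info"
DISPLAY_NAME_INDICATOR = "ig-badges"
URGENCY_RE = re.compile(r"permanently deleted|within \d+ hours", re.I)
BRAND_DOMAINS = ("instagram.com", "facebook.com", "meta.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_brand_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def score_message(raw):
    # Returns the list of campaign indicators found in a raw RFC 822 message.
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    display_name, sender = parseaddr(msg.get("From") or "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []
    if SUBJECT_INDICATOR in subject:
        hits.append("subject")
    if DISPLAY_NAME_INDICATOR in display_name.lower():
        hits.append("display-name")
    if URGENCY_RE.search(body):
        hits.append("urgency")
    # Brand impersonation: the mail talks about Instagram but its sender or links point elsewhere.
    mentions_brand = "instagram" in body.lower()
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if mentions_brand and sender_host and not is_brand_domain(sender_host):
        hits.append("sender-domain")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    if mentions_brand and any(h and not is_brand_domain(h) for h in hosts):
        hits.append("link-domain")
    return hits

# Constructed sample modelled on the email described above (not a real capture;
# the sender address and the TLD are placeholders).
SAMPLE = """From: ig-badges <badges@mail.example>
Subject: ig bluebadge info

Your instagram profile has been reviewed and is eligible for verification.
Badge Form: https://teamcorrectionbadges.example/form
if you ignore this message, the form will be permanently deleted within 48 hours.
Thanks, you instagram team
"""
```

A mail that mentions Instagram but whose sender and links all stay on Instagram’s own domains produces no hits, so the check flags the impersonation pattern rather than the brand name itself.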

[Figure: Instagram phishing domain name]

Here, hackers hope the victim assumes Instagram uses a different website than instagram.com to verify users. They again attempt to create the illusion of authenticity by displaying the brand colors of Instagram and the logo of its parent company, Meta. They also make several grammatical mistakes.

[Figure: Instagram phishing form 1]

The form prompts the victim to enter their Instagram handle. Once they submit this information, the webpage refreshes to display the entry along with multiple fields for the victim’s name, email, and phone number, as shown below.

[Figure: Instagram phishing form 2]

After the user submits this information, the webpage refreshes to display another field for the victim’s password.

[Figure: Instagram phishing form (password field)]

Once the victim enters and submits their account credentials, the webpage again updates, this time displaying a confirmation message, “Thank you for verifying your account. Our team will contact you as soon as possible. (Average 48 hours).”

[Figure: Instagram phishing form 4]

The Instagram phishing campaign began on July 22, 2022, with email volumes exceeding 1,000 per day on two occasions. At this time, the malicious campaign appears to be small in scale, which is consistent with the targeted nature of the attacks.

[Figure: Instagram phishing email volumes]

Instagram phishing scam exploits the demand for social status

Social media outlets like Instagram and Facebook give phishers effective platforms for their attacks, arming them with a wealth of information about their soon-to-be victims. Our recent Phisher’s Favorite Report confirms this reality, revealing that social media brands account for the fourth-highest number of phishing URLs of any industry, with Facebook taking second place among the most impersonated brands.

[Figure: Phishing volumes by industry for H1 2022]

While phishers have incentive to impersonate social media brands, they find added value in exploiting the demand for social verification. Many people prize the Instagram blue badge for the social status it conveys, which may cloud their judgement when presented with the opportunity to obtain it. Social verification also remains a mysterious and misunderstood process, known only to the social platforms that control it. This makes victims more likely to trust emails and websites developed by malicious third parties.


Verification scams like this Instagram phishing campaign continue to make headlines year after year, a trend certain to continue. Still, you can avoid becoming a victim by adopting practices consistent with good cyber hygiene. Acknowledge that phishers can spoof any email, so take caution when opening one. Log in to your social media accounts directly through a separate browser and never from a link in an email. And look for the common signs of phishing scams, including urgency and spelling and grammatical mistakes.
