Thousands lured with blue badges in Instagram phishing attack
A new Instagram phishing campaign is underway, attempting to scam users of the popular social media platform by luring them with a blue-badge offer.
Blue badges are highly coveted as Instagram provides them to accounts it verified to be authentic, representing a public figure, celebrity, or brand.
The spear emails in the recently observed phishing campaign inform recipients that they Instagram reviewed their accounts and deemed them eligible for a blue badge.
Users falling for the scam are urged to fill out a form and claim their verification badge in the next 48 hours.
While the campaign shows signs of fraud, the threat actor bets on the carelessness and enthusiasm Instagram users have when faced with the opportunity to upgrade the status of their social account.
The new campaign was spotted by threat analysts at Vade, an AI-based email security service, who reported that the first messages to targets were sent out on July 22. During the deployment, email distribution volumes spiked twice, once on July 28 and again on August 9, 2022, with more than 1,000 phishing messages per day. The messages feature Instagram and Facebook logos and inform the recipient that their account is eligible for a blue badge, urging them to click on an embedded button that would take them to the relevant submission form.
The users are warned that if they ignore the message, the form will be permanently deleted in 48 hours, creating a sense of urgency and the illusion of a limited opportunity. The phishing form is hosted on a domain named “teamcorrectionbadges”, to make it appear as if Instagram uses a separate, dedicated domain to verify users. The phishing process on that site relies on a three-stage form, each step showing Instagram, Facebook, WhatsApp, Messenger, and Meta logos, in an attempt to create a sense of legitimacy.
To understand how you can protect yourself from these scams, it is essential to know how Instagram’s verification program actually works. First, the social media platform will never contact you offering a blue badge. Users can only get it by applying themselves. Secondly, applying for verification is only possible through the official platform, never by visiting a separate domain. Thirdly, Instagram blue badges are reserved for notable public figures, celebrities, and brands, so regular accounts aren’t eligible.
Phishing actors have been taking advantage of the vanity that characterizes many Instagram users. Campaigns targeting social media users with phishing emails are very popular and are not limited to Instagram.
With thanks to the Cyber Defence Alliance and Bleeping Computer. The full story is here: https://www.bleepingcomputer.com/news/security/thousands-lured-with-blue-badges-in-instagram-phishing-attack/
Don’t get hacked by social media phishing attacks!
Many of your users are active on Facebook, LinkedIn, and Twitter. Cybercriminals use these platforms to scrape profile information of your users and organization to create targeted spear phishing campaigns in an attempt to hijack accounts, damage your organization’s reputation, or gain access to your network.
KnowBe4’s Social Media Phishing Test is a complimentary IT security tool that helps you identify which users in your organization are vulnerable to these types of phishing attacks that could put your users and organization at risk.
Here’s how the Social Media Phishing Test works:
- Immediately start your test with your choice of three social media phishing templates
- Choose the corresponding landing page your users see after they click
- Show users which red flags they missed or send them to a fake login page
- Get a PDF emailed to you in 24 hours with your percentage of clicks and data entered
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/social-media-phishing-test-partner?partnerid=001a000001lWEoJAAW