A new Instagram phishing campaign is underway, attempting to scam users of the popular social media platform by luring them with a blue-badge offer.
Blue badges are highly coveted as Instagram provides them to accounts it verified to be authentic, representing a public figure, celebrity, or brand.
The spear emails in the recently observed phishing campaign inform recipients that they Instagram reviewed their accounts and deemed them eligible for a blue badge.
Users falling for the scam are urged to fill out a form and claim their verification badge in the next 48 hours.
While the campaign shows signs of fraud, the threat actor bets on the carelessness and enthusiasm Instagram users have when faced with the opportunity to upgrade the status of their social account.
The new campaign was spotted by threat analysts at Vade, an AI-based email security service, who reported that the first messages to targets were sent out on July 22.
During the deployment, email distribution volumes spiked twice, once on July 28 and again on August 9, 2022, with more than 1,000 phishing messages per day.
Phishing messages sent to Instagram users (Vade)
The messages feature Instagram and Facebook logos and inform the recipient that their account is eligible for a blue badge, urging them to click on an embedded button that would take them to the relevant submission form.
Sample of the phishing email (Vade)
The users are warned that if they ignore the message, the form will be permanently deleted in 48 hours, creating a sense of urgency and the illusion of a limited opportunity.
The phishing form is hosted on a domain named “teamcorrectionbadges”, to make it appear as if Instagram uses a separate, dedicated domain to verify users.
The phishing process on that site relies on a three-stage form, each step showing Instagram, Facebook, WhatsApp, Messenger, and Meta logos, in an attempt to create a sense of legitimacy.
The second step in the phishing process
The first form requests “username”, the second asks the victim to enter “name”, “email”, and “phone number”, while the third and final step requests entering the user “password”, to supposedly verify that they own the account.
Once the victim completes the process, a message informs them that their account is now verified and that the Instagram team will contact them in the next two days. A phony case ID is also presented at this final step.
Message seen after getting phished (Vade)
How Instagram badges work
To understand how you can protect yourself from these scams, it is essential to know how Instagram’s verification program actually works.
First, the social media platform will never contact you offering a blue badge. Users can only get it by applying themselves.
Secondly, applying for verification is only possible through the official platform, never by visiting a separate domain.
Thirdly, Instagram blue badges are reserved for notable public figures, celebrities, and brands, so regular accounts aren’t eligible.
Phishing actors have been taking advantage of the vanity that characterizes many Instagram users.
Campaigns targeting social media users with phishing emails are very popular and are not limited to Instagram.
To safeguard your account, Instagram offers two-factor authentication for additional security, so even if you give away all your details to phishing actors, losing access to your account would be more complicated.