Hackers are stealing Instagram credentials through a campaign promising users a verification badge.

According to Luke Leal, a security analyst at Sucuri, scammers have found a new method to trick users into handing over their Instagram account login credentials with the promise of giving them a “verified” status.

Scammers are using the phishing domain “instagramforbusiness[.]info”, where users are urged to fill out various forms that target their Instagram login information and then ask them to confirm their email address by entering their email address and password.

Once the form is submitted, the information is sent via email to the hackers, giving them unauthorised access to the victim’s Instagram page. Instagram often uses a variety of methods, including fingerprinting, to identify suspicious account logins; if suspicious activity is detected, the account is locked down with a warning.

To avoid this lockdown, attackers need access to either the phone number used to register the account or the email address, which is why the phishing page requests email login information.

Leal listed the giveaway signs that the phishing page is malicious: first, the domain name is not “instagram.com”; second, there is no “https”; and finally, Instagram will never ask for the password of a linked email account as confirmation.

“The lure of a social media verification checkmark symbol works great to entice unsuspecting victims. This is similar to the lure of “free” (i.e. nulled, cracked) products, like premium WordPress plugins or themes.

“As a rule of thumb, you should always verify the links you are clicking on and ensure that you are only submitting personal information on legitimate websites. Malicious users are actively looking for a chance to deceive their victims with phishing campaigns. Stay safe online!”

A spokesperson from Instagram told Threatpost:

“If we’re ever making an effort to contact you about an issue related to your account, we will notify you within the Instagram app in addition to other avenues.

“If you receive an email or another type of notification (text, etc.) that seems suspicious, you can open the Instagram app to check if you’ve gotten a notification about anything there. For extra security, we advise members of the Instagram community to ensure two-factor authentication is in place.”
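
The first two giveaway signs Leal lists (wrong domain, no HTTPS) can be checked mechanically before a link is followed. The Python sketch below is an added example, not code from Sucuri or Instagram; the function name, finding labels and sample URLs are constructed for illustration, and it assumes instagram.com is the only domain that should be accepted.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only legitimate domain is instagram.com.
LEGIT_DOMAIN = "instagram.com"


def check_login_url(url: str) -> list[str]:
    """Return the warning signs found in a URL (empty list means none found)."""
    # Reports often "defang" hosts as example[.]com; undo that before parsing.
    url = url.strip().replace("[.]", ".")
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["unparseable-url"]

    findings = []

    # Sign: the page is not served over HTTPS.
    if parts.scheme.lower() != "https":
        findings.append("not-https")

    # "https://instagram.com@other.example/" shows the brand name first, but
    # the text before "@" is only userinfo; the real host comes after it.
    if "@" in parts.netloc:
        findings.append("userinfo-in-url")

    # Sign: the domain is not instagram.com. Accept only the exact domain or a
    # true subdomain; a substring test would pass lookalike hosts.
    if not (host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)):
        findings.append("domain-not-instagram")
        if "instagram" in host:
            findings.append("brand-lookalike")

    return findings


if __name__ == "__main__":
    # Constructed sample URLs; the second uses the domain named in the article.
    for sample in (
        "https://www.instagram.com/accounts/login/",
        "http://instagramforbusiness[.]info/",
        "https://instagram.com.login.example/",
        "https://instagram.com@login.example/",
    ):
        print(sample, "->", check_login_url(sample) or "no warning signs")
```

An empty result only means these two URL-level signs are absent; the third sign, a form asking for the password of a linked email account, has to be judged from the page itself.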
