• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Fake Instagram Verification

Fake Instagram Verification

June 26, 2019Luke Leal

34
SHARES
FacebookTwitterSubscribe

Across various social media platforms there are verification checkmark symbols that appear near the name of the account’s page we view. For example, this verified account indicator seen from our Twitter page:

Verified Social Media Account

These verification checkmarks exist as a credibility indicator to help show authenticity and integrity to social media page visitors.

In order to obtain these checkmark symbols, page owners must meet a list of various requirements and undergo a verification process with their social media provider.

The Quest for Instagram Verification Checkmarks

These strong requirements also lead to a sort of exclusivity around the verification checkmark.

Reportedly only 1% of Instagram users have undergone the verification process. Instagram’s explosion in popularity, along with the exclusivity of the verification checkmark, has led to verification being highly desirable for many users, though this sentiment exists on other social media platforms like Twitter.

I want to be verified on Instagram. I crave that blue check next to my name. Why? Basically because none of my friends are verified, so the verification will prove I’m better than them; which I always suspected.

– A joke by the writer, which showcases the desire many users have for being verified

While the majority of users may want the verification symbol for bragging rights, having the symbol can also help monetize a social media page. This is driving some users to pursue any way possible to obtain the coveted verification checkmark for their profiles.

A Phishing Campaign for Instagram Users

When combined, all of these factors can lead someone to ignore the warning signs and fall victim to phishing attempts. We recently came across this page, which masquerades as a real Instagram Verification submission page:

Verified Instagram Phishing Page

After clicking Apply Now, it begins a series of phishing forms on the phishing domain instagramforbusiness[.]info. This form targets the victim’s Instagram login information and then asks them to confirm their email address…by asking for their email address and password credentials.

Instagram Email Confirmation Phishing

After submitting each form, the login information is sent via email to the hackers. This provides them with unauthorized access to the victim’s social media page. Instagram employs fingerprinting and a variety of other methods to determine suspicious account logins. If detected, they lock down the account with a “Suspicious Login Attempt” warning.

In order to avoid this account lockdown, attackers need one of two things: access to the phone number used to register the account (if applicable as Instagram doesn’t require a phone number for signup) or access to the email address associated with the profile.

This explains why hackers also target associated email login information on this phishing page. It allows them to reset and verify ownership of the phished Instagram account should the “Suspicious Login Attempt” warning be triggered.

Looking for Signs of a Phishing Campaign

Don’t let your situational awareness be lowered by the promise of an exclusive item or status. There were a number of clear signs that this page was malicious:

  • The domain name is clearly not instagram.com.
  • A lack of HTTPS results in insecure warnings in visitor’s browsers. Large websites like Instagram typically display HTTPS, especially when handling login information and other sensitive information.
  • Instagram will never ask for a linked email account’s password as confirmation. It will use the standard method of sending an email with a verification link for you to click.

Conclusion

The lure of a social media verification checkmark symbol works great to entice unsuspecting victims. This is similar to the lure of “free” (i.e nulled, cracked) products, like premium WordPress plugins or themes.

As a rule of thumb, you should always verify the links you are clicking on and ensure that you are only submitting personal information on legitimate websites. Malicious users are actively looking for a chance to deceive their victims with phishing campaigns. If you are looking for a website security solution, we will be happy to help you.

34
SHARES
FacebookTwitterSubscribe

Categories: Security Education, Sucuri, Website SecurityTags: Black Hat Tactics, Phishing

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Get Peace of Mind

2019 Threat Report

WAF Free Trial

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.