Across various social media platforms, verification checkmark symbols appear next to the name of the account whose page we are viewing. For example, this verified account indicator seen from our Twitter page:
These verification checkmarks exist as a credibility indicator to help show authenticity and integrity to social media page visitors.
In order to obtain these checkmark symbols, page owners must meet a list of various requirements and undergo a verification process with their social media provider.
The Quest for Instagram Verification Checkmarks
These strong requirements also lead to a sort of exclusivity around the verification checkmark.
Reportedly only 1% of Instagram users have undergone the verification process. Instagram’s explosion in popularity, along with the exclusivity of the verification checkmark, has led to verification being highly desirable for many users, though this sentiment exists on other social media platforms like Twitter.
I want to be verified on Instagram. I crave that blue check next to my name. Why? Basically because none of my friends are verified, so the verification will prove I’m better than them; which I always suspected.
– A joke by the writer, which showcases the desire many users have for being verified
While the majority of users may want the verification symbol for bragging rights, having the symbol can also help monetize a social media page. This is driving some users to pursue any way possible to obtain the coveted verification checkmark for their profiles.
A Phishing Campaign for Instagram Users
When combined, all of these factors can lead someone to ignore the warning signs and fall victim to phishing attempts. We recently came across this page, which masquerades as a real Instagram Verification submission page:
After clicking Apply Now, it begins a series of phishing forms on the phishing domain instagramforbusiness[.]info. This form targets the victim’s Instagram login information and then asks them to confirm their email address…by asking for their email address and password credentials.
After submitting each form, the login information is sent via email to the hackers. This provides them with unauthorized access to the victim’s social media page. Instagram employs fingerprinting and a variety of other methods to determine suspicious account logins. If detected, they lock down the account with a “Suspicious Login Attempt” warning.
In order to avoid this account lockdown, attackers need one of two things: access to the phone number used to register the account (if applicable, as Instagram doesn’t require a phone number for signup) or access to the email address associated with the profile.
This explains why hackers also target associated email login information on this phishing page. It allows them to reset and verify ownership of the phished Instagram account should the “Suspicious Login Attempt” warning be triggered.
Looking for Signs of a Phishing Campaign
Don’t let your situational awareness be lowered by the promise of an exclusive item or status. There were a number of clear signs that this page was malicious:
- The domain name is clearly not instagram.com.
- A lack of HTTPS results in insecure warnings in visitors’ browsers. Large websites like Instagram typically use HTTPS, especially when handling login information and other sensitive information.
- Instagram will never ask for a linked email account’s password as confirmation. It will use the standard method of sending an email with a verification link for you to click.
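The three signs above, written as a small triage function for a page that claims to be Instagram (an added example, not code from the original post). The URL scheme and path and the form markup in `SAMPLE_FORM` are constructed for illustration, and treating any password field served off instagram.com as the third sign is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "instagram.com"  # the only domain treated as genuine here
BRAND = "instagram"


def refang(url):
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)


class _PasswordFieldCounter(HTMLParser):
    """Counts <input type="password"> elements in a page."""
    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.count += 1


def phishing_signs(url, html=""):
    """Return the warning signs from the list above that apply to this page."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact match or true subdomain only: "notinstagram.com" must not pass.
    official = host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)
    signs = []
    if not official:
        signs.append("domain is not instagram.com")
        if BRAND in host:
            signs.append("brand name used in a look-alike host")
    if parts.scheme != "https":
        signs.append("no HTTPS")
    counter = _PasswordFieldCounter()
    counter.feed(html)
    if not official and counter.count:
        signs.append("password requested off the official domain")
    return signs


# Constructed sample input: this form markup is invented for illustration.
SAMPLE_FORM = '<form><input name="email"><input type="password" name="email_password"></form>'

if __name__ == "__main__":
    for u in ("http://instagramforbusiness[.]info/", "https://www.instagram.com/accounts/login/"):
        print(u, "->", phishing_signs(u, SAMPLE_FORM))
```

The host comparison is deliberately strict: a name that merely contains or ends with the brand string is still reported as a look-alike.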
The lure of a social media verification checkmark symbol works great to entice unsuspecting victims. This is similar to the lure of “free” (i.e., nulled or cracked) products, like premium WordPress plugins or themes.
As a rule of thumb, you should always verify the links you are clicking on and ensure that you are only submitting personal information on legitimate websites. Malicious users are actively looking for a chance to deceive their victims with phishing campaigns. If you are looking for a website security solution, we will be happy to help you.