Eastern theology professes the concept of ‘maya’, which literally means illusion. Seeing is not believing, and going only by what we see is the root cause of all worldly vices, according to that stream of thought. Nothing exemplifies this concept like Instagram, going by the number of scams that thrive on the visibility factor of the social media tool. The latest: a phishing campaign that lures Instagrammers with a ‘verified’ badge.
Lure of the blue tick
A ‘verified’ badge – that little blue check on one’s profile page – is quite coveted. News reports say just about one percent of Instagram users have undergone the verification process, which makes the checkmark exclusive. Scammers promising a ‘verified’ badge are luring Instagram users and phishing their login credentials, security researchers at Sucuri have found.
"In order to obtain these checkmark symbols, page owners must meet a list of various requirements and undergo a verification process with their social media provider," Sucuri researcher Luke Leal said in a blog post.
"When combined, all of these factors can lead someone to ignore the warning signs and fall victim to phishing attempts. We recently came across this page, which masquerades as a real Instagram Verification submission page," he said.
The phishing page urges visitors to click ‘Apply Now’, taking them to a series of phishing forms on the phishing domain instagramforbusiness[.]info. After submitting each form, the login information is sent via email to the hackers, giving them access to the victim’s social media page.
No dearth of scams
The popularity of the service and the naivete of the users have made Instagram a hotbed of scams.
SC Media UK wrote this week about scammers cynically exploiting people’s charitable instincts by pretending to send aid to Sudan in exchange for clicks so that they can accumulate followers.
ActionFraud, the UK’s fraud and cyber-crime reporting centre, recorded 356 scam attempts targeting Instagram users between October 2018 and February 2019. These "get rich quick" investment scams have siphoned away a total of £3,168,464 - an average of around £8,900 per person. The agency listed people aged 20-30 years as susceptible targets.
Popularity on Instagram also makes your profile a treasure trove for data hunters. Security researcher Anurag Sen discovered in May that a database of Instagram influencers had been left exposed without a password, allowing anyone to view the information. Each record contained public data scraped from influencer Instagram accounts.
In 2017, a group of hackers harvested the contact details of the most popular six million Instagram accounts and sold the data on the internet. Instagram conceded that there was a security lapse, though it did not specify the number of users affected.
Caution, the best defence
"Consumers should take a least-information-shared posture," Cybereason chief security officer Sam Curry commented on the exposed data. "Further, it is now past time for good hygiene with passwords and devices security. In particular, invest in a password vault and keep strong, unique passwords by site."
It is worth spending a little more time validating the legitimacy of a website before submitting any personal information, noted Corin Imai, senior security advisor at DomainTools.
"Phishing scams are often socially engineered to either scare the recipient into taking immediate action, such as clicking on a link or downloading an attachment, or to steal user credentials with the promise of something appealing, such as a free phone or, indeed, a 'verified' blue checkmark on Instagram," he said.
"To further protect online accounts, multi-factor authentication should be enabled wherever possible," he added.
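One way to automate the "validate the website first" advice is sketched below. It is an added example, not code from Sucuri or DomainTools. It checks a link's hostname against an allowlist of official domains and flags hosts that merely contain the brand name, as the phishing domain reported above does. The allowlist contents, the function names and the `.example` sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the brand really operates; extend for your own use.
OFFICIAL_DOMAINS = {"instagram.com"}
BRAND_TOKENS = ("instagram",)


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.]) so the indicator can be parsed."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname, ignoring userinfo, port and path."""
    s = refang(url)
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(s).hostname or ""
    return host.rstrip(".").lower()


def is_official(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(url: str) -> str:
    host = hostname_of(url)
    if not host:
        return "unparseable"
    if is_official(host):
        return "official"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious: punycode host"
    if any(tok in host for tok in BRAND_TOKENS):
        return "suspicious: brand name on a non-official domain"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # first entry is from the article; the rest are constructed
        "instagramforbusiness[.]info",
        "https://www.instagram.com/accounts/login/",
        "https://instagram.com.verify-badge.example/apply",
    ]
    for s in samples:
        print(f"{s:55} {classify(s)}")
```

The suffix comparison in `is_official` is the important part: a substring test such as `"instagram.com" in host` would accept the third sample, where the real domain appears only as a prefix label.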