Security
Headlines
HeadlinesLatestCVEs

Headline

Instagram verification services: What are the dangers?

We take a look at services claiming to offer verification of Instagram accounts, along with the many ways it can go wrong. The post Instagram verification services: What are the dangers? appeared first on Malwarebytes Labs.

Malwarebytes
#web#google#git#auth#sap

Instagram, like other social platforms, has a verification system for high profile accounts. A verified badge means Instagram has confirmed that the account is the authentic presence of a public figure, celebrity or brand.

Have you ever wanted to get your own account verified? We noticed a large number of Instagram accounts all claiming to offer this as a service. Quick, easy, guaranteed. Or so they claim. After digging into it, we had a few questions of our own.

Setting the scene

Here’s just some of the identical profiles we’ve seen promoting one specific verification service.

Most of the profiles contain the same information in the bio section. Here’s a typical example:

The verification process “takes 1-2 hrs”, has a 100% success rate, and payment is required before processing. You can send a direct message, or visit their shortened link for more information.

Forming an orderly line

The link in the bio section leads to a Google Docs form. Unless you view the document while signed into a Google account, you won’t be able to see the content or fill it in.

The service says it will submit your profile to Instagram for verification. Given the only way to do this as a regular user is submit it yourself via the app, this means the service would presumably need your login details to do it. This is highly relevant to our next line of investigation.

Of media partners and promotional agencies

One section of the form notes the slick, professional approach it has in relation to verification and third-parties:

  • We would like to share everything about our service and marketing strategy. We are the only legitimate agency that provides a guarantee of verification. If we are not able to get you the blue badge, we will refund your entire payment.
  • As you know we have a few talented Instagram media partners agencies. They will do everything for your verification with maintaining all the terms of Instagram authority. They are highly qualified to do that and have a high success rate.

As this article mentions, celebrities may work with agencies with access to Facebook’s Media Partner Support for verification instead. Incidentally, that’s another approach filled with booby-traps. Do we think any of these identical profiles are working to that level?

The form also lists several Instagram accounts which have been “successfully verified” as a result of its guidance. This includes one account which no longer exists, and a well known brand of cheese spread which doesn’t appear to post content anymore. We reached out to the two Instagram accounts which accept direct messages, but didn’t receive a reply.

With all of this in mind, it’s time to ask one of these accounts some questions directly.

Question time for an Instagram verification service

I sent a message to the profile highlighted up above.

I asked the following:

Hi, I have some questions about the verification process and was hoping you could answer before I sign up.

1) What are the fees, and which payment method do you use

2) The form says you use a “few talented Instagram media partner agencies”. Who are the agencies?

3) If there’s a 100% success rate, why is there a money back guarantee for unsuccessful applications?

4) How did you help to verify several accounts which are much older than your own?

5) Why is your own account not verified?

Thanks!

Question 5 is particularly important: with so many identical profiles, how do we even know which one is the real deal? If verification is so easy, where is their own verified profile badge?

At any rate, they only replied after a follow-up message, promised to answer my questions immediately, and promptly disappeared again. It seems my verified status is not to be, but on the evidence seen so far, I think I can live without paying someone money for the privilege.

How verify me scams on social media usually end

There’s a few likely final destinations for respondents of detail-free, evasive operations nestled inside dozens of spam accounts.

  1. They (eventually) send you a request for payment and a link to their processing tool of choice. Once you pay, you never see them or the money again. If you had as much difficulty as I did trying to get basic information from a supposed Instagram verifier, would you trust them with your money?
  2. You’re sent a link to a website asking you to fill in your details. The website is nothing more than a phishing page, grabbing personal details and login information. Worth noting that although the “service” I encountered above made use of a Google Docs form, it did not ask for logins.

@instagram our business page gets many scam imposter accts a week pretending to be us & asks our customers for money. We have tried 4 times to get verified without success. We tried again & got this. I assume this isn’t real but at this point I’m almost desperate enough. Fake? pic.twitter.com/8LuamvPnHI

— Sharpie (@itsmesharpie) March 24, 2021

  1. Either of these methods may involve a request for scans of identification. Sending scammers copies of your passport pages is never going to be a good idea. One of the most brazen combinations of most of these tactics can be seen in this CNET article from last year.

Safe verification practices

There’s a bit of mystery as to how certain sites verify individuals. Instagram is refreshingly straightforward and direct in its approach. It pretty much all boils down to preventing impersonation of “notable” individuals. If you’re in a big pile of press links, articles about you, things which have gained column inches somewhere, then you’re probably going to be verified.

Here’s some more information from the Head of Instagram, Adam Mosseri:

Follower count doesn’t matter. If you see someone claiming to offer verification based on follower count, you can safely disregard that entity. If you’re asked to login somewhere then don’t do it. And don’t send scans of identification documentation either.

The allure of verification on social media is too powerful for many people to resist, and that’s what scammers are banking on. If you believe you need it, by all means send in an application to your platform of choice. By the same token, think very carefully about entrusting non-verified spam accounts with your personal details, money, or even identity documents. It almost certainly won’t turn out to have been worth it.

Malwarebytes: Latest News

Meta takes down more than 2 million accounts in fight against pig butchering