Attacker Impersonates Instagram and Uses Fake Verified Badge Notification to Steal Credentials
In this phishing attack, cybercriminals impersonate Instagram using a malicious domain, "businesscenterinfomail[.]com," to deceive recipients. The email falsely claims that the recipient’s account has been awarded a coveted Verified Badge, a symbol of authenticity and status on the platform. The target is instructed to click an embedded link to confirm the verification. However, should they click the button, they will be redirected to a phishing page designed to appear as a login portal for Meta Business Tools. The attacker will steal any information entered into the page. This attack capitalizes on the allure of social media verification and the trust recipients place in Instagram’s branding. The attacker manipulates the recipient into divulging sensitive information by mimicking official communications and exploiting the excitement around earning a Verified Badge. Users should always verify such notifications directly through the Instagram app or website and avoid clicking on unsolicited links in emails.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a newly created domain, contains no attachments, and was sent from an address with whom the recipient hasn’t previously communicated. Modern AI-powered email security solutions detect suspicious links in the email, identify the mismatch between the sender name and domain, and recognize that the sender domain doesn’t match any of the domains linked in the messages to flag this email as an attack correctly.
Phishing attack imitating an invitation from Instagram to accept a verified user badge
Malicious portal impersonating Meta’s branding to trick users into providing login credentials
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Newly Created Domain: This attack uses a recently created domain to bypass legacy filters that may not flag new or unknown domains as suspicious.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Unknown Sender: The email comes from a sender the recipient's email system has not interacted with before. Legacy security tools often struggle to assess the risk of new senders accurately.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.