{"id":11720,"date":"2018-08-24T09:00:07","date_gmt":"2018-08-24T13:00:07","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/instagram-hijack\/11720\/"},"modified":"2019-11-15T15:22:53","modified_gmt":"2019-11-15T11:22:53","slug":"instagram-hijack","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/instagram-hijack\/11720\/","title":{"rendered":"How Instagram accounts get hijacked"},"content":{"rendered":"<p><strong><br>\n(Post updated on August 29; Instagram has introduced applying for verification)<br>\n<\/strong><\/p>\n<p>Instagram is not just the second most popular social network in the world. It\u2019s also a means of income for numerous photo bloggers, models, and other Internet celebrities. Eye-catching accounts with many thousands of followers are of interest not only to fans, but also to cybercriminals. If such an account is stolen, the consequences can be nasty. But how exactly do Instagram accounts get hijacked, and how can you avoid yours getting snared?<\/p>\n<h2>Hijack method No. 1: Fake verification<\/h2>\n<p>You\u2019ve probably noticed a blue tick next to some Instagram accounts, a . Until very recently, these status symbols were worn by accounts belonging to celebrities, large companies, and popular bloggers. The sacred badge is especially important for accounts with large audiences because it adds prestige and distinguishes these accounts from fake ones. 
Getting hold of a badge wasn\u2019t that easy: There was no application form or \u201cbadge store\u201d\u2014 the social network decided for itself who to award them to.<\/p>\n<p>However, Instagram recently changed its policy regarding verification, and now you can request verification from the app (to do that, go to <em>Settings -&gt; Request Verification<\/em>) and get the badge if your account meets the necessary criteria.<\/p>\n<p>This change was implemented quite recently \u2014 on August 28, 2018 \u2014 and many users don\u2019t know exactly how to get the cherished blue tick. Scammers are, of course, exploiting that, creating sites that masquerade as Instagram help center pages and request details from Instagram users such as their username, password, e-mail address, full name, and date of birth \u2014 all for the promise of a badge.<\/p>\n<p>Having entered this data, the unsuspecting user is told to wait 24 hours for a decision, and not to change their account settings during this period. The information goes straight to the attackers, while the user just sits and waits, unaware that their account is now compromised.<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/08\/23193254\/instagram-hijacking-screen1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/08\/23193254\/instagram-hijacking-screen1.png\" alt=\"\" width=\"974\" height=\"801\" class=\"aligncenter size-full wp-image-11723\"><\/a><\/p>\n<p>This method can also be used to get personal information belonging to the victim, which can help the cybercriminals bypass two-factor authentication processes. To do this, criminals display a message saying that the support service may contact the account owner to clarify their details. When the \u201csupport service\u201d does make contact, it\u2019s the scammers themselves asking for an SMS code or other security information. 
They might also send a fake support service message requesting information supposedly needed for verification, which they can use when dealing with the real support service behind the account owner\u2019s back (the data requested might include, for example, a photo or other data that the genuine service might ask for).<\/p>\n<h3>Hijack method No. 2: Plain old phishing<\/h3>\n<p>Scammers are also continuing to use common phishing techniques to lure victims to a fake login or password reset page. For example, they might send a scary message saying that a user\u2019s account has been hacked or that their login credentials need updating, or simply offer to \u201crate a photo\u201d which supposedly requires the user to log in to the social network.<\/p><div id=\"attachment_11878\" style=\"width: 891px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/08\/23193306\/instagram-hijacking-screen2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-11878\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2018\/08\/23193306\/instagram-hijacking-screen2.png\" alt=\"\" width=\"881\" height=\"694\" class=\"size-full wp-image-11878\"><\/a><p id=\"caption-attachment-11878\" class=\"wp-caption-text\">Example of a phishing page mimicking an Instagram login<\/p><\/div>\n<p>With more than a billion users worldwide, Instagram has long been a target of choice for all kinds of scammers. Having hijacked an account, they get access to the user\u2019s personal information and messages. Not only that, the account can be used to spread spam, phishing, and malicious content. Quite often, on taking possession of an account, the attackers change the handle, profile photo, and e-mail address and phone number to which it is linked. 
That makes it nearly impossible for the true owner to restore access to their Instagram account.<\/p>\n<h3>How to protect against Instagram hijacking<\/h3>\n<p>As always, prevention is better than cure \u2014 especially if a cure is next to impossible. By observing these simple rules, you can stay safe:<\/p>\n<ul>\n<li>Don\u2019t click on suspicious links.<\/li>\n<li>Always check the address bar for the URL of the Web page. If instead of Instagram.com it says something like 1stogram.com or instagram.security-settings.com, get out of there quick, and don\u2019t even think about entering any personal data.<\/li>\n<li>Use the official social network app from the official store \u2014 such as Google Play for Android, or App Store for iOS.<\/li>\n<li>Don\u2019t use account login credentials for authentication on third-party services and apps.<\/li>\n<li>Use a reliable security solution that sifts out suspicious messages and blocks phishing pages. <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">Kaspersky Plus<\/a> can handle that task for you.<\/li>\n<\/ul>\n<p>Lastly, check out our <a target=\"_blank\" href=\"https:\/\/www.kaspersky.com\/blog\/keep-instagram-secure\/11045\/\" rel=\"noopener noreferrer nofollow\">post on how to configure Instagram properly<\/a>. It\u2019s a must-read for Instagram users.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Instagram hacking has been on the rise lately. 
Here\u2019s what you need to know to avoid losing your precious account.<\/p>\n","protected":false},"author":2473,"featured_media":11721,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486,9],"tags":[1327,734,489,521],"class_list":{"0":"post-11720","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"category-tips","9":"tag-hijacking","10":"tag-instagram","11":"tag-social-engineering","12":"tag-threats"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/instagram-hijack\/11720\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/instagram-hijack\/14013\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/instagram-hijack\/6051\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/instagram-hijack\/16004\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/instagram-hijack\/14286\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/instagram-hijack\/13338\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/instagram-hijack\/16789\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/instagram-hijack\/16178\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/instagram-hijack\/21103\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/instagram-hijack\/23585\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/instagram-hijack\/10857\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/instagram-hijack\/10746\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/instagram-hijack\/9645\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/instagram-hijack\/17521\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/instagram-hijack\/21358\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/instagram-hijack\
/23793\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/instagram-hijack\/17146\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/instagram-hijack\/20876\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/instagram-hijack\/20886\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/instagram\/","name":"Instagram"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11720","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2473"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11720"}],"version-history":[{"count":20,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11720\/revisions"}],"predecessor-version":[{"id":14620,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11720\/revisions\/14620"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11721"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11720"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11720"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=11720"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}