IT NEWS

Warning issued about Vice Society ransomware targeting the education sector

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint  Cybersecurity Advisory (CSA) after observing Vice Society threat actors disproportionately targeting the education sector with ransomware attacks.

Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable.

This CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. Following advisories about MedusaLocker and Zeppelin ransomware, this is the third CSA of 2022 that aims to provide technical information on ransomware variants and ransomware threat actors.

Vice Society

Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. Malwarebytes has been tracking the group since December 2020. Due to similarities in naming and tactics, we suspect there is a tie to the HelloKitty ransomware group. Both use the .kitty or .crypted file extension for encrypted files. According to CISA, the Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may just as easily deploy other variants in the future.

The group also operates a so-called ‘leak site’ where exfiltrated files are made available if the victims decide not to pay the ransom.

Tactics

Vice Society has been known to exploit known vulnerabilities in SonicWall products, and the set of vulnerabilities commonly referred to as PrintNightmare. The CSA also mentions the gang exploiting internet-facing applications without providing details.

Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase access, and exfiltrating data. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike, in order to move laterally.

Los Angeles Unified school district

In a recent example of a school district targeted by ransomware, the huge Los Angeles Unified School District fell victim to a ransomware attack. LAUSD is the second largest school district in the US, and the attack targeted the LAUSD’s information technology systems during the Labor Day weekend. Authorities moved to shut down many of the district’s most sensitive platforms over the weekend to stop the spread and restrict the damage, and by Tuesday most online services — including key emergency systems — were operating safely.

The attack resulted in staff and students losing access to email. Systems that teachers use to post lessons and take attendance also went down.

An investigation involving the FBI, the Department of Homeland Security and local law enforcement is underway.

Mitigation

From the example above we can see that constant monitoring and adequate intervention helped to limit the impact.

Besides IOCs and attack techniques, the CSA provides a lot of mitigation advice. Since the techniques used by the Vice Society group are far from unique, the advice is worth repeating because it works against a lot of similar ransomware operators.

But you should also realize that while it’s easy to say that you need reliable and easy to deploy backups, for example, it’s not always easy to follow that advice. It is well worth pursuing though, since it may save your bacon at one time or another.

Backups

Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Maintain offline backups of data, and regularly maintain backup and restoration. This makes it less likely that you will be severely interrupted, and/or only have irretrievable data, in the event of a ransomware attack.

Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

In a nutshell: Put your backups out of the reach of attackers, and make sure they work by testing that you can restore working systems from them.

Authentication

Require all accounts with password logins to meet the following standards for developing and managing password policies:

  • Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
  • Implement time-based access for accounts set at the admin level and higher
  • Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers
  • Store passwords using industry best practice password hashing functions
  • Implement password rate limits and lockouts
  • Avoid frequent password resets (once a year is fine)
  • Avoid reusing passwords
  • Disable password “hints”
  • Require administrator credentials to install software
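A compact illustration of several items from the list above (long passwords, a best-practice password hashing function, rate limits with lockouts, and no password hints), written as an added example rather than code from the advisory or from Malwarebytes. The length threshold, lockout limits, scrypt work factors and the in-memory account store are assumptions chosen for illustration.

```python
"""Password policy demo: scrypt hashing with per-user salt, constant-time
comparison, failed-attempt counting with a timed lockout, and no hint
field at all. Thresholds below are assumptions, not values from the CSA."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MIN_PASSWORD_LENGTH = 14            # assumption: CISA's floor is 8; we go longer
MAX_FAILURES = 5                    # assumption: failures allowed before lockout
LOCKOUT_SECONDS = 15 * 60           # assumption: how long an account stays locked
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # scrypt work factors (16 MiB)
SALT_LEN = 16


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> bytes:
    """Enforce the length policy and return salt || scrypt(password)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(SALT_LEN)     # unique random salt per user
    return salt + _scrypt(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_scrypt(password, salt), digest)


@dataclass
class Account:
    stored_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthStore:
    """In-memory account store (assumption: a real system would persist this)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._accounts: Dict[str, Account] = {}
        self._clock = clock

    def register(self, username: str, password: str) -> None:
        self._accounts[username] = Account(hash_password(password))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Lockout is per account."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            # Spend the same work as a real check so unknown usernames
            # cannot be told apart from wrong passwords by response time.
            _scrypt(password, b"\x00" * SALT_LEN)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if verify_password(password, acct.stored_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.register("teacher", "correct horse battery staple")   # constructed sample
    print(store.login("teacher", "correct horse battery staple"))  # ok
    for _ in range(MAX_FAILURES):
        store.login("teacher", "not the right passphrase")
    print(store.login("teacher", "correct horse battery staple"))  # locked
```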

Software

Use anti-malware software, and keep all operating systems, software, and firmware up to date. (Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.)

Networks

Segment networks to prevent the spread of ransomware and disrupt lateral movement. Identify, detect, and investigate abnormal activity with a network monitoring tool. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. Disable unused ports.

Email

Consider adding an email banner to emails received from outside your organization.

Disable hyperlinks in received emails.

Scripts

Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Stay safe, everyone!

How to set up an Android for your kids

Last week, we gave you some tips on how you can set up a new iPhone for your child to use as they start this school year. Today, we’ll look at doing the same for Android phones.

Setting up an Android isn’t very different from setting up an iPhone as both platforms follow a similar logic to making devices child-friendly. This makes it easier for you if you have children with different preferences for phone brands.

1. Set up a screen lock

With your child, figure out the best way they can screen lock their phone and open it quickly if needed. This could be a PIN, pattern, or password.

Opting to unlock with a swipe only may get your child to the home screen quicker—and stops them from making accidental calls or texts while the phone is in their pocket—but it’s not going to save them from anyone who wants to deliberately access their phone, especially if they do it behind your child’s back.

Android Help has a page on how to set a screen lock.

2. Ensure Find My Device is enabled

Google has a “Find My” feature baked into its Android OS. It’s called Find My Device, formerly Android Device Manager.

This feature automatically turns on if you’re signed in to a Google account on Android. To ensure the device can be found, Google lists what needs to be turned on for Find My Device to work. You can check out the list, and how to go about ticking off each item, on this page.

You can also use Find My Device to make the device play a sound (in case it’s lost in the house somewhere), secure the device by locking it down remotely, and wipe the device from afar (hopefully the last resort) if the device is truly lost or stolen and you don’t want any of your child’s data ending up in someone else’s hands.

3. Set up parental controls

A built-in parental control feature can be found in the Google Play Store app. It’s not on by default, so you have to enable this on your child’s phone. Your child won’t be able to turn this off again as you’ll be asked to create a PIN, which needs to be entered before anyone can fiddle with the parental control settings.

Here, you can restrict the apps (not the content) your child sees on the Play Store based on their age (PEGI rating).

If you need a step-by-step guide, Google has you covered.

4. Download and set up Family Link

Family Link is an additional Google parental control app. Download it from the App Store, and set it up. This offers parents and guardians more granular restrictions and limitations for their children.

Note that Family Link accounts are different from standard Google accounts. Once the app is installed, it’ll walk you through setting up that account.

As you go through the setup process, it’s worth talking to your child about what limitations you are putting on them when using the device, such as screen time, what apps they can use, purchase controls, etc., and why.

Allow them to share their thoughts about these limitations and restrictions. Create a dialogue with them so they feel listened to.

5. Use YouTube Kids instead of regular YouTube

For parents with young kids who don’t want them to see things they’re not supposed to see, YouTube Kids is an alternative to YouTube. It only plays kid-friendly content, doesn’t show ads, and doesn’t allow comments.

Of course, there’s always the possibility of some videos slipping through the filters. In one case, a video that overtly says it’s not for kids was falsely categorized by YouTube’s AI. Thankfully, it didn’t end up on YouTube Kids, but it’s still good practice to watch with your child every now and then, or you can sit them in the same room while they watch.

If you want finer control over apps, for example blocking them outright rather than merely restricting them, and you can’t get that from Google’s apps, you can seek help from third-party apps.

Finally

Navigating the internet is already tricky enough, and you need all the help you can get when introducing your kids to new territories as they grow up.

So, research, read a lot, and get expert opinions. Handing your child their first phone only happens once, but what happens afterward is a crucial stage of adjustment for your child and you!

Good luck!

Sextortionists used mobile malware to steal nude videos, contact lists from victims

In an international police operation supported by Interpol, law enforcement agencies have uncovered and dismantled an international sextortion ring that managed to extract at least US$ 47,000 from victims.

Sextortion is a form of cybercrime in which the victim is blackmailed by threatening to make embarrassing pictures or videos public. Interpol says there’s been a sharp rise in sextortion reports around the world in recent years, mirroring a rise in other types of cybercrime that has been made worse by the COVID-19 pandemic.

Tactics

In this particular sextortion ring, the cybercriminals contacted their victims—who were based mainly in Hong Kong (China) and Singapore—through online sex and dating platforms before asking them to download a mobile app via a hyperlink to engage in ‘naked chats’.

The application turned out to be malicious in that it was specifically designed to steal the contact lists from the affected phones. The syndicate then blackmailed victims by threatening to send the nude videos to their relatives and friends.

Law enforcement

The law enforcement agencies launched an investigation and in-depth analysis of a zombie command and control server which was hosting the malicious application. Combined with reports from victims, law enforcement zeroed in on the perpetrators, establishing a joint investigation between Interpol’s cybercrime division and police forces in Hong Kong (China) and Singapore.

So far, the investigation has traced 34 sextortion cases back to the uncovered syndicate. This may be just the tip of the iceberg, since sextortion victims are often too embarrassed to file a report.

Stephen Kavanagh, Interpol’s Executive Director of Police Services said:

“Sextortionists sometimes count on their victims feeling too much shame to go to the police, but reporting these crimes is often the first step to bringing these criminals to justice.”

#YouMayBeNext

In June, Interpol launched awareness campaigns to remind the public that cyberattacks can happen to everyone, at any time. The #YouMayBeNext campaign focuses on cybercrimes that involve extortion, including:

The campaigns advise victims of sextortion or other cybercrimes to do the following:

  • Cease all contact with the suspected cybercriminals
  • Do not pay or provide further images or information to the suspected cybercriminals
  • Keep or assemble any evidence of the crime
  • Report the crime to police

Unless you are a seasoned vigilante, that is solid advice, but the best advice is not to share any pictures over the internet that could be used to extort you, no matter who the recipient claims to be or how safe you think it will be. Even pictures shared for legitimate reasons are capable of getting people into a lot of trouble.

Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability

QNAP (Quality Network Appliance Provider) has warned users to update Photo Station to the latest available version.

The warning comes after QNAP detected that cybercriminals known as DeadBolt have been exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that are directly connected to the internet.

QNAP produces NAS (Network Attached Storage) devices, among other things. QNAP’s Photo Station is an online photo album that allows users to share photos and videos stored on their NAS with others over the internet. With Photo Station, users can drag and drop photos into virtual albums, which means they don’t have to create copies when they are needed in more than one album.

Deadbolt

The ransomware group responsible for this attack is generally known as DeadBolt. The name DeadBolt is also used in the file extension of the encrypted files that the group’s ransomware generates.

QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase.

The vulnerability

Little has been published about the vulnerability, except that the QNAP Product Security Incident Response Team (QNAP PSIRT) made the assessment and released the patched Photo Station app for the current version within 12 hours. All that was made clear is that the ransomware gang is exploiting a Photo Station vulnerability to encrypt QNAP NAS systems that are directly connected to the internet.

The vulnerability has been fixed in the following versions:

  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later

How to fix the QNAP Photo Station vulnerability

Update Photo Station to the latest available version, or switch to QuMagie.

Here’s how to update Photo Station:

  • Log on to QTS (the QNAP NAS Operating System) as administrator.
  • Open the App Center and then click the magnifying glass.
  • A search box will appear. Enter “Photo Station”.
  • Click Update and then OK.
  • The application will be updated.

Note: The Update button is not available if your version is already up to date.

Do not connect your NAS directly to the internet. To enhance the security of your NAS, QNAP recommends users use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. Or you can use another VPN of your choice.

Don’t share the WhatsApp ‘Martinelli’ phone hacking alert: It’s a hoax

Everyone loves a good campfire story prone to exaggeration. However, when told online it’s not quite got the same effect. Long ago, sites like Myspace would play host to very certain types of messages. “Don’t open this post from Johnny Cyberhack, or your account will be stolen and your C drive will be wiped”. Complete nonsense, but vague and scary hacking-themed missives will always find a receptive audience.

Chain letters, scam messages, and viral hoaxes tied to a threat often spread like wildfire. The latest is a rehash of an old “Martinelli” hoax that’s circulating again.

Martinelli: Back for another round of shenanigans

As reported by AFP, the older hoax has been repackaged for another round. This specific hoax has been bouncing around since at least 2017. The message, posted to Facebook but also seen on WhatsApp itself, reads as follows:

Dear friends, this is a warning that was aired on BBC radio this morning: If you are a WhatsApp user, please pay attention. A video titled ‘Martinelli’ will be released tomorrow. Please don’t open it – it will hack your phone and the impact cannot be reversed.

Also, if you receive a message about updating WhatsApp, do not click RUN. Please also warn your friends to not open a video titled the ‘Pope’s dance’. That video will change the combinations in your phone. Be careful because it is very dangerous.

Dancing Popes, hacked phones, and a Martinelli as a special bonus. It all sounds very bad for your mobile’s health, but it’s all a work of fiction.

Great Martinellis of our time

Our hacking friend Martinelli can be seen at work here in 2020. It even references “WhatsApp Gold”, a common fixture of WhatsApp themed scams:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called Martinelli do not open it, it hacks your phone and nothing will fix it. Spread the word. If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!! Now said on the news this virus is difficult and severe. Pass on to all.

Here’s an example of the same Martinelli missive from 2021. In fact, we can even see Martinelli receiving a #FALSO from law enforcement back in 2017:

No matter what our elusive Martinelli friend is up to, rest assured that nothing is going to happen to your phone, your files, or your WhatsApp. Messages like these are often shared by people who are just trying to help; there’s no malicious intent. Other times, messages which look like pranks or hoaxes can dovetail into actual scams.

Should you see a friend or relative posting up a message like the above in group chats, on Facebook, or anywhere else, do some digging. The endless text reuse means you can often pin down a fake warning in seconds. Point them in the direction of the debunking, and let them know you appreciate them trying to make things safer for their friends.

YouTuber on the run after allegedly swiping $55m from followers

We mostly hear about bogus advertising and offers via compromised accounts on Instagram or Facebook. Strict advertising rules on social media involve making it clear that someone is promoting an ad or offering up a risky venture.

However, sometimes things go wrong on other platforms like YouTube. The immediacy of video content combined with massive audiences makes it a perfect place to set up shop with shenanigans.

As it happens, all you need is a niche of your own and a little bit of virality to end up snared in a mess of “flee the country” proportions.

From dancing to running

A popular fashion and dancing YouTuber is on the run. Around $55m USD has allegedly been swiped by popular star Suchata Kongsupachak, AKA “Nutty” to her fans. The last video upload was around six months ago, and most of her content is dance tutorials and make-up promotions. What appears to be missing is the reason she bailed in the first place: Forex trading.

For the last few years, her 840k followers have watched numerous clips of dancing, fancy hotels, expensive cars, and literal bundles of money. The impression is very much of an influencer, with all the assumed wealth that such an endeavour implies.

Things can and do go wrong for YouTubers getting tangled up in advertising promotions or other types of offers on a regular basis. Last year, a streamer found themselves in the middle of an ill-advised skincare range promotion. In 2019, a Louis Vuitton bag giveaway went somewhat off the rails.

A $55m Forex scam, though, is definitely taking things to another level in “Oh no YouTube, what have you done” land.

More than 6,000 tales of woe

Nutty faces three charges, including fraud, with police claiming that she encouraged “more than 6,000 victims” to invest in a Forex trading company. The returns on investment were promised to be up to 35% on their contributions. Elsewhere, there’s mention of a guarantee of up to 100% returns. The alarm bells were clearly ringing at this stage, but people were too taken in by the lifestyle videos on display to care.

Police also referenced her various extravagant purchases displayed in her videos as a way of cementing the idea that any investment with her would be a solid deal. When she claimed her money was made via Forex trading, the money from her fans started flooding in from April onwards. Sadly, it all went wrong and just one(!) month later, Nutty posted an apology video on Instagram. It seems all the cash ended up with one broker, and some sort of problem prevented her from being able to retrieve any of the money. She apologised and promised to get everyone’s money back, along with a “free shop review for every victim”, which I’m sure was a thrilling offer for anyone with zero money in the bank.

The fans aren’t happy

Despite the money retrieval promises, Nutty is believed to have fled to Malaysia once a Thai court issued an arrest warrant. The victim currently missing $490,828 USD will presumably have to wait for his free shop review.

As for everyone else, the chance of recovering their money seems slim at this point. Investors have offered a sizable reward for information about her whereabouts, but so far she’s slipped the net.

Her YouTube account links to a variety of other social media channels. Interestingly, the link to Instagram takes you to an account called “Nutty (Scammer)”. Her actual Instagram account, found elsewhere, is the one playing host to the apology video. Did someone compromise the YouTube channel to make this link? Or does Nutty have several Instagram accounts, one of which has been hijacked?

Avoiding “Too good to be true” deals on YouTube

Social media is awash with scams and fake-outs. Even if the individual working as the face of a promotion is on the level, that doesn’t mean they haven’t been hoodwinked by people behind the scenes. You need to be incredibly careful where the YouTube activities below are concerned, as it’s easy to lose an awful lot of money in the fallout.

  1. Comment spam tailored to content in the video. Typically based around “free” gifts or other promotions, you could end up spending a small fortune for supposed shipping costs.

  2. Investment of any kind. There’s a reason people in suits with certificates on the wall tend to be the go-to source for investment opportunities, as opposed to your favourite YouTuber who is good at dancing. Whether it’s YouTube, Instagram, or anywhere else, promises of 100% return on your investment should be given the very widest of berths.

  3. Riches on display. Influencers have a non-stop supply of expensive travel and lifestyle videos. This may well encourage you to get on board with any deal, offer, or promotion. But consider this: much of what you see is simply fake. In many cases, the person holding or using an item doesn’t own it; it’s a promotional video for the benefit of both YouTuber and product maker. That fancy-looking private jet used as the launchpad for someone’s latest promotion launch? It’s not a private jet.

You may not have considered having to question the very nature of reality in order to avoid Forex trading scams, but it’s definitely needed. Stay safe out there!

Instagram receives record fine of $400M for abuse of children’s data

Ireland’s Data Protection Commissioner (DPC), the lead regulator in Europe for Meta and other tech giants, has slapped Instagram with a fine of €405M—roughly equivalent to $402M—following an investigation on how the company handled children’s data.

In the investigation that started in 2020, the DPC found Instagram had allowed children between the ages of 13 and 17 to operate business accounts. That meant their phone numbers and email addresses were made public, which is a clear violation of their privacy.

The DPC also found that some Instagram accounts owned by children were set as “public” by default, instead of “private.”

A spokesperson from Meta said in a statement:

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

A DPC spokesperson confirmed the fine with Reuters. He said that full details of the decision will be published next week.

This is the highest fine ever issued by the regulator, easily eclipsing the $267M fine to WhatsApp in 2021 and the $18.6M fine to Facebook in March 2022.

According to Politico, which first covered the story, the DPC has at least six investigations into other companies owned by Meta involving privacy violations.

Zero-day puts a dent in Chrome’s mojo

On Friday, Google announced the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as CVE-2022-3075. As with previous announcements, technical details about the vulnerability won’t be released until a certain number of Chrome users have already applied the patch.

Google is urging its Windows, Mac, and Linux users to update Chrome to version 105.0.5195.102.

CVE-2022-3075 is described as an “[i]nsufficient data validation in Mojo”. According to Chromium documents, Mojo is “a collection of runtime libraries” that facilitate interfacing with standard, low-level interprocess communication (IPC) primitives. Mojo provides a platform-agnostic abstraction of these primitives, which comprise most of Chrome’s code.

An anonymous security researcher is credited for discovering and reporting the flaw.

CVE-2022-3075 is the sixth zero-day Chrome vulnerability Google has had to address so far this year. The previous ones were:

  • CVE-2022-0609, a Use-after-Free (UAF) vulnerability, which was patched in February
  • CVE-2022-1096, a “Type Confusion in V8” vulnerability, which was patched in March
  • CVE-2022-1364, a flaw in the V8 JavaScript engine, which was patched in April
  • CVE-2022-2294, a flaw in the Web Real-Time Communications (WebRTC), which was patched in July
  • CVE-2022-2856, an insufficient input validation flaw, which was patched in August

Google Chrome needs minimal oversight as it updates automatically. However, if you’re in the habit of not closing your browser, or have extensions that may hinder Chrome from updating automatically, please check your browser every now and then.

Once Chrome notifies you of an available update, don’t hesitate to download it. The patch is applied once you relaunch the browser.


Stay safe!

A week in security (August 29 – September 4)

Last week on Malwarebytes Labs:

Stay safe!

Phishers use verified status as bait for Instagram users

Another Instagram phish is doing the rounds, and will appeal to a wide variety of platform users. Bleeping Computer reports that verified status is once again being dangled as bait.

The “importance” of being verified

Being verified gives the impression of status, or importance, on social media platforms. Often, verification is more about simply confirming that someone is in fact who they claim to be. There are many verified accounts out there for people you’ll not have heard of, and that’s perfectly fine. At the other end of the scale, it is definitely an additional status symbol for people who care about such things. It’s also very handy for confirming that high-profile accounts are in fact the real deal.

Scammers know this, and bank on it on a daily basis. Indeed, a whole sub-industry of fake verification services exists to part people from their money (and, potentially, accounts).

It’s not just the scams on the platform itself you have to be wary of. It’s the messages bouncing around off-platform too.

The phish in motion

No fewer than 1,000 phishing messages per day were sent in this particular campaign, peaking at the end of July and early August. The mails, branded to resemble official Instagram / Facebook missives, read as follows:

Your Instagram account has been reviewed by us and has been deemed eligible for a blue badge. To get your blue badge, please click the badge form button below and fill the form carefully. Make sure you fill out the form correctly and completely. Otherwise, your account will not be verified. If you ignore this message, the form will be permanently deleted within 48 hours.

An interesting scam combo, here. The usual splash of time-related pressure to get something done “or else”. Add to this the suggestion that the hard part, actually getting verified in the first place, is all but done. All you have to do is click a button and essentially say “yes please”.

Sounds great. Sounds too good to be true. (Because it is.)

You won’t get something for nothing

The bogus website, adorned with several Facebook-centric logos, asks for username, password, email, and phone number. Anyone filling out the form and hitting submit is going to be very disappointed. The only winner here is the scammer, who now has everything they need to steal the victim’s Instagram account.

As highlighted by Instagram, notability—”Your account must represent a well-known, highly searched for person, brand or entity”—is a seemingly non-negotiable part of the verification deal. You won’t grab verification, no matter how many promises those dubious verification services make.

If you’ve fallen for this, go and change your login details while there’s still time. Consider enabling Instagram’s two-factor authentication. You may be able to gain verification on other social media platforms even without what is considered to be a “notable” profile. As far as Instagram is concerned though, you’re just going to have to ignore those tempting email invitations.