Enver Ceylan presents himself online as a renaissance figure.
He is a Turkish social media consultant, musician and actor who has “played the lead role in several TV series and movies”, according to his website. Among their digital services: Helping Facebook and Instagram users with advertising issues and growing their accounts. One version of their website featured a form prominently asking TikTok users to fill in personal information to verify their accounts, a position usually reserved for notable figures.
“Your account has been followed for 30 days, and it has been determined that you are eligible to receive the TikTok Blue Badge,” their site said in English on June 9. A form under the TikTok logo, an animated musical note, asked for the user’s password, address and phone number.
If Ceylan’s promises sound too good to be true, that’s because they probably are. Sealing’s form disappeared shortly after the information was entered for Nerdshala’s test. Much of the site was evacuated before reappearing entirely in Turkey. (TikTok confirmed that the form was not valid.)
Almost every major platform offers some form of verification. Originally intended to authenticate accounts deemed to be of public interest, the badge has been turned into a status symbol that gives social media users bragging rights. This provides ample opportunities for scammers to manipulate the emotions of ambitious but unsuspecting users pursuing careers as influencers or creators.
Directing social media users to fake verification forms, as Ceylan has tried, is a tactic used to deceive people with personal information and take over their accounts. Scammers will also slide into direct messages on Instagram and entice users with the promise of verification. Variations of this scam have existed for years, but cybersecurity experts say they expect the scam to increase as people spend more time building their brand on social media.
Similarly, people who are verified usually have a large number of followers, which can make them prime targets for scammers or hackers trying to reach too many people. In 2020, hackers hijacked the accounts of high-profile Twitter users such as celebrities Kim Kardashian and Joe Biden, who were running for US president at the time, and nave users sent any messages to a specific cryptocurrency wallet. tempted with fake promises to double bitcoin. .
Declaring that you’ve just verified on social media can also make you a target if you want to get a blue badge on other social networks or if a hacker is trying to find a large number of accounts.
John Clay, vice president of threat intelligence at Trend Micro, said the IT security company has seen verification scams in nearly 70 countries. “It’s just a lure that gives criminals a chance to target these victims,” Clay said.
One social media user, who asked to remain anonymous for fear of retaliation, told Nerdshala that Ceylan presented a convincing pitch when he said he could verify the man’s Instagram account. Upon their request, the person provided them with a photograph holding an ID (though its number was unclear). After that, Ceylan was seen using the photo to take out the person’s social media accounts for impersonation.
The person said in an interview, “The real part of me was like, ‘Don’t fall for this scam’, but then he started sending all these videos and pictures.” “All these little red flags were running through my mind, but I was so excited. I wasn’t thinking clearly.”
Twitter said the user’s account was suspended for impersonation, but after further review it was determined it had been hacked. Instagram said it is securing the account. The company also closed Ceylan’s own account, though a new account soon emerged and is still online.
Nerdshala, which is owned by Red Ventures, contacted Ceylan and asked him about his work as a social media specialist. “I want to help you with what you need,” said a link in response to his email. Red Venture’s IT department said the link appeared to be a phishing attempt, noting that a security vendor had flagged it as malicious. Nerdshala was advised to avoid further contact with Ceylan.
Scammers have also taken advantage of the coronavirus pandemic to trick people into believing they can be verified. in one instagram direct message, an account called ig.verificationbadgeservice tried to lure users with the false claim that due to the pandemic the blue badges on Instagram were being taken directly through an online form instead of the application. The account is no longer on Instagram.
The Federal Trade Commission has warned that all kinds of scams have popped up on Facebook, Instagram and other social media sites during the pandemic. Losses from social media scams reached approximately $117 million in the first six months of 2020, roughly equivalent to the $134 million reported for all of 2019. Verification scams make up a fraction of that total, though it’s not clear how big of a piece it is.
Some Instagram accounts run by people claiming to be social media consultants promise verification for a fee of $1,000 or more.
One account, marion_digital, offered verification and 100,000 followers for $2,200. In a direct message on Instagram, the account holder told Nerdshala that he cannot guarantee account verification, but will write articles and marketing material on behalf of the client. Marion_Digital then “sends photos of those articles to Instagram and they then decide whether or not to allow the verification mark.”
The account declined to answer questions about where the articles appear or whether they ever verified anyone through this process. The account holder, who identifies himself as a social media consultant and marketing manager, said it only helps verify business pages. The user did not respond when asked why he uses a photo of Trayvon Martin, a black teenager who died in 2012, as his Instagram profile picture, sparking nationwide protests.
A spokesperson for Facebook, which owns Instagram, said selling or buying verification is against the social network’s rules.
A Facebook spokesperson said in a statement, “If we learn that verification was achieved maliciously, or that someone is selling verified accounts to others, we will take action that could result in permanent removal from Instagram.” is.” Sweeps both on and off the platform to remove malicious actors from Instagram.”
Omar Bham, a 32-year-old cryptocurrency blogger in Las Vegas, has received direct messages from an Instagram account claiming they can verify him on the photo-sharing service. Bham said he is trying to get verified on Instagram and other sites because a “crazy amount” of people are trying to impersonate him through fake social media accounts.
One account, elisasupporteam, asked her in a message to verify that she had an account so she could secure it a blue check mark. He reported Alyssa Supportem to Instagram because he suspected it was a scam. Account is no longer available.
instagram has said that it doesn’t directly message users asking for personal details like passwords, but has a section called “Email from Instagram” within the app.
People may fall prey to direct messages promising verification as a black market for Instagram badges has reportedly developed outside the service. In a direct message seen by Nerdshala, a verified Instagram user named Yusuf tells Bham that he can get him verified or provide “pre-created verified accounts.”
Some accounts claim to help verify other users, indicating their blue check mark as proof of success. An Instagram account’s profile named verify_account_569 says there may be a blue check mark for “cheap price”.
In an Instagram Story — a missing post on the photo-sharing service — Verify_account_569 said it found a blue checkmark for David Slotnick, a reporter for The Points Guy. It posted a photo of Slotnick’s verified account as evidence.
Slotnik says he was verified through his employer in March, but he started getting messages from strangers asking how to get the blue check mark around the time an Instagram Story with false information was posted. (The Points Guy is also owned by Red Ventures.)
Nerdshala messaged Verify_account_569, but the account does not accept new messaging requests from people it does not follow. Slotnick said he reported the account and story to Instagram but did not receive a response. The account is still active.
Nerdshala showed Web security researcher Luke Leal a TikTok verification form visible on the site of Ceylan, who works at GoDaddy. Lil said the form looks like it was created to phish for TikTok account login information. He added that Ceylan could have shut down the website as well, so the form appeared only once.
In addition to form, other signs point to Ceylan using Internet sites and social networks to masquerade as fake personalities. The site’s source code shows Ceylan copied his webpage from a website using Httrack, a service Lil said is commonly used by phishers to download websites.
On Google-owned YouTube and Spotify, where Ceylan is a verified artist, he appears on Death,…