Security researchers at Trustwave have recently uncovered a phishing campaign that masquerades as a ‘copyright infringement’ email. This deceptive campaign is designed to illicitly obtain Instagram users’ backup codes, thereby enabling malicious actors to circumvent the two-factor authentication established on the targeted accounts.

Two-factor authentication is an extra layer of security that requires an additional form of verification when logging in to an account.

If two-factor authentication is enabled, Instagram lets users log in to their account from an unrecognized device by requiring a code. If the device or email is no longer accessible, the user’s backup codes can be used instead. Backup codes consist of five 8-digit numbers. Each code can be used once, and the entire list can be regenerated whenever the user logs into the Instagram account.
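As an added illustration (not code from Instagram or from the Trustwave report), the following models the backup-code behaviour described above: five 8-digit codes, each redeemable once, and a regeneration that invalidates the whole previous list. The hashed storage and the class name are assumptions; the point it shows is that a code captured by a phishing page stops working as soon as the victim uses it or regenerates the list.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 5     # five codes per list, as described above
CODE_DIGITS = 8    # each code is an 8-digit number


class BackupCodes:
    """Single-use backup codes kept only as salted hashes (assumed design)."""

    def __init__(self):
        self.salt = b""
        self.hashes = []
        self.regenerate()

    @staticmethod
    def _hash(salt, code):
        return hashlib.sha256(salt + code.encode()).hexdigest()

    def regenerate(self):
        """Issue a fresh list; every code from the previous list is invalidated."""
        self.salt = secrets.token_bytes(16)
        codes = [
            f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            for _ in range(CODE_COUNT)
        ]
        self.hashes = [self._hash(self.salt, c) for c in codes]
        return codes  # plaintext is shown to the user once and never stored

    def redeem(self, code):
        """Accept a code exactly once; a replayed code (e.g. one phished
        earlier and already spent by the victim) is rejected."""
        digest = self._hash(self.salt, code.strip())
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):
                del self.hashes[i]
                return True
        return False

    def remaining(self):
        return len(self.hashes)
```
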

New Instagram Phishing Campaign

The email, which claims to be from Instagram’s parent company, Meta, insinuates that the recipient’s Instagram account infringed copyrights. The attacker attempts to create a sense of urgency with the message that an appeal must be filed within 12 hours by clicking the “appeal form” button in the email, or else the account will be permanently deleted. Once the user clicks on the button, they are redirected to a fake Meta site.

Image: Trustwave

When the user clicks the appeal form button in the email, they are redirected to a site hosted on Bio Sites, a Squarespace platform that offers quick and easy creation of a one-page website. Users can track the traffic on their Bio Sites pages and monetize their digital content.

Image: Trustwave

The site bio[.]site/ignotificationcenters[.]com is masquerading as Meta’s central portal for violations and echoes the theme in the phishing email. This site serves as the bridge to the actual phishing website to which the user is redirected if they click the button “Go to Confirmation Form (Confirm My Account)”.


The phishing site help-copyrightservice[.]com/forms/2394919023, which poses as a fake Meta “Appeal Center” portal, is hosted on a newly created domain. Once the user clicks the “CONTINUE” button, a series of prompts asks for specific user information. Every time the user clicks continue, the data is sent to the spammers. The only input validation the phishing site performs is a check that the box is not empty.

Image: Trustwave

The first pieces of information requested from the user are the username and password. The password is requested twice, perhaps hoping the user will submit another often-used password. After providing the passwords, the user is asked if two-factor authentication is enabled on the Instagram account.

Image: Trustwave

A bogus two-step security verification confirmation page is displayed next. If the user confirms by clicking the “YES” button, this is when a backup code is requested. Finally, the last page is shown, and this is where the user’s email address and phone number are collected.

Image: Trustwave

Backup codes are intended to be treated with utmost confidentiality and securely stored. Account holders are advised to accord these codes the same level of secrecy as their passwords, refraining from entering them unless necessary for accessing their accounts.