With Christmas approaching and tired and busy consumers often letting their guard down about online security, a new phishing campaign is trying to steal backup codes from Instagram to hijack accounts.
Spotted by Trustwave and published just days before the big day, attackers now appear to be targeting victims not only for their login credentials, but also for their backup codes.
Backup codes, which can only be used once, are intended to give users (or attackers) access to their accounts if they are unable to use a 2FA code.
Beware of this 'copyright' phishing email on Instagram
The email in question appears to come from Meta, Instagram, and Facebook's parent company, alerting victims to the (false) fact that their account has infringed certain copyrights, creating a sense of urgency that prompts the victim to action forces.
The email links to an appeal form that must be completed within 12 hours to avoid the threat of permanent account deletion.
While the branding is fairly accurate, there are some telltale signs, including slightly odd spacing and grammar that you wouldn't expect from a real email.
Trustwave also emphasizes the importance of checking the domain of suspicious email before engaging with it – the domain “contact-helpchannelcopyrights(.)com” does not belong to Meta.
The malicious website, hosted by Squarespace-owned Bio Sites, conveniently presents a similar theme to the email. The attackers clearly hope that the consistency will lose track of suspected potential victims.
On the site, the victim shares his login details and backup codes, giving the attacker full access to his account.
Fortunately, the vast majority of phishing campaigns all show some key clues that they aren't real. No matter how busy we are, we should always take the time to perform these basic checks before handing over any confidential information.
For more information, Trustwave has shared the full details of this specific attack on its computer website.