
Instagram Faces A New Phishing Attack Stealing 2FA Backup Codes

Instagram users are encountering a new phishing attack disguised as a copyright violation email. This deceptive technique aims to steal backup codes, enabling hackers to bypass the account’s two-factor authentication (2FA).

Two-factor authentication (2FA) improves account security by asking users to provide an additional method of verification during login. When 2FA is enabled on Instagram, users signing in from an unknown device must enter a code. Because of this extra layer, a threat actor who already has your password still needs access to your email or mobile device to get into the account.

If the primary device or email is unreachable, users can fall back on backup codes, a set of unique 8-digit numbers. Each code is valid for one-time use only, and a user can regenerate the complete list at any time from within their Instagram account.

Backup codes introduce a risk of their own. If threat actors obtain these codes, they can log into the Instagram account from other devices, provided they also know the user’s credentials, which they may already have obtained through phishing or a similar breach.
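To make the mechanics concrete, here is an added Python example (not Instagram’s code) of how a service can issue and consume backup codes as the article describes them: 8-digit, single use, and invalidated as a whole set on regeneration. It also raises an alert when a backup code is redeemed from an unrecognised device, which is exactly the condition this phishing campaign produces; the batch size and the device-check flag are assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple, List

CODE_LENGTH = 8       # Instagram backup codes are 8-digit numbers (from the article)
CODES_PER_BATCH = 5   # batch size is an assumption for this example


def _digest(code: str) -> str:
    # Store only a hash so a leaked table does not yield usable codes
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class BackupCodeStore:
    # digest -> True while unused; regenerate() replaces the whole mapping
    _codes: dict = field(default_factory=dict)

    def regenerate(self) -> List[str]:
        """Issue a fresh list; every previously issued code becomes invalid."""
        plain = [f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
                 for _ in range(CODES_PER_BATCH)]
        self._codes = {_digest(c): True for c in plain}
        return plain

    def redeem(self, code: str, device_known: bool) -> Tuple[bool, Optional[str]]:
        """Consume a code exactly once. Returns (accepted, alert_message)."""
        d = _digest(code)
        if not self._codes.get(d):        # unknown, already used, or superseded
            return False, None
        self._codes[d] = False            # single use: burn it immediately
        alert = None if device_known else "backup code redeemed from unrecognised device"
        return True, alert
```

The alert is the defender’s signal: a backup code used from a new device right after a password login is the footprint of an attacker who harvested both through a phishing page.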

The phishing emails encourage users to click a button to dispute the decision. Doing so redirects them to phishing websites, where they unknowingly hand over sensitive details such as their account credentials.

This copyright-violation lure is not new: it has been used against users of many platforms, including Facebook, and has notably helped distribute threats such as the LockBit ransomware and the BazaLoader malware.

Exposing the Most Recent Instagram Phishing Campaign

The attack begins by impersonating Instagram’s parent company, Meta. As Trustwave noted, fraudsters at this stage sent fake emails to a large number of victims.

The growing popularity of two-factor authentication (2FA) has compelled phishing actors to broaden their scope of attack. As more users adopt enhanced safety measures, attackers adapt their strategies to overcome such challenges, underscoring the importance of staying vigilant against emerging threats.

The email claims that an Instagram account has violated copyright regulations and gives the recipient 12 hours to submit an appeal form. It threatens to permanently delete the Instagram account if the user does not comply.

Phishing Emails with Google Link (Trustwave)

Upon clicking the link, the user lands on a phishing website that mimics Meta’s official violations portal. This fake site prompts the user to click another link misleadingly labelled “Go to Confirmation Form (Confirm My Account)”.

Clicking that link takes users to a phishing page styled as Meta’s “Appeal Centre.” This fake page requires victims to enter their username and password twice. Analysis revealed that the email came from the domain “contact-helpchannelcopyrights[.]com,” which is not a domain Meta owns.
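As an added detection example (not from Trustwave or the article), the check below refangs the sender domain quoted above, compares it against an allowlist of sender domains, and flags brand impersonation plus the lure wording the article describes. The allowlist of Meta sender domains and the sample headers are assumptions constructed for this example.

```python
import re
from email.utils import parseaddr

# Assumed allowlist of domains Meta legitimately sends from (illustrative, not from the article)
LEGIT_SENDER_DOMAINS = {"facebookmail.com", "mail.instagram.com", "instagram.com",
                        "facebook.com", "meta.com"}
BRAND_WORDS = ("meta", "instagram", "facebook")
# Lure phrases taken from the campaign description: copyright, violation, appeal, a short deadline
LURE_RE = re.compile(r"\b(?:copyright|violation|appeal|\d+\s*hours?)\b", re.I)


def refang(text: str) -> str:
    # Turn the defanged form "example[.]com" back into a real domain string
    return text.replace("[.]", ".")


def classify_sender(from_header: str, subject: str) -> dict:
    """Return why a message looks like a Meta/Instagram copyright phish (or not)."""
    display, addr = parseaddr(refang(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Accept the exact domain or any subdomain of an allowlisted domain
    allowed = any(domain == d or domain.endswith("." + d) for d in LEGIT_SENDER_DOMAINS)
    claims_brand = any(w in (display + " " + domain).lower() for w in BRAND_WORDS)
    return {
        "domain": domain,
        "allowed_sender": allowed,
        "brand_impersonation": claims_brand and not allowed,
        "lure_keywords": [m.lower() for m in LURE_RE.findall(subject)],
    }


# Constructed sample headers modelled on the campaign described in the article
PHISH_FROM = "Meta Copyright Team <support@contact-helpchannelcopyrights[.]com>"
PHISH_SUBJECT = "Copyright violation: appeal within 12 hours"
LEGIT_FROM = "Instagram <no_reply@mail.instagram.com>"
```

A message with `brand_impersonation` set and several lure keywords is a strong candidate for quarantine or a user-facing banner.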

After collecting the necessary information, the phishing website asks the target to confirm whether they have protected their account with 2FA. If verified, the website will then request the 8-digit backup code.

Phishing Attacks Targeting Account Backup Codes (Trustwave)

Meanwhile, the threat actors have continually refined these websites, as recent changes to the user interface (UI) show. Trustwave has also published a detailed report on this campaign, covering the lure approach, identification of the phishing sites, and other significant findings.

If you have entered your username or password on a suspicious link, someone else may gain unauthorised access to your account. If you can still log in, change your password and log out of any unknown devices as soon as possible. If your login credentials are rejected and you are locked out, Instagram provides an extensive guide on how to recover your account.

Treat your backup codes with the same care as you do your passwords. Keep them private and only use them on the official Instagram platform when required. For maximum security and a secure login experience on the website or app, stay away from inputting backup codes elsewhere.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness of these types of attacks. Phishing Tackle is a useful resource in this regard: they offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.

Although technology can help, it cannot spot 100% of phishing emails. User education is therefore essential for minimising the impact of any successful attack. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.
