A new phishing campaign targeting Instagram users has been discovered, which uses several different techniques to lure victims into phishing websites and steal Instagram’s two-factor backup codes.
The threat actors use the “Copyright Infringement” template along with some context, creating a sense of urgency for the users to take prompt actions.
Instagram backup codes are five eight-digit codes used when users want to log in to an unrecognized device when two-factor authentication has been enabled. This list of backup codes can be regenerated when the users log into their Instagram accounts.
Instagram Phishing Attack Steals 2FA Backup Codes
According to a report by TrustWave, during the initial phase of the attack, the attackers impersonated Meta, which is the parent company of Instagram, and sent emails to multiple victims.
The email states that an Instagram account infringed copyrights and an “appeal form” must be filled in 12 hours. Failing to do so, the Instagram account will be permanently deleted according to the threat actors’ email.
Users are redirected to a fake meta website When they click on the embedded button in the email. However, on analysis, it was noticed that the email was generated from the domain “contact-helpchannelcopyrights[.]com” which is not owned by Meta.
The Fake Meta site
The victims landed on the fake Meta website, which appears to be hosted on Bio sites, a platform for tracking users’ traffic. This website acts as a bridge to the actual phishing website as the “Got to Confirmation Form” button redirects the users.
The final phishing website is hosted on help-copyrightservice[.]com/forms/2394919023, posing as a legitimate Meta Portal Appeal center along with a “Continue” button. Clicking on this button takes the user to the next step and asks for a username and password.
Once the users enter their credentials, it asks whether their two-factor authentication is enabled for the account. If the users click “Yes”, the website asks for the backup code and redirects them to the next page. The final page of this website asks for the user’s email address and phone number.
However, threat actors have continuously enhanced these websites as the UI seems to have changed recently. Furthermore, a complete report about this phishing campaign has been published, providing detailed information about the lure method, website identifications, and other information.
Indicators of Compromise
- hxxps://notifications[.]google[.]com/g/p/ANiao5o1EFnOXe7ZtpiB3GPiSGjA_P9MAahAzZiwf_NPOiblgypFgRvmJNiJE8BYV114DZStcHbGehPWMX3Fv1A-WUMYXzsqasXHSUAXkoE45JCj4i5SxOvwyurHuVlXOgByVR0xRlnsX8-pmOpvVGl2uCjdV3kWjyc2xs2p_585dVP4wfN417eDVprO-jwgU7jtURV-dN6x7ekuU33DHJc7-tN1Pdfhcg
- hxxps://bio[.]site/ignotificationcenters[.]com
- hxxps://bio[.]site/MetaSupportForCenter
- hxxps://bio[.]site/lgsecurited
- hxxps://bio[.]site/mediacenterbussienshelp
- hxxps://bio[.]site/from
- hxxps://help-copyrightservice[.]com/forms/2394919023
- hxxps://metaglobalsecuritys.com/appeal/923759232
- hxxps://mediahelpcenters[.]com/status-notification/-33/
- hxxps://copyrightforappealform[.]com/344742354/
- hxxps://mediacenterbussienshelp[.]ml/
- hxxps://metafacebookcenter[.]com/887133/
.webp "CrowdStrike filed a FORM 8-K to Clarify the Friday’s Update Event"){kind=small}
