As Christmas approaches and consumers often let down their guard about online security in their tired and busy states, a new phishing campaign is looking to steal Instagram backup codes to hijack accounts.
Spotted by Trustwave and published just days before the big day, attackers now look to be targeting victims not only for their credentials but also their backup codes.
Backup codes, which can only be used once, are designed to grant users (or attackers) access to their accounts in the event of not being able to use a 2FA code.
Watch out for this Instagram ‘copyright’ phishing email
The email in question appears to come from Meta, Instagram and Facebook’s parent company, and alerts victims to the (false) fact that their account has infringed some copyrights, instilling a sense of urgency that forces the victim into action.
The email links to an appeal form that must be completed within 12 hours to avoid the threat of permanent account deletion.
Though the branding is reasonably accurate, there are some tell-tale signs, including slightly odd spacing and grammar that you wouldn’t expect from a genuine email.
Trustwave also highlights how important it is to check the domain of any suspicious email before engaging – the domain “contact-helpchannelcopyrights[.]com” does not belong to Meta.
The malicious website, hosted by Squarespace-owned Bio Sites, handily presents a similar theme to the email. The attackers clearly hope that the consistency will throw suspicious would-be victims off the scent.
The site is where the victim shares their credentials and backup codes, granting the attacker full access to their account.
Fortunately, the overwhelming majority of phishing campaigns all display some key tell-tale signs that they are not genuine. No matter how busy we are, we should always take the time to do these basic checks before parting with any confidential data.
For more information, Trustwave has shared the full details of this particular attack on its website.