Be careful, this new phishing campaign is trying to steal your Instagram password

Hackers have launched a deceptive campaign aimed at tricking users into giving up their Instagram account login information and backup codes. The campaign compromises the security offered by two-factor authentication (2FA).

Two-factor authentication is an important layer of security that requires an additional form of verification when logging in. Instagram typically generates eight-digit backup codes for users who have set up two-factor authentication. These codes are an alternative way to access the account if primary authentication methods fail.

The same pattern has been used multiple times, including against Facebook users, facilitating infection chains for LockBit ransomware and BazaLoader malware, among others. Note that the dreaded LockBit ransomware is now targeting more users worldwide.

  • Users are sent an email warning them of copyright infringement and asked to appeal the decision.
  • By clicking the search button, users are redirected to a phishing site that mimics the Meta breach portal.
  • Users are then directed to a second phishing page, similar to Meta’s “Dispute Center” portal, where they are asked to enter their username and password.
  • Once the phishing site receives their account credentials, it asks users to verify whether their account is protected by 2FA.
  • Once approved, users have to provide the 8-digit backup code, which is an essential part of bypassing 2FA.

Despite obvious signs of fraud in the campaign, such as suspicious sender addresses and phishing page URLs, attackers rely on the urgency aspect of the email to make it effective against unsuspecting targets.
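The signs named above (a copyright-infringement claim, urgency, a sender address and link hosts outside the official domains) can be checked automatically when triaging reported mail. The following is an added example, not code from the campaign report; the domain allow-list, the keyword patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains this example treats as official for Instagram/Meta mail and links.
OFFICIAL = {"instagram.com", "facebookmail.com", "facebook.com", "meta.com"}
LURE = re.compile(r"copyright\s+(infringement|violation)", re.I)
URGENCY = re.compile(r"within \d+ hours|immediately|will be (deleted|disabled|suspended)", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_official(host):
    """True only for an official domain or a subdomain of one (suffix match on labels)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(raw):
    """Return the fraud signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    text = msg.get("Subject", "") + "\n" + body
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    if LURE.search(text):
        findings.append("copyright-lure")
    if URGENCY.search(text):
        findings.append("urgency")
    if not is_official(sender_host):
        findings.append("sender-not-official:" + sender_host)
    for host in sorted({urlparse(u).hostname or "" for u in URL.findall(body)}):
        if not is_official(host):
            findings.append("link-not-official:" + host)
    off_platform = any(f.startswith(("sender-", "link-")) for f in findings)
    verdict = "suspicious" if "copyright-lure" in findings and off_platform else "ok"
    return {"verdict": verdict, "findings": findings}

# Constructed samples (not real campaign messages).
PHISH = """From: Instagram Support <appeals@ig-help.example>
Subject: Copyright infringement notice

Your account will be deleted within 24 hours unless you appeal:
https://instagram.com.appeal-center.example/form
"""
LEGIT = """From: Instagram <security@mail.instagram.com>
Subject: New login to your account

Review this login at https://www.instagram.com/accounts/activity/
"""
```

The host check matches whole domain labels, so a lookalike such as `instagram.com.appeal-center.example` is flagged even though it begins with the real domain name.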

It is therefore important for users to be alert and wary of unexpected emails, especially those claiming copyright infringement. Official communications regarding these topics generally occur within the platform rather than via email. We can therefore only remind you to avoid clicking suspicious links and never to disclose sensitive information such as passwords or backup codes outside of the official Instagram site or app.

Remember that backup codes are confidential and should be treated with the same level of confidentiality as passwords. Sharing these codes in response to spam or on unverified websites may result in you losing access to your account. Fortunately, companies like Bitdefender are already working on artificial intelligence that can detect common online scams in seconds.
