New phishing attack steals your Instagram backup codes to bypass 2FA

A new phishing campaign pretending to be a 'copyright infringement' email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account.
Two-factor authentication is a security feature that requires users to enter an additional form of verification when logging into the account.
This verification is usually in the form of one-time passcodes sent via SMS text message, codes from an authentication app, or through hardware security keys.
Using 2FA helps protect your accounts if your credentials are stolen or purchased from a cybercrime marketplace, as the threat actor would need access to your mobile device or email to log into your protected account.
When configuring two-factor authentication on Instagram, the site will also provide eight-digit backup codes that can be used to regain access to accounts if you cannot verify your account using 2FA. This could happen for multiple reasons, such as switching your mobile number, losing your phone, and losing access to your email account.
Backup codes come with some risk, as if a threat actor can steal those codes, they can hijack Instagram accounts using unrecognized devices simply by knowing the target's credentials, which can be stolen through phishing or found in unrelated data breaches.
Copyright infringement phishing messages claim the recipient has posted something that violates intellectual property protection laws, and hence, their account has been restricted.
Recipients of these messages are urged to click a button to appeal the decision, which redirects them to phishing pages where they enter their account credentials and other details.
The latest variant of these attacks was spotted by Trustwave analysts, who report that the increasing adoption rate of 2FA protection pushes phishing actors to broaden their targeting scope.
The latest phishing emails impersonate Meta, Instagram's parent company, warning that Instagram users received copyright infringement complaints.
The email then prompts the user to fill out an appeal form to resolve the issue.
After siphoning these details, the phishing site asks the target if their account is protected by 2FA and, upon confirmation, requests the 8-digit backup code.
Despite the campaign being characterized by multiple signs of fraud, like the sender's address, the redirection page, and phishing page URLs, the convincing design and sense of urgency could still trick a significant percentage of targets into giving away their account credentials and backup codes.
Backup codes are meant to be kept private and stored securely.
Account holders should treat them with the same level of secrecy as their passwords and refrain from entering them anywhere unless necessary for accessing their accounts.
If you still have access to your 2FA codes/keys, there's never a reason to enter your backup codes anywhere other than within the Instagram website or app.
New Web injections campaign steals banking data from 50,000 people.
BazarCall attacks abuse Google Forms to legitimize phishing emails.
WordPress hosting service Kinsta targeted by Google phishing ads.
Qbot malware returns in campaign targeting hospitality industry.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 20 Dec 2023 19:40:10 +0000


Cyber News related to New phishing attack steals your Instagram backup codes to bypass 2FA

New phishing attack steals your Instagram backup codes to bypass 2FA - A new phishing campaign pretending to be a 'copyright infringement' email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. Two-factor authentication is a ...
1 year ago Bleepingcomputer.com
Phishing Campaign Targets Instagram Users, Steals Backup Codes and Circumvent 2FA Protection - A recent phishing scheme has emerged, posing as a 'copyright infringement' email to deceive Instagram users and pilfer their backup codes. These codes, integral for the recovery of accounts, are used to circumvent the two-factor authentication ...
1 year ago Cysecurity.news
How to Temporarily Deactivate Instagram? - Instagram is an amazing social platform where you can stay in touch with your friends and influencers, but sometimes it can be too much. If Instagram has become too distracting or overwhelming for you to use effectively-whether for mental peace, ...
1 year ago Hackercombat.com
How to Know If Someone Screengrabs Your Instagram Story? - Instagram doesn't inform its users when their Story or Reel has been screengrabbed - no matter whether they have millions of followers or just an everyday account - which means their content could go unnoticed if it gets screengrabbed. Once again, ...
1 year ago Hackercombat.com
GitHub warns users to enable 2FA before upcoming deadline - GitHub is warning users that they will soon have limited functionality on the site if they do not enable two-factor authentication on their accounts. In emails sent to GitHub users on Christmas Eve, the company warned that all users contributing code ...
11 months ago Bleepingcomputer.com
New Instagram Phishing Attack Steals 2FA backup Codes - A new phishing campaign targeting Instagram users has been discovered, which uses several different techniques to lure victims into phishing websites and steal Instagram's two-factor backup codes. Instagram backup codes are five eight-digit codes ...
1 year ago Cybersecuritynews.com
Payoneer accounts in Argentina hacked in 2FA bypass attacks - Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping. Payoneer is a financial services platform providing online money ...
11 months ago Bleepingcomputer.com
MFA vs 2FA: Which Is Best for Your Business? - If a user falls for a phishing scam and their credentials are compromised, multi-factor authentication or two-factor authentication provide an additional safeguard against a breach. MFA uses authentication factors such as a pin, an SMS code, an ...
9 months ago Techrepublic.com
"Quishing" you a Happy Holiday Season - QR Code phishing scams - What they are and how to avoid them. Originally invented to keep track of car parts in the early 90s, QR codes have been around for decades. Quishing, or QR Code phishing, exploits smartphone users scanning the 2D barcode, ...
1 year ago Netcraft.com
Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
10 months ago Techrepublic.com
Twilio will ditch its Authy desktop 2FA app in August, goes mobile only - The Authy desktop apps for Windows, macOS, and Linux will be discontinued in August 2024, with the company recommending users switch to a mobile version of the two-factor authentication app. Authy is an authenticator app that allows users to set up ...
11 months ago Bleepingcomputer.com
A Cybersecurity Risk Assessment Guide for Leaders - Now more than ever, keeping your cyber risk in check is crucial. In the first half of 2022's Cyber Risk Index, 85% of the survey's 4,100 global respondents said it's somewhat to very likely they will experience a cyber attack in the next 12 months. ...
1 year ago Trendmicro.com
Top Characteristics of a QR Code Phishing Email - As campaigns using QR codes grow in size and complexity it is important to track not just the QR codes themselves, but also the context of the emails delivering the QR codes. Others use images embedded in the email or QR codes rendered from external ...
1 year ago Securityboulevard.com
How to Scan a QR Code On iPhone - The iPhone offers multiple ways of scanning QR codes, but the quickest and easiest method is using its built-in camera app. Open your camera app and point at a QR code; a notification will appear in the lower-right corner of the screen. Follow the QR ...
1 year ago Hackercombat.com
Here's How To Steer Clear Of QR Code Hacking - QR codes, present for years and widely embraced during COVID-19, offer great benefits. Cybercriminals exploit them, creating malicious QR codes to unlawfully access your personal and financial data. These tampered codes pose a threat, potentially ...
11 months ago Cysecurity.news
Mandiant says X account brute forced without 2FA protection The Register - Well, Mandiant's carefully worded response basically said it wasn't implemented. It didn't specifically point to the policy change X announced in February 2023, which was to disable SMS-based 2FA for users who didn't pay for Twitter Blue, but some ...
11 months ago Go.theregister.com
What SOCs Need to Know About Water Dybbuk - According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail ...
1 year ago Trendmicro.com
QR Codes Used in 22% of Phishing Attacks - The Hoxhunt Challenge has unveiled alarming trends in employee susceptibility to phishing attacks, emphasizing the critical role of engagement in reducing human risk. The study, published today and conducted in 38 organizations across nine industries ...
1 year ago Infosecurity-magazine.com
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
1 year ago Trendmicro.com
Flipping the BEC funnel: Phishing in the age of GenAI - For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic email and fire it out to thousands of recipients in the hope that a few might take the bait. Common among these new techniques was a shift towards ...
11 months ago Helpnetsecurity.com
Watch out for "I can't believe he is gone" Facebook phishing posts - This phishing attack is ongoing and widely spread on Facebook through friend's hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform. As the posts come from your friends' ...
11 months ago Bleepingcomputer.com
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
2 months ago Aws.amazon.com
New ResumeLooters Gang Targets Job Seekers, Steals Millions of Resumes - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
10 months ago Hackread.com
New Rust-Based macOS Backdoor Steals Files, Linked to Ransomware Groups - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
10 months ago Hackread.com
New Malware "BunnyLoader 3.0" Steals Credentials and Crypto - Advertising presented to you on this service can be based on limited data, such as the website or app you are using, your non-precise location, your device type or which content you are interacting with. Information about your activity on this ...
9 months ago Hackread.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)