Phishing Campaign Targets Instagram Users, Steals Backup Codes and Circumvent 2FA Protection

A recent phishing scheme has emerged, posing as a 'copyright infringement' email to deceive Instagram users and pilfer their backup codes.
These codes, integral for the recovery of accounts, are used to circumvent the two-factor authentication safeguarding users' accounts.
Two-factor authentication is a security layer demanding an extra form of verification during login.
This commonly involves one-time passcodes sent via SMS, codes from authentication apps, or hardware security keys.
Employing 2FA is crucial in shielding accounts in the event of compromised credentials, requiring a threat actor to access the user's mobile device or email to gain entry.
Instagram, when enabling 2FA, provides eight-digit backup codes as a fail-safe for scenarios like changing phone numbers, losing a device, or email access.
These backup codes pose a risk if obtained by malicious actors, enabling them to seize Instagram accounts using unauthorized devices by exploiting the user's credentials, acquired through phishing or unrelated data breaches.
The phishing tactic involves sending messages alleging copyright infringement, claiming the user violated intellectual property laws, resulting in account restrictions.
Users are then prompted to click a button to appeal, leading them to phishing pages where they unwittingly provide account credentials and other information.
Trustwave analysts discovered the latest iteration of this attack, where phishing emails mimic Meta, Instagram's parent company.
The deceptive email warns users of copyright infringement complaints and urges them to fill out an appeal form to address the issue.
Clicking on the provided button redirects the victim to a fake Meta violations portal, where they are prompted to click another button, purportedly for confirming their account.
After acquiring these details, the phishing site requests confirmation of 2FA protection and, upon affirmation, demands the 8-digit backup code.
Despite identifiable signs of fraud, such as misleading sender addresses and URLs, the convincing design and urgency of the phishing pages could still deceive a significant number of targets into divulging their account credentials and backup codes.
The importance of safeguarding backup codes is emphasized, with users advised to treat them with the same level of confidentiality as passwords.
It is emphasized that there is never a legitimate reason to enter backup codes anywhere other than the official Instagram website or app, as a precaution against falling victim to such phishing campaigns.


This Cyber News was published on www.cysecurity.news. Publication date: Thu, 21 Dec 2023 17:13:05 +0000


Cyber News related to Phishing Campaign Targets Instagram Users, Steals Backup Codes and Circumvent 2FA Protection

New phishing attack steals your Instagram backup codes to bypass 2FA - A new phishing campaign pretending to be a 'copyright infringement' email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. Two-factor authentication is a ...
10 months ago Bleepingcomputer.com
Phishing Campaign Targets Instagram Users, Steals Backup Codes and Circumvent 2FA Protection - A recent phishing scheme has emerged, posing as a 'copyright infringement' email to deceive Instagram users and pilfer their backup codes. These codes, integral for the recovery of accounts, are used to circumvent the two-factor authentication ...
10 months ago Cysecurity.news
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
New Instagram Phishing Attack Steals 2FA backup Codes - A new phishing campaign targeting Instagram users has been discovered, which uses several different techniques to lure victims into phishing websites and steal Instagram's two-factor backup codes. Instagram backup codes are five eight-digit codes ...
10 months ago Cybersecuritynews.com
How to Know If Someone Screengrabs Your Instagram Story? - Instagram doesn't inform its users when their Story or Reel has been screengrabbed - no matter whether they have millions of followers or just an everyday account - which means their content could go unnoticed if it gets screengrabbed. Once again, ...
10 months ago Hackercombat.com
Payoneer accounts in Argentina hacked in 2FA bypass attacks - Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping. Payoneer is a financial services platform providing online money ...
9 months ago Bleepingcomputer.com
GitHub warns users to enable 2FA before upcoming deadline - GitHub is warning users that they will soon have limited functionality on the site if they do not enable two-factor authentication on their accounts. In emails sent to GitHub users on Christmas Eve, the company warned that all users contributing code ...
10 months ago Bleepingcomputer.com
MFA vs 2FA: Which Is Best for Your Business? - If a user falls for a phishing scam and their credentials are compromised, multi-factor authentication or two-factor authentication provide an additional safeguard against a breach. MFA uses authentication factors such as a pin, an SMS code, an ...
7 months ago Techrepublic.com
How to Temporarily Deactivate Instagram? - Instagram is an amazing social platform where you can stay in touch with your friends and influencers, but sometimes it can be too much. If Instagram has become too distracting or overwhelming for you to use effectively-whether for mental peace, ...
10 months ago Hackercombat.com
Spear Phishing vs Phishing: What Are The Main Differences? - Almost half of them used phishing to obtain the passwords of users. Highly targeted phishing campaigns against specific individuals or types of individuals are known as spear phishing. It's important to be able to spot phishing in general. For ...
9 months ago Techrepublic.com
What SOCs Need to Know About Water Dybbuk - According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail ...
1 year ago Trendmicro.com
"Quishing" you a Happy Holiday Season - QR Code phishing scams - What they are and how to avoid them. Originally invented to keep track of car parts in the early 90s, QR codes have been around for decades. Quishing, or QR Code phishing, exploits smartphone users scanning the 2D barcode, ...
10 months ago Netcraft.com
Top Characteristics of a QR Code Phishing Email - As campaigns using QR codes grow in size and complexity it is important to track not just the QR codes themselves, but also the context of the emails delivering the QR codes. Others use images embedded in the email or QR codes rendered from external ...
11 months ago Securityboulevard.com
Twilio will ditch its Authy desktop 2FA app in August, goes mobile only - The Authy desktop apps for Windows, macOS, and Linux will be discontinued in August 2024, with the company recommending users switch to a mobile version of the two-factor authentication app. Authy is an authenticator app that allows users to set up ...
9 months ago Bleepingcomputer.com
Flipping the BEC funnel: Phishing in the age of GenAI - For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic email and fire it out to thousands of recipients in the hope that a few might take the bait. Common among these new techniques was a shift towards ...
9 months ago Helpnetsecurity.com
Here's How To Steer Clear Of QR Code Hacking - QR codes, present for years and widely embraced during COVID-19, offer great benefits. Cybercriminals exploit them, creating malicious QR codes to unlawfully access your personal and financial data. These tampered codes pose a threat, potentially ...
9 months ago Cysecurity.news
Combat Phishing Attacks With AI-Powered Threat Protection - According to statistics, 81% of organizations have seen an increase in phishing emails since 2020, with an estimated 3.4 billion emails sent every day. AI-generated phishing emails are a sophisticated and evolving cybersecurity threat. ...
9 months ago Gbhackers.com
Mandiant says X account brute forced without 2FA protection The Register - Well, Mandiant's carefully worded response basically said it wasn't implemented. It didn't specifically point to the policy change X announced in February 2023, which was to disable SMS-based 2FA for users who didn't pay for Twitter Blue, but some ...
9 months ago Go.theregister.com
Watch out for "I can't believe he is gone" Facebook phishing posts - This phishing attack is ongoing and widely spread on Facebook through friend's hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform. As the posts come from your friends' ...
9 months ago Bleepingcomputer.com
Russian Cyberattackers Launch Multiphase PsyOps Campaign - Russia-linked threat actors employed both PysOps and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe. The ...
8 months ago Darkreading.com
QR Codes Used in 22% of Phishing Attacks - The Hoxhunt Challenge has unveiled alarming trends in employee susceptibility to phishing attacks, emphasizing the critical role of engagement in reducing human risk. The study, published today and conducted in 38 organizations across nine industries ...
11 months ago Infosecurity-magazine.com
QR Code 'Quishing' Attacks on Execs Surge, Evading Email Security - Email attacks relying on QR codes surged in the last quarter, with attackers specifically targeting corporate executives and managers, reinforcing recommendations that companies place additional digital protections around their business leadership. ...
8 months ago Darkreading.com
Phishing Campaign Exploits Open Redirection Vulnerability In 'Indeed.com' - Phishing remains one of the most prevalent challenges facing organisations, with more than three billion malicious emails estimated to be sent around the world every day. Owing to the prevalence of the problem, Verizon's 2023 Data Breach ...
7 months ago Cyberdefensemagazine.com
Business Data Backup and Recovery Planning - Data backup and recovery planning is essential in today's interconnected and data-driven business landscape. By understanding the significance of data backup and recovery planning, businesses can effectively protect their critical information and ...
8 months ago Securityzap.com
How to Scan a QR Code On iPhone - The iPhone offers multiple ways of scanning QR codes, but the quickest and easiest method is using its built-in camera app. Open your camera app and point at a QR code; a notification will appear in the lower-right corner of the screen. Follow the QR ...
10 months ago Hackercombat.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)