Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Devious new phishing campaign looks to steal Instagram backup codes and hijack accounts

Instagram application on the smartphone screen.

As Christmas approaches and consumers often let down their guard about online security in their tired and busy states, a new phishing campaign is looking to steal Instagram backup codes to hijack accounts.

Spotted by Trustwave and published just days before the big day, attackers now look to be targeting victims not only for their credentials but also their backup codes.

Backup codes, which can only be used once, are designed to grant users (or attackers) access to their accounts in the event of not being able to use a 2FA code.

The email in question appears to come from Meta, Instagram and Facebook’s parent company, and alerts victims to the (false) fact that their account has infringed some copyrights, instilling a sense of urgency that forces the victim into action.

The email links to an appeal form that must be completed within 12 hours to avoid the threat of permanent account deletion.

Though the branding is reasonably accurate, there are some tell-tale signs, including slightly odd spacing and grammar that you wouldn’t expect from a genuine email.

Trustwave also highlights how important it is to check the domain of any suspicious email before engaging – the domain “contact-helpchannelcopyrights[.]com” does not belong to Meta.

The malicious website, hosted by Squarespace-owned Bio Sites, handily presents a similar theme to the email. The attackers clearly hope that the consistency will throw suspicious would-be victims off the scent.

The site is where the victim shares their credentials and backup codes, granting the attacker full access to their account. 

Fortunately, the overwhelming majority of phishing campaigns all display some key tell-tale signs that they are not genuine. No matter how busy we are, we should always take the time to do these basic checks before parting with any confidential data.

For more information, Trustwave has shared the full details of this particular attack on its website.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.