Devious new phishing campaign looks to steal Instagram backup codes and hijack accounts

Backup codes, which can only be used once, are designed to grant users (or attackers) access to their accounts in the event of not being able to use a 2FA code.

Watch out for this Instagram 'copyright' phishing email

The email in question appears to come from Meta, Instagram and Facebook’s parent company, and alerts victims to the (false) fact that their account has infringed some copyrights, instilling a sense of urgency that forces the victim into action.

The email links to an appeal form that must be completed within 12 hours to avoid the threat of permanent account deletion.

Though the branding is reasonably accurate, there are some tell-tale signs, including slightly odd spacing and grammar that you wouldn’t expect from a genuine email.

Trustwave also highlights how important it is to check the domain of any suspicious email before engaging – the domain “contact-helpchannelcopyrights[.]com” does not belong to Meta.

The malicious website, hosted by Squarespace-owned Bio Sites, handily presents a similar theme to the email. The attackers clearly hope that the consistency will throw suspicious would-be victims off the scent.

The site is where the victim shares their credentials and backup codes, granting the attacker full access to their account. 

Fortunately, the overwhelming majority of phishing campaigns all display some key tell-tale signs that they are not genuine. No matter how busy we are, we should always take the time to do these basic checks before parting with any confidential data.

For more information, Trustwave has shared the full details of this particular attack on its website.

More from TechRadar Pro

• Worried you’ve been hacked? Here’s the best identity theft protection
• Boost your cybersecurity with the best firewalls and best endpoint protection
• This sneaky malware hijacks Google Forms to demand money in nasty phishing scheme