Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Instagram Phishing Targets Backup Codes

Recently, we noticed another strain of Instagram “Copyright Infringement” phishing emails in our spam traps. In this version, in addition to targeting Instagram credentials, the cybercriminals also aim to obtain the victim’s Instagram backup codes. This campaign is an enhanced version of what we reported on the SpiderLabs blog titled “Insta-Phish-A-Gram”.

Our recent finding follows the same theme, with the phishers now collecting a new type of user information, which at that time was the phone number.

If two-factor authentication is enabled, Instagram allows its users to log in to their account with an unrecognized device by requiring a code. . If the device or email is no longer accessible the user’s backup codes can be used. Backup codes consist of five 8-digit numbers. Each code can be used once, and the entire list can be regenerated whenever the user logs into the Instagram account.

 

Instagram-Phishing-1Figure 1: Instagram's backup codes

 

The Initial Vector

The email, which claims to be from Instagram’s parent company, Meta, insinuates that the recipient’s Instagram account infringed copyrights. The attacker attempts to create a sense of urgency with the message that an appeal must be filed within 12 hours by clicking the “appeal form” button in the email, or else the account will be permanently deleted. Once the user clicks on the button, they are redirected to a fake Meta site.

  

Instagram-Phishing-2Figure 2: Instagram copyright infringement themed phishing email which contains a Google notification link

On closer examination of the email, the following suspicious elements are apparent:

  • the sender’s domain “contact-helpchannelcopyrights[.]com” does not belong to Meta or Instagram
  • the appeal button is labelled “Go to appeal form” but referred to in the preceding text as “Go to Form”
  • the appeal form button links to a Google Notification URL

 

Fake Meta Sites

When the user clicks on the appeal form button in the email they will be redirected to a site hosted on Bio Sites, a platform from Squarespace that offers a few quick and easy creation of a one-page website. Users can track the traffic on their Bio Sites webpages and monetize their digital content.

 

Instagram-Phishing-3Figure 3: Both fake Meta sites; the site on the left redirects to the actual phishing site which is the page on the right

 

The site bio[.]site/ignotificationcenters[.]com is masquerading as Meta’s central portal for violations and echoes the theme in the phishing email. This site serves as the bridge to the actual phishing website to which the user is redirected if they click the button “Go to Confirmation Form (Confirm My Account)”.

The phishing site help-copyrightservice[.]com/forms/2394919023, which poses as a fake Meta “Appeal Center” portal, is hosted on a newly created domain. Once the user clicks the “CONTINUE” button, a series of prompts asks for specific user information. Every time the user clicks continue, data is sent to the spammers. The phishing site only validates the input box if it’s empty.

 

Instagram-Phishing-4Figure 4: The phishing pages where the username and password are retrieved.

 

The first pieces of information requests from the user are the username and password. The password is requested twice, perhaps hoping the user will submit another often-used password. After providing the passwords, the user is asked if two-factor authentication is enabled on the Instagram account.

 

Instagram-Phishing-5Figure 5: Phishing pages where two-factor authentication and backup codes are asked for.

 

A bogus two-step security verification confirmation page is displayed next. If the user confirms by clicking the “YES” button, this is when a backup code is requested. Finally, the last page is shown, and this is where the user’s email address and phone number are collected.

 

Instagram-Phishing-6Figure 6: The final page - where the email address and phone number are collected

 

Other Meta Fake Sites on Bio.site

While conducting this research, we came across other fake Meta sites hosted on Bio Sites. The phishing sites these redirected to, however, are no longer active.

 

Instagram-Phishing-7Figure 7: Other fake Meta sites on Bio Sites

 

Also, we re-accessed the site hxxp://bio[.]site/ignotificationcenters[.]com on figure 3 and the UI has been updated. The redirection was changed as well. These suggest that the cybercriminals behind this phishing are continuously improving their lure.

 

Instagram-Phishing-8Figure 8: The webpage on left side is the updated version of the Bio Sites page shown in figure 3 and this leads to a different fake Meta site

 

Summary

There are so many ways to log in to Instagram now and cybercriminals are taking advantage of this fact. In the scenario we just described, the threat actors have added the user’s backup codes to the list of data that they want to steal.

The data attackers retrieve from this kind of phishing attack can be sold underground or used to take over the account. To prevent this from happening, do not share passwords or codes, and be cautious about how this data is stored. If compromised, change the password or regenerate new backup codes immediately.

When we Look back at the redirection chain we can see the phishers using yet another free web provider, Bio Sites, to host initial phishing content that directs users elsewhere. As always, users need to be extra vigilant when clicking on links, especially because a website from this kind of platform is expected to host external links.

Trustwave MailMarshal provides protection against this phishing email.

 

IOC

hxxps://notifications[.]google[.]com/g/p/ANiao5o1EFnOXe7ZtpiB3GPiSGjA_P9MAahAzZiwf_NPOiblgypFgRvmJNiJE8BYV114DZStcHbGehPWMX3Fv1A-WUMYXzsqasXHSUAXkoE45JCj4i5SxOvwyurHuVlXOgByVR0xRlnsX8-pmOpvVGl2uCjdV3kWjyc2xs2p_585dVP4wfN417eDVprO-jwgU7jtURV-dN6x7ekuU33DHJc7-tN1Pdfhcg

 

hxxps://bio[.]site/ignotificationcenters[.]com

hxxps://bio[.]site/MetaSupportForCenter

hxxps://bio[.]site/lgsecurited

hxxps://bio[.]site/mediacenterbussienshelp

hxxps://bio[.]site/from

 

hxxps://help-copyrightservice[.]com/forms/2394919023

hxxps://metaglobalsecuritys.com/appeal/923759232

hxxps://mediahelpcenters[.]com/status-notification/-33/

hxxps://copyrightforappealform[.]com/344742354/

hxxps://mediacenterbussienshelp[.]ml/

hxxps://metafacebookcenter[.]com/887133/

Latest SpiderLabs Blogs

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More

Tips for Optimizing Your Security Operations Framework

Building an effective Security Operations framework that provides the right balance of people, processes, and technologies can take years.

Read More