SpiderLabs Blog

Instagram Phishing Targets Backup Codes

Recently, we noticed another strain of Instagram “Copyright Infringement” phishing emails in our spam traps. In this version, in addition to targeting Instagram credentials, the cybercriminals also aim to obtain the victim’s Instagram backup codes. This campaign is an enhanced version of what we reported on the SpiderLabs blog titled “Insta-Phish-A-Gram”.

Our recent finding follows the same theme. In that earlier campaign the newly collected item was the victim's phone number; this time the phishers have added a further type of user information, the backup codes.

If two-factor authentication is enabled, Instagram requires a code before a login from an unrecognized device is accepted. If the device or email address that receives the code is no longer accessible, the user's backup codes can be used instead. Backup codes consist of five 8-digit numbers. Each code can be used only once, and the entire list can be regenerated at any time from within the logged-in Instagram account.
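As an added illustration (not code from the original post, and not Instagram's implementation), the Python below models the lifecycle the paragraph describes: a list of five 8-digit codes, each redeemable once, with the whole list replaceable at any time. The salted-hash storage scheme and the class and function names are assumptions made for this example. It makes the security point concrete: a code phished from the victim remains a valid second factor until it is either consumed or the list is regenerated, which is why regeneration is the right response to compromise.

```python
import hashlib
import hmac
import secrets

# Added example, not Instagram's code: the storage scheme (per-list salt + SHA-256)
# and the names below are assumptions for illustration.
CODE_COUNT = 5
CODE_DIGITS = 8


def generate_codes(count=CODE_COUNT, digits=CODE_DIGITS):
    """Return `count` fresh, zero-padded numeric codes of `digits` digits each."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def _digest(salt, code):
    """Hash a code under the current list's salt; only digests are ever stored."""
    return hashlib.sha256(salt + code.encode("ascii")).hexdigest()


class BackupCodeStore:
    """Server-side view of one user's backup codes.

    Only salted digests are kept, a code disappears the first time it is
    redeemed, and regenerate() replaces the salt so every old code dies at once.
    """

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._digests = set()

    def regenerate(self):
        """Invalidate every outstanding code and return a new list to show the user."""
        self._salt = secrets.token_bytes(16)
        codes = generate_codes()
        self._digests = {_digest(self._salt, c) for c in codes}
        return codes

    def redeem(self, code):
        """True exactly once for each valid code; False for unknown or used codes."""
        candidate = _digest(self._salt, code.strip())
        for stored in list(self._digests):
            if hmac.compare_digest(stored, candidate):
                self._digests.remove(stored)
                return True
        return False

    def remaining(self):
        """How many codes are still usable (what the phisher hopes is greater than zero)."""
        return len(self._digests)


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.regenerate()
    stolen = codes[0]                                          # typed into the fake form
    print("stolen code works:", store.redeem(stolen))          # True
    print("replay works:", store.redeem(stolen))               # False, single use
    store.regenerate()                                         # victim's remediation
    print("other stolen codes still work:", store.redeem(codes[1]))  # False
```

The `__main__` section walks through the attack and the remediation: the first stolen code logs the attacker in, the same code cannot be replayed, and once the victim regenerates the list every other code the phishing form captured is dead.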

 

Figure 1: Instagram's backup codes

 

The Initial Vector

The email, which claims to be from Instagram’s parent company, Meta, insinuates that the recipient’s Instagram account infringed copyrights. The attacker attempts to create a sense of urgency with the message that an appeal must be filed within 12 hours by clicking the “appeal form” button in the email, or else the account will be permanently deleted. Once the user clicks on the button, they are redirected to a fake Meta site.

  

Figure 2: Instagram copyright infringement themed phishing email containing a Google notification link

On closer examination of the email, the following suspicious elements are apparent:

  • the sender’s domain “contact-helpchannelcopyrights[.]com” does not belong to Meta or Instagram
  • the appeal button is labelled “Go to appeal form” but referred to in the preceding text as “Go to Form”
  • the appeal form button links to a Google Notification URL
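The three tells above can be checked mechanically. The Python below is an added example, not part of the original post or of any Trustwave product. It runs over a constructed copy of the lure (the addresses, body text and redirector path are made up for this example), and the sets of legitimate brand domains and known redirector hosts are assumptions to be replaced with your own. The button-label check is a heuristic: it flags any quoted button name in the visible text that no actual link carries.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not from the original post. The domain sets are assumptions;
# replace them with the brands and redirectors relevant to your environment.
LEGITIMATE_DOMAINS = {"instagram.com", "facebookmail.com", "meta.com"}
KNOWN_REDIRECTORS = {"notifications.google.com"}

# Constructed lure modelled on the one described above (addresses and path are made up).
SAMPLE_EMAIL = """\
From: Meta Support <noreply@contact-helpchannelcopyrights.com>
To: victim@example.org
Subject: Copyright infringement notice
Content-Type: text/html

<html><body>
<p>Your account will be permanently deleted unless you appeal within 12 hours
by clicking "Go to Form".</p>
<a href="https://notifications.google.com/g/p/EXAMPLE">Go to appeal form</a>
</body></html>
"""


def _on_brand(host):
    """True for a brand domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


class _BodyCollector(HTMLParser):
    """Collects (href, label) for each anchor plus the visible text of the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def analyse(raw_message):
    """Return a list of findings for one message; an empty list means no tell fired."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender domain is not one the brand actually mails from.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain and not _on_brand(sender_domain):
        findings.append(f"sender domain {sender_domain} is not a Meta/Instagram domain")

    collector = _BodyCollector()
    collector.feed(msg.get_payload())

    # 2. Call-to-action links pass through a redirector or leave the brand entirely.
    for href, label in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if host in KNOWN_REDIRECTORS:
            findings.append(f"link '{label}' goes through redirector {host}")
        elif not _on_brand(host):
            findings.append(f"link '{label}' points off-brand to {host}")

    # 3. The text names a button that no link is actually labelled with.
    labels = {label for _, label in collector.links}
    for quoted in re.findall(r'"([^"]+)"', "".join(collector.text)):
        if quoted not in labels:
            findings.append(f'text refers to a "{quoted}" button but no link carries that label')
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, `analyse()` produces one finding per tell: the off-brand sender domain, the call-to-action routed through notifications.google.com, and the "Go to Form" wording that matches no button. A message from a brand domain whose links stay on-brand produces an empty list.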

 

Fake Meta Sites

When the user clicks the appeal form button in the email, they are redirected to a site hosted on Bio Sites, a Squarespace platform that offers quick and easy creation of a one-page website. Users can track the traffic on their Bio Sites webpages and monetize their digital content.

 

Figure 3: Both fake Meta sites; the site on the left redirects to the actual phishing site, the page on the right

 

The site bio[.]site/ignotificationcenters[.]com is masquerading as Meta’s central portal for violations and echoes the theme in the phishing email. This site serves as the bridge to the actual phishing website to which the user is redirected if they click the button “Go to Confirmation Form (Confirm My Account)”.

The phishing site help-copyrightservice[.]com/forms/2394919023, which poses as a fake Meta “Appeal Center” portal, is hosted on a newly created domain. Once the user clicks the “CONTINUE” button, a series of prompts asks for specific user information. Every time the user clicks continue, the data entered so far is sent to the spammers, so partial submissions are captured even if the victim abandons the form part way through. The only validation the site performs is to reject an empty input box.

 

Figure 4: The phishing pages where the username and password are collected

 

The first pieces of information requested from the user are the username and password. The password is requested twice, perhaps in the hope that the user will submit another often-used password. After providing the passwords, the user is asked whether two-factor authentication is enabled on the Instagram account.

 

Figure 5: Phishing pages asking whether two-factor authentication is enabled and for a backup code

 

A bogus two-step security verification confirmation page is displayed next. If the user confirms by clicking the “YES” button, a backup code is requested. Finally, the last page collects the user's email address and phone number.

 

Figure 6: The final page, where the email address and phone number are collected

 

Other Meta Fake Sites on Bio.site

While conducting this research, we came across other fake Meta sites hosted on Bio Sites. The phishing sites these redirected to, however, are no longer active.

 

Figure 7: Other fake Meta sites on Bio Sites

 

We also re-accessed the site hxxp://bio[.]site/ignotificationcenters[.]com from Figure 3 and found that the UI had been updated and the redirection changed. This suggests that the cybercriminals behind this phishing are continuously improving their lure.

 

Figure 8: The webpage on the left is the updated version of the Bio Sites page shown in Figure 3; it leads to a different fake Meta site

 

Summary

There are so many ways to log in to Instagram now and cybercriminals are taking advantage of this fact. In the scenario we just described, the threat actors have added the user’s backup codes to the list of data that they want to steal.

The data attackers retrieve from this kind of phishing attack can be sold underground or used to take over the account. To prevent this from happening, do not share passwords or codes, and be cautious about how this data is stored. If compromised, change the password or regenerate new backup codes immediately.

Looking back at the redirection chain, we can see the phishers using yet another free web provider, Bio Sites, to host initial phishing content that directs users elsewhere. As always, users need to be extra vigilant when clicking on links, especially because a page on this kind of platform is expected to host external links, so an outbound redirect from it looks perfectly normal.

Trustwave MailMarshal provides protection against this phishing email.

 

IOC

hxxps://notifications[.]google[.]com/g/p/ANiao5o1EFnOXe7ZtpiB3GPiSGjA_P9MAahAzZiwf_NPOiblgypFgRvmJNiJE8BYV114DZStcHbGehPWMX3Fv1A-WUMYXzsqasXHSUAXkoE45JCj4i5SxOvwyurHuVlXOgByVR0xRlnsX8-pmOpvVGl2uCjdV3kWjyc2xs2p_585dVP4wfN417eDVprO-jwgU7jtURV-dN6x7ekuU33DHJc7-tN1Pdfhcg

 

hxxps://bio[.]site/ignotificationcenters[.]com

hxxps://bio[.]site/MetaSupportForCenter

hxxps://bio[.]site/lgsecurited

hxxps://bio[.]site/mediacenterbussienshelp

hxxps://bio[.]site/from

 

hxxps://help-copyrightservice[.]com/forms/2394919023

hxxps://metaglobalsecuritys[.]com/appeal/923759232

hxxps://mediahelpcenters[.]com/status-notification/-33/

hxxps://copyrightforappealform[.]com/344742354/

hxxps://mediacenterbussienshelp[.]ml/

hxxps://metafacebookcenter[.]com/887133/
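As an added example (not from the original post), the Python below refangs a subset of the IOCs above and matches them against constructed proxy-log lines. Shared platforms such as bio.site and the Google notification redirector are matched on host plus path so that unrelated Bio Sites pages are not flagged, while the attacker-registered domains are matched on host alone so any path on them is caught. The log format and the SHARED_HOSTS set are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the original post. A subset of the IOCs listed above;
# the log format and the SHARED_HOSTS set are assumptions made for this example.
RAW_IOCS = [
    "hxxps://bio[.]site/ignotificationcenters[.]com",
    "hxxps://bio[.]site/MetaSupportForCenter",
    "hxxps://help-copyrightservice[.]com/forms/2394919023",
    "hxxps://mediahelpcenters[.]com/status-notification/-33/",
    "hxxps://metafacebookcenter[.]com/887133/",
]

# Hosts shared with legitimate users: match host + path, never the bare host.
SHARED_HOSTS = {"bio.site", "notifications.google.com"}

# Constructed proxy-log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2024-04-15T09:12:01Z 10.0.0.7 GET https://bio.site/ignotificationcenters.com 200
2024-04-15T09:12:04Z 10.0.0.7 GET https://help-copyrightservice.com/forms/2394919023 200
2024-04-15T09:12:09Z 10.0.0.7 POST https://help-copyrightservice.com/forms/submit 200
2024-04-15T09:13:30Z 10.0.0.9 GET https://bio.site/legit-creator-page 200
2024-04-15T09:14:02Z 10.0.0.9 GET https://www.instagram.com/ 200
"""


def refang(url):
    """Turn the defanged hxxp://x[.]y form back into a real URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def build_matchers(raw_iocs):
    """Split IOCs into bare hosts (attacker-registered) and (host, path) pairs (shared)."""
    hosts, paths = set(), set()
    for ioc in raw_iocs:
        parts = urlsplit(refang(ioc))
        host = (parts.hostname or "").lower()
        if host in SHARED_HOSTS:
            paths.add((host, parts.path.rstrip("/")))
        else:
            hosts.add(host)
    return hosts, paths


def matches(url, hosts, paths):
    """True if the URL's host is an IOC host, or host + path prefix is a shared-host IOC."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in hosts:
        return True
    path = parts.path.rstrip("/")
    return any(host == h and (path == p or path.startswith(p + "/")) for h, p in paths)


def scan_log(text, raw_iocs=RAW_IOCS):
    """Return (timestamp, client, url) for every log line that touches an IOC."""
    hosts, paths = build_matchers(raw_iocs)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _method, url = fields[:4]
        if matches(url, hosts, paths):
            hits.append((timestamp, client, url))
    return hits


if __name__ == "__main__":
    for timestamp, client, url in scan_log(SAMPLE_LOG):
        print(timestamp, client, url)
```

On the constructed log, the three requests from 10.0.0.7 are flagged (the Bio Sites bridge page, the appeal form, and a later POST to the same attacker domain), while the unrelated Bio Sites page visited by 10.0.0.9 is not, which is the behaviour you want before turning a list like this into a block rule.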
