Instagram users, pay attention! A scam is rampant on the social network and steals your identifiers and your backup code through a phishing attempt. A way to bypass two-factor authentication…

Social networks are prime targets for cybercriminals. A stolen account is very useful to hackers, who can use it to spread scams on a massive scale – there is a priori no reason to be suspicious of a link sent by a friend or a giveaway run by a favourite influencer – or to gain access to valuable personal data, which can in turn be sold on the dark web. The basic login method – username plus password – is a fairly easy barrier to get around. This is why it is recommended to enable two-factor authentication (2FA), which adds a further layer of protection. The second step can be a code sent by SMS, a USB security key or a code generated by a third-party authenticator app. By the way, if you haven’t already done so, enable it now! Then, even if someone obtains your account password, they will not be able to log in without access to your phone or authenticator app. But hackers have found a way to bypass this additional safeguard for Instagram accounts.

Instagram Scam: Get Account Backup Code

As reported by Bleeping Computer, cybercriminals have launched a campaign aimed at tricking users into handing over their Instagram login credentials and backup codes. As a reminder, a backup code is an eight-digit code issued when two-factor authentication is set up; it can be used to regain access to the account when the normal 2FA check is not possible (change of phone number, lost smartphone, etc.). If a malicious person gets hold of this code, however, they can take over the Instagram account from an unrecognized device simply by knowing the target’s credentials.


Victims receive an email purportedly from Meta, the social network’s parent company, informing them of copyright infringement complaints filed against them. As with every phishing message, it contains a link they are urged to click in order to appeal the decision, but the link leads to a page imitating Meta’s breach portal. A second phishing page, resembling Meta’s “Appeal Center” portal, then collects the victim’s username and password before asking them to confirm whether their account is protected by two-factor authentication. Once they confirm, the target ends up handing over the famous backup code.

All the usual hallmarks of phishing are present: impersonation, a sense of urgency, a questionable URL. Classic, but still effective against unsuspecting users. So be wary of unexpected emails and don’t click on suspicious links. Take the time to examine the small details, starting with the sender’s email address and the URL of the link you are being urged to click. Finally, go directly to the official website rather than following the link.
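The three checks recommended above (sender address, link host, pressure wording) can be automated for a mailbox or a mail gateway. The following is an added example, not code from the article or from Meta: it parses a raw message and flags a sender or link that names the brand but does not resolve to an allow-listed domain. The allow-list, the brand words and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Allow-list of sender/link domains; an assumption for this example, check Meta's own help pages.
TRUSTED_DOMAINS = {"meta.com", "facebook.com", "instagram.com", "facebookmail.com"}
BRAND_WORDS = ("meta", "instagram", "facebook")
# Pressure language typical of the copyright-complaint lure described in the article.
URGENCY = re.compile(r"\b(copyright|infringement|appeal|within \d+ hours|suspend|disabled)\b", re.I)

def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the brand domains above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True) for p in parts if p.get_content_type() == "text/plain"]
    return "\n".join(c.decode("utf-8", "replace") for c in chunks if c)

def assess(raw_email):
    """Return a list of phishing indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_email)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if any(w in display.lower() for w in BRAND_WORDS) and registrable(sender_host) not in TRUSTED_DOMAINS:
        findings.append(f"sender impersonates brand from {sender_host}")
    text = body_text(msg)
    for url in re.findall(r"""https?://[^\s"'<>]+""", text):
        host = urlparse(url).hostname or ""
        if any(w in host for w in BRAND_WORDS) and registrable(host) not in TRUSTED_DOMAINS:
            findings.append(f"lookalike link host {host}")
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        findings.append("urgency or legal-threat wording")
    return findings

# Constructed sample mirroring the lure in the article (not a real message).
LURE = """From: Meta Support <support@meta-appeals-center.com>
Subject: Copyright infringement complaint against your account
Content-Type: text/plain

A copyright infringement complaint was filed against your account. To appeal,
visit https://meta-appeal-center.example/appeal within 24 hours or it will be disabled.
"""

if __name__ == "__main__":
    for finding in assess(LURE):
        print("-", finding)
```

A legitimate notification from an allow-listed domain produces no findings, so the output is a short list of reasons rather than a verdict, which is what a reviewer or SOC triage queue wants.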
