Fri. Jun 5th, 2020

Instagram Phishing Campaign Uses Two-Factor Authentication as Bait

Researchers at security firm Sophos warn about a new Instagram phishing scam that uses two-factor authentication to lure potential victims into handing over sensitive information, Bleeping Computer reports.


The malicious actors behind the scam use fake Instagram login alerts stating that someone attempted to log in to the target’s account. Then they ask the target to confirm their identity via a fraudulent sign-in page linked within the message.


In a blog post, Paul Ducklin from Sophos said, “apart from a few punctuation errors and the missing space before the word ‘Please,’ this message is clean, clear and low-key enough not to raise instant alarm bells.


Even more, to appear like a legitimate Instagram alert, the threat actors also include a second authentication “code” for identity confirmation.


“The use of what looks like a 2FA code is a neat touch: the implication is that you aren’t going to need to use a password, but instead simply to confirm that the email reached you,” Ducklin adds.


Also worth noting, the fraudulent sign-in landing page is perfectly designed to look like the official Instagram login page — secured with a valid HTTPS certificate and displaying a green padlock.


But one downside to the website is that it does not display the domain in the web browser’s address bar. Instead, the phishers use a .CF domain (the country code top-level domain for the Central African Republic).


“If we had to guess, we’d suggest that the crooks didn’t get quite as believable a name as they wanted because they went for a free domain name,” explains Ducklin.


So, how can you protect yourself from this scam?


“To avoid falling for an Instagram phishing scam like this one, you should never enter your sign-in credentials if the page asking you to log in does not belong to the web site.”