Instagram2FA.png

Scam of the Week: New Instagram phishing scam tricks users with fake 2FA codes

Instagram users have become a popular target for phishing scams but in a devious new twist, attackers are using the lure of two-factor authentication (2FA) to trick victims into entering their login credentials.

The fraudulent email informs the user that there has been an unauthorised login attempt on their account and that in order to prove their identity, they should enter their details on what appears to be an official Instagram login page.

To add further legitimacy to their scam, the crooks have included a six-digit code that must be entered when the user logs in to validate their account. Two-factor authentication provides an extra layer of security on an account as a second piece of information is required to confirm the user’s identity.

The sneaky addition of what appears to be an official 2FA code will be enough to dupe many users into falling for the scam. If the user clicks on the link, they are directed to a .cf domain that appears almost identical to the real Instagram login page.

The site also comes complete with a valid HTTPS certificate and a green padlock, another cunning way to trick the user into thinking they are on a safe and secure site.

Image: Real Instagram Login page compared to the fake page (Source: Naked Security)

Real Instagram login page vs fake

Despite appearing entirely legitimate, there are some red flags that should immediately alert the user that all is not as it seems. Instead of displaying the official Instagram.com domain in the web browser’s address bar, the crooks use a .CF domain from the Central African Republic. These domains are cheap and easily available which makes them a huge draw to hackers. There are also a few minor punctuation and spelling errors upon closer inspection of the email.

With 1 billion users worldwide, Instagram has become a rich hunting ground for phishing attacks. Within the space of six months, we've had the 'Nasty List scam', 'Hot List scam', 'verified badges scam' and the more recent Rayban Phishing scam that tricked users with the lure of cheap sunglasses.

It’s become apparent that as we become more knowledgeable about traditional phishing scams, attackers have had to evolve and become more sophisticated in their approach to scamming us. This is evident as 58% of phishing sites now feature HTTPS certificates and green padlocks. This was always used as a benchmark to indicate a safe and secure site, but unfortunately, users cannot solely rely on this method as a way to confirm a site’s authenticity.

To avoid being phished on Instagram, users should never click on a sign-in link received via email, always check for an unexpected domain name, and ignore emails that are threatening or urgent in nature. If you are concerned your account has been compromised, go directly to the Instagram support pages for further advice.

Phishing is the number one cause of all cyber-attacks and continues to prove one of the easiest ways to steal valuable data and deliver malware. MetaPhish has been created to provide a powerful defence against these threats and enables organisations to find out just how susceptible their company is to attack. If you would like to find out more about how MetaPhish can be used to protect your business, then get in touch for further information.