New phishing attack steals your Instagram backup codes to bypass 2FA

Subject : New phishing attack steals your Instagram backup codes to bypass 2FA

Date : 2023-12-20

Information

  Two-factor authentication (2FA) is a security system that requires two distinct forms of identification in order to access something.

  Two-factor authentication can be used to strengthen the security of an online account, a smartphone, or even a door. 2FA does this by requiring two types of information from the user—a password or personal identification number (PIN), a code sent to the user's smartphone (called a message authentication code), or a fingerprint—before whatever is being secured can be accessed.

Figure 1 : Two-factor authentication (2FA)

Incident 

   Cybersecurity solutions giant Trustwave pointed out that a new phishing campaign uses emails posing as Instagram’s parent company, Meta, claiming the recipient’s account is “infringing copyrights.” The attacker also creates a sense of urgency with a message that notes an appeal must be submitted within 12 hours or else the account will be permanently deleted.

   Here’s how it works…

Figure 2 : Portal page of Meta

 Clicking the “Go to appeal form” link redirects the user to an initial phishing site that impersonates Meta’s actual portal for violation appeals. It’s hosted on Bio Sites, Squarespace’s quick-setup landing page platform. This, in combination with a Google notifications link, is presumably to help avoid detection from inbox spam tools and track link clicks.

Figure 3 : Meta fake website

If a user proceeds by clicking the “Go to Confirmation Form (Confirm My Account),” it will redirect to another bogus Meta site, this time to collect account details. The first pieces of information requested from the user are the username and password (twice for whatever reason). After providing login credentials, the user is asked if the account has 2FA enabled.

  Clicking the “YES” button asks for one of the user’s five generated Instagram backup codes. While it’s already possible to seize the account, the last screen prompts for the user’s email address and phone number.

Figure 4 : Malicious websites trick users into entering personal information.

Email continues to be the most common vector for cybercrime and phishing attacks. It’s essential to stay educated on ways to help you identify and avoid malicious emails.

  The most suspicious elements here were the sender’s email (“contact-helpchannelcopyrights[.]com”), which isn’t affiliated with Meta, as well as the Google notifications URL in the appeal form button.

Solution

1.If you still have access to your 2FA codes/keys, there's never a reason to enter your backup codes anywhere other than within the Instagram website or app.

2.If you believe you’ve been compromised, immediately change your password and regenerate new backup codes. This can be done on Instagram by going to Settings and privacy > Accounts Center > Password and security > Two-factor authentication > [Your Instagram account] > Additional methods > Backup codes > Get new codes.

 

The important things is Security systems. We must concern and monitor as usual.
For more information please contact
Email :sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)

 

References

https://www.bleepingcomputer.com/news/security/new-phishing-attack-steals-your-instagram-backup-codes-to-bypass-2fa/

https://9to5mac.com/2023/12/21/instagram-backup-code-phishing/

https://www.instagram.com/thecybersecurityhub/p/C1FkD1JPADp/

https://zipmex.com/th/support/account-management/what-is-two-factor-authentication-2/

 

Weekly Interesting CVE

NO.

CVE Name

Published Date

Last Update

Device/Appplication/OS Target

Attack Type

CVSS
Severity Rating

Detail

Solution

Ref

1

CVE-2023-42327

13/11/2023

12/12/2023

Netgate pfSense

Cross Site Scripting

 

5.4

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

Update to Version 2.7.1

https://nvd.nist.gov/vuln/detail/CVE-2023-42327

2

CVE-2023-41678

13/12/2023

15/12/2023

FortiOS และ FortiPAM

Double free

5.5

A double free in Fortinet FortiOS versions 7.0.0 through 7.0.5, FortiPAM version 1.0.0 through 1.0.3, 1.1.0 through 1.1.1 allows attacker to execute unauthorized code or commands via specifically crafted request.

FortiOS Update to Version 7.0.6
FortiPAM Update to Version 1.1.2

https://nvd.nist.gov/vuln/detail/CVE-2023-41678

3

CVE-2023-48630

13/12/2023

15/12/2023

Adobe Substance 3D Sampler

Out-of-bounds write

7.8

Adobe Substance 3D Sampler versions 4.2.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Update to Version 4.2.2

https://nvd.nist.gov/vuln/detail/CVE-2023-48630

4

CVE-2023-48791

13/12/2023

15/12/2023

FortiPortal

Command injection

8.8

An improper neutralization of special elements used in a command ('Command Injection') vulnerability [CWE-77] in FortiPortal version 7.2.0, version 7.0.6 and below may allow a remote authenticated attacker with at least R/W permission to execute unauthorized commands via specifically crafted arguments in the Schedule System Backup page field.

Update to Version 7.2.1 and 7.0.7

https://nvd.nist.gov/vuln/detail/CVE-2023-48791

 

5

CVE-2023-6707

14/12/2023

15/12/2023

Google Chrome

Use After Free

8.8

Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Update to Version
120.0.6099.109

https://nvd.nist.gov/vuln/detail/CVE-2023-6707

 

28 December 2023

Viewed 332 time

Engine by shopup.com