A new Instagram phishing campaign targets account backup codes in addition to credentials, expanding what the thieves collect beyond login data alone. Trustwave SpiderLabs details a chain that uses fake Meta sites hosted on Bio Sites to harvest usernames, passwords, 2FA status, backup codes, and contact information, and gives users guidance on protecting themselves. #InstagramPhishing #BioSites
Keypoints
- A new Instagram phishing variant extends data theft to include backup codes along with credentials.
- The attack uses urgency (a 12-hour deadline to file an appeal) and an "appeal form" button to drive victims to a fake Meta site.
- The lure masquerades as Meta: the sender domain does not belong to Meta or Instagram, and the button links through a Google notifications URL rather than to an Instagram address.
- Fake Meta sites are hosted on Bio Sites (a Squarespace-like platform) to funnel users to phishing pages.
- The form sequence collects username, password (twice), 2FA status, backup codes, email, and phone number, with data sent to attackers.
- Observations include multiple fake Meta sites on Bio Sites and ongoing lure improvements; protection via Trustwave MailMarshal is noted and user guidance is provided.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The email pressures the recipient into clicking the "appeal form" link under a 12-hour deadline. "The attacker attempts to create a sense of urgency with the message that an appeal must be filed within 12 hours by clicking the "appeal form" button in the email, or else the account will be permanently deleted."
- [T1036] Masquerading – The sender’s domain “contact-helpchannelcopyrights[.]com” does not belong to Meta or Instagram. “the sender’s domain “contact-helpchannelcopyrights[.]com” does not belong to Meta or Instagram”
- [T1041] Exfiltration Over C2 Channel – Each step of the phishing form sequence submits the entered data to attacker-controlled infrastructure before the next prompt is shown. "every time the user clicks continue, data is sent to the spammers."
Indicators of Compromise
- [URL] Phishing workflow URLs – hxxps://notifications[.]google[.]com/g/p/ANiao5o1EFnOXe7ZtpiB3GPiSGjA_P9MAahAzZiwf_NPOiblgypFgRvmJNiJE8BYV114DZStcHbGehPWMX3Fv1A-WUMYXzsqasXHSUAXkoE45JCj4i5SxOvwyurHuVlXOgByVR0xRlnsX8-pmOpvVGl2uCjdV3kWjyc2xs2p_585dVP4wfN417eDVprO-jwgU7jtURV-dN6x7ekuU33DHJc7-tN1Pdfhcg
- [URL] Bio Sites landing page for the initial lure – hxxps://bio[.]site/ignotificationcenters[.]com
- [Domain] Hosting/infrastructure domains – bio[.]site (legitimate Bio Sites platform abused for hosting), contact-helpchannelcopyrights[.]com, help-copyrightservice[.]com, metaglobalsecuritys[.]com, copyrightforappealform[.]com
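The key points and the technique list above describe three signals a mail-filtering or SOC triage step can check for: a sender domain that is not Meta's, urgency language built around a 12-hour appeal deadline, and a button that routes through a Google notifications redirector or a Bio Sites page on the way to the fake Meta site. The following script is an added example written for this summary, not code from Trustwave SpiderLabs or from MailMarshal. It parses a raw email, extracts the sender domain and every URL in the body, and scores those signals against the indicator domains listed above. The allowlist of legitimate Meta sender domains, the urgency patterns and the two sample messages are assumptions constructed for the example; the Google redirect token in the sample is a placeholder, not the indicator URL above.

```python
"""Triage the Instagram copyright-appeal lure described in the summary above.

Added example (not Trustwave SpiderLabs code). It flags three signals the
report describes: a non-Meta sender domain, urgency language around a
12-hour appeal deadline, and links that hop through the Google
notifications redirector or a Bio Sites page. Sample messages are
constructed; only the attacker domains come from the indicator list.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains that legitimately send Instagram/Meta mail.
# A deployment should use its own vetted list, not this hard-coded set.
LEGIT_SENDER_DOMAINS = {"mail.instagram.com", "facebookmail.com"}

# Attacker-controlled domains from the indicator list above.
IOC_DOMAINS = {
    "contact-helpchannelcopyrights.com",
    "help-copyrightservice.com",
    "metaglobalsecuritys.com",
    "copyrightforappealform.com",
}

# Legitimate services abused as hops in this chain (Google notification
# redirect, Bio Sites landing page). A link to them is a signal, not proof.
REDIRECT_HOSTS = {"notifications.google.com", "bio.site"}

# Pressure language the lure uses: a deadline, an "appeal form" call to
# action and the threat of permanent deletion.
URGENCY_PATTERNS = [
    re.compile(r"\bwithin\s+\d+\s*hours?\b", re.I),
    re.compile(r"\bappeal\s+form\b", re.I),
    re.compile(r"\bpermanently\s+(?:deleted|disabled|removed)\b", re.I),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _domain_matches(host: str, domains: set[str]) -> bool:
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_text(msg) -> str:
    """Concatenate the text of every leaf part (single-part or multipart)."""
    if msg.is_multipart():
        return "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    return str(msg.get_payload())


def triage(raw_email: str) -> dict:
    """Return the signals found in one message plus a verdict."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = _body_text(msg)
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)]

    findings = {
        "sender_domain": sender,
        "sender_is_meta": _domain_matches(sender, LEGIT_SENDER_DOMAINS),
        "ioc_domains": sorted({h for h in [sender, *hosts] if _domain_matches(h, IOC_DOMAINS)}),
        "redirect_hosts": sorted({h for h in hosts if _domain_matches(h, REDIRECT_HOSTS)}),
        # First match per pattern, so the count says how many pressure cues are present.
        "urgency": [m.group(0) for m in (p.search(body) for p in URGENCY_PATTERNS) if m],
    }
    any_signal = findings["ioc_domains"] or findings["redirect_hosts"] or findings["urgency"]
    if findings["ioc_domains"] or (not findings["sender_is_meta"] and any_signal):
        findings["verdict"] = "likely-phish"
    elif any_signal:
        findings["verdict"] = "review"   # Meta sender but suspicious content: hand to an analyst
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed sample modelled on the lure above; the redirect token is a placeholder.
PHISH_SAMPLE = """\
From: Instagram Support <support@contact-helpchannelcopyrights.com>
To: victim@example.com
Subject: Copyright infringement report - action required

We received a copyright complaint against your account. Submit an appeal
form within 12 hours or your account will be permanently deleted.
Appeal form: https://notifications.google.com/g/p/EXAMPLE-TOKEN
"""

# Constructed benign message for contrast.
BENIGN_SAMPLE = """\
From: Instagram <security@mail.instagram.com>
To: user@example.com
Subject: New login to your account

We noticed a new login from a device you have used before.
Review your login activity: https://www.instagram.com/accounts/login_activity/
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```

The verdict treats any hit on the indicator domains as decisive, while the redirector and urgency cues only tip the balance when the sender is not a known Meta domain; a genuine Meta notice that happens to mention a deadline lands in "review" rather than being blocked outright. Note that the Google notifications URL and bio.site are legitimate services, so blocking those hosts wholesale would break unrelated mail; matching them is useful only in combination with the other signals.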