
Instagram phishing scam uses fake 2FA code to appear trustworthy

Researchers recently spotted a sneaky phishing scam that uses a phony two-factor authentication request to trick email recipients into entering their Instagram login credentials.

"Someone tried to log in to your Instagram account. If this wasn't you, please use the following code to confirm your identity," according to the fraudulent email, which provides a six-digit code that supposedly must be entered after the prospective victim clicks on a link that leads to what appears to be a login page.

"The use of what looks like a 2FA code is a neat touch: the implication is that you aren’t going to need to use a password, but instead simply to confirm that the email reached you," explains Sophos senior technologist Paul Ducklin, in an Aug. 23 company blog post. "And two-factor authentication codes kind of ooze cybersecurity – because, well, because 2FA," he continues.

But if the email recipient clicks the link, they are actually taken to a malicious .CF (Central African Republic) domain that hosts a convincing impersonation of the real Instagram login screen, complete with a valid HTTPS certificate. The padlock only proves the connection to the phishing site is encrypted; it says nothing about who operates that site.

"A phishing campaign that uses fake 2FA response gives the illusion of a secure communication, but in reality, it is the exact opposite. It's almost like social engineering, in which someone wants to do the right thing, but doesn't think it all the way through," said Dan Conrad, field strategist at One Identity, in emailed comments. "Emails coming from an Instagram impostor are just a small indicator of the types of attacks and damage that could be possible in the future."

However, there were still some signs that gave away the Instagram scam. For starters, emails that offer recipients links for logging in to an online service should be treated as a red flag. Recipients can always go directly to the service's website or app to log in, and should use the service's official procedure for checking past login activity rather than a link supplied in a message. Furthermore, the .CF domain is unusual for a major service, and it even spells "login" incorrectly. The phishing email body also contains one notable punctuation error (although it is otherwise clean).
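The tells listed above can be turned into a mechanical check. The script below is an added example written for this page, not code from the article or from Sophos: it pulls the URLs out of a message body and scores each one against the heuristics the text describes (a link that leads to a login page at all, a brand name on a domain the brand does not own, an unusual ccTLD, and a near-miss spelling of "login" in the hostname). The official-domain set, token lists, suspect-TLD set and the sample hostname are all assumptions constructed for the demonstration; the real campaign's domain is not named in the article and is not reproduced here.

```python
import re
from urllib.parse import urlparse

# Example heuristics, not code from the article or from Sophos. The brand's
# official domain list, the token lists and the "suspect" TLD set are
# assumptions chosen for this demonstration.
OFFICIAL_DOMAINS = {"instagram.com"}
BRAND_TOKENS = {"instagram"}
LOGIN_TOKENS = {"login", "signin", "verify", "confirm", "2fa", "auth"}
SUSPECT_TLDS = {"cf", "tk", "ml", "ga", "gq"}  # free ccTLDs often abused (assumption)

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")
TOKEN_RE = re.compile(r"[a-z0-9]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as 'logln'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Naive: production code should use a
    public-suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(url: str) -> list[str]:
    """Return the red flags raised by one link; an empty list means none."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["URL has no hostname"]
    host_tokens = TOKEN_RE.findall(host)
    path_tokens = TOKEN_RE.findall(parsed.path.lower())
    flags = []

    # 1. Any link that leads to a login/verification page is itself a red flag:
    #    the recipient can always open the app or site directly instead.
    if LOGIN_TOKENS & set(host_tokens + path_tokens):
        flags.append("email link leads to a login/verification page")

    reg = registered_domain(host)
    if reg not in OFFICIAL_DOMAINS:
        # 2. Brand name (or a near-miss of it) on a domain the brand does not own.
        if any(t in BRAND_TOKENS or (len(t) >= 7 and levenshtein(t, "instagram") <= 2)
               for t in host_tokens):
            flags.append(f"brand name used on non-official domain {reg}")
        # 3. Account pages of a major service on a free/obscure ccTLD.
        tld = host_tokens[-1]
        if tld in SUSPECT_TLDS:
            flags.append(f"unusual top-level domain .{tld}")

    # 4. A misspelled 'login' label is a classic tell ('logln', 'log1n', 'loign').
    for t in host_tokens:
        if len(t) >= 5 and t != "login" and levenshtein(t, "login") == 1:
            flags.append(f"misspelled 'login' label '{t}'")
    return flags


def suspicious_links(email_body: str) -> dict[str, list[str]]:
    """Map every flagged URL in the message body to its list of red flags."""
    return {u: f for u in URL_RE.findall(email_body) if (f := assess_link(u))}


# Constructed sample message modelled on the lure quoted above; the hostname is
# invented for this example and is not the domain from the real campaign.
SAMPLE_EMAIL = """Someone tried to log in to your Instagram account.
If this wasn't you, please use the following code to confirm your identity: 482913
Confirm here: https://instagram-logln-confirm.example-phish.cf/verify
Read our safety tips: https://help.instagram.com/
"""

if __name__ == "__main__":
    for url, flags in suspicious_links(SAMPLE_EMAIL).items():
        print(url)
        for flag in flags:
            print("  -", flag)
```

Run against the constructed sample, the lure's "confirm" link trips all four heuristics while the link to the official help site raises none. The registered-domain comparison is the check that matters most: the HTTPS padlock, the brand name in the hostname and the polished page are all things the attacker controls, whereas ownership of instagram.com is not.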

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
