Doubleswitch Spreads Disinformation via Verified Social Accounts

Hackers are hijacking verified social media accounts to spread disinformation in the global “Doubleswitch” campaign.

“Activists around the world rely on social media platforms like Facebook and Twitter to communicate and advocate for their rights in repressive regimes,” Access Now noted in an analysis of the attacks. “Attackers who gain control of an account can silence and embarrass critics, and can also create uncertainty and spread misinformation. These hijacking attacks harm users at risk, including journalists, activists and human rights defenders.”

According to Access Now’s Digital Security Helpline, the victims in this campaign don’t just lose control of their social media accounts. They also have a harder time recovering these accounts, and in some cases, they never get them back.

“These attacks are evolving, and proving much harder to resolve,” the firm said. “In Venezuela, Bahrain, Myanmar and elsewhere, activists who try to recover their social media accounts using standard recovery processes can remain locked out.”

Access Now first became aware of the attacks while working with activists in Venezuela who have protested a presidential decree authorizing surveillance and censorship online. Journalist Milagros Socorro reported that her Twitter account had been hijacked, as did Miguel Pizarro, a human rights defender and a member of Venezuela’s parliament. Both accounts were “verified” and marked with a blue seal in the user’s profile.

The group found that once the hijackers gained access to a victim’s Twitter account (it is unclear how), they changed the password and the associated email address, and then changed the account’s username. From there, they exploited a feature that allows Twitter to recycle unused usernames.

As Access Now explained:

“After changing the credentials of the accounts, the hijackers registered Twitter accounts using the original usernames, which were now freely available, and connected the accounts to a new email address. They were then able to impersonate Socorro and Pizarro. When these victims attempted to recover their accounts, Twitter’s confirmation emails went to the hijackers, who pretended that the issue had been resolved. The hijackers then proceeded to delete one of the original accounts, making it even harder for the victim to recover it.”

The hackers went on to spread false information and delete legitimate tweets.

“This new form of hijacking attack is not unique to Twitter, nor is it happening only in Venezuela,” Access Now noted. “Our helpline confirms that it can also work on Facebook and Instagram. The key to a hijacker’s success, however, is the same: The attack renders the standard recovery mechanisms useless, allowing the attacker to maintain control of the victim’s account for a longer period of time.”

Users at risk should enable multi-factor authentication to prevent adversaries from taking control of an account in the first place, and beware of phishing attempts. 
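A monitoring check for the rename-then-re-register pattern described above, as an added example that is not from Access Now or Infosecurity Magazine. It assumes the platform exposes a stable numeric account ID that survives username changes and that you keep periodic handle-to-ID snapshots for the accounts you protect; the handles, IDs and observations below are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    day: int         # when the snapshot was taken (constructed)
    handle: str      # public username seen at that time
    account_id: int  # assumed: stable platform ID that survives renames


def find_doubleswitch(baseline, observations):
    """Flag both halves of the pattern against a trusted baseline.

    baseline maps each protected handle to the account ID that owned it
    when it was last verified out of band.
    """
    owner_of = {h.lower(): aid for h, aid in baseline.items()}
    handle_of = {aid: h for h, aid in owner_of.items()}
    findings, seen = [], set()
    for obs in sorted(observations, key=lambda o: o.day):
        handle = obs.handle.lower()
        expected = handle_of.get(obs.account_id)
        if expected is not None and handle != expected:
            # Half 1: the trusted account was renamed, freeing its handle.
            event = ("renamed", expected, handle)
        elif owner_of.get(handle, obs.account_id) != obs.account_id:
            # Half 2: the protected handle now belongs to a different ID.
            event = ("rebound", handle, obs.account_id)
        else:
            continue
        if event not in seen:  # report each event once, at first sighting
            seen.add(event)
            findings.append((obs.day,) + event)
    return findings


# Constructed sample data: one account follows the pattern, one is untouched.
BASELINE = {"Reporter_A": 1001, "Deputy_B": 1002}
OBSERVATIONS = [
    Observation(1, "Reporter_A", 1001), Observation(1, "Deputy_B", 1002),
    Observation(2, "reporter_a_x", 1001), Observation(2, "Deputy_B", 1002),
    Observation(3, "Reporter_A", 9001), Observation(3, "Deputy_B", 1002),
    Observation(4, "Reporter_A", 9001),
]

if __name__ == "__main__":
    for finding in find_doubleswitch(BASELINE, OBSERVATIONS):
        print(finding)
```

A "rebound" finding means recovery emails for that handle may now reach whoever registered the new account, so escalation should reference the original account ID rather than the username.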
