Security research group Access Now has discovered a clever attack being used against influential social media users as a means of disseminating fake news. The “Doubleswitch” not only involves hijacking verified accounts but makes it extremely difficult for the legitimate owner to regain control of their handle.
According to the report, activists and journalists in Venezuela, Bahrain, Myanmar, and elsewhere have been targeted with this method. The goal to spread misinformation and silence the target, but the attackers are also deleting older posts that they don’t like.
The idea of the Doubleswitch is pretty simple. The hacker takes control of a verified account through the usual methods like email phishing. Then, the hacker changes the email and password on the account. Let’s say the victim is New York Times reporter Maggie Haberman (@maggieNYT), who has 491,000 followers. The first switch comes when the hacker changes her account name to Bernie Sanders and changes her handle to @BernieSander, a single letter being different than the real Bernie. Now, the hacker has an account with a lot of followers who might trust Bernie and the account appears to be legitimate. Meanwhile, Haberman has been locked out of her account and automated recovery is contacting the hacker’s email who informs Twitter that everything is fine.
The second switch comes when the hacker starts a new account with the handle @maggieNYT and name Maggie Haberman. Now, they have Haberman’s legitimate-looking but unverified account. The hacker proceeds to disseminate fake news through both accounts and users click retweet as they go about their day.
Twitter does have a form for reporting issues that will be reviewed by humans but it’s a slower process. And this problem isn’t just relegated to Twitter but all social media that offers verification. The best defense against it is two-factor authentication. But in some countries, like Venezuela which is where Access Now found the first instance of the technique, activists and journalists avoid associating personal information with the account. What Access Now suggests is that these services should be more proactive in offering other forms of multi-factor authentication, like an app-based solution.