Researchers from Access Now’s Digital Security Helpline – a service designed to help keep people secure online – have discovered a troubling new cyberattack targeted at social media accounts. The attack is being referred to as Doubleswitch. It leaves victims completely locked out of their social media account – often without the hope of being able to get the account back.
Once the attacker has gained control of a social media account, they rename it and then use it to spread false news. So far the attack has mainly been used to rename Twitter accounts, but Doubleswitch can equally be used against users on Facebook and Instagram.
Access Now’s team first noticed the attack victimizing activists in Venezuela. However, it has also been reported in Myanmar, Bahrain, and other areas where political activism is underway.
Venezuela is currently in the middle of a national crisis. The socialist country is suffering from a severe economic downturn, which has led to massive food crises in the last year. Inflation is at an all-time high in the country, and purchasing even the most basic of commodities requires large sums of money. In addition, the government has passed legislation to restrict people’s activities online and to permit government surveillance.
These circumstances have led to a massive wave of lawlessness at the hands of criminal gangs, and there have been large demonstrations in the country. Some activists have risen to prominence, and it is the social media accounts of those people that have been targeted by hackers using the Doubleswitch attack.
According to Access Now, in January 2017 its team received a call from well-known Venezuelan journalist Milagros Socorro. Four weeks later, the Digital Security Helpline learned of a member of parliament, Miguel Pizarro, who had also been targeted due to his involvement in human rights activism.
On both occasions, the activists’ Twitter accounts were taken over by hackers who used the accounts to spread false news. At 12:01 am on 9 January, a Venezuelan man named Melanio Escobar tweeted the following message in Spanish:
“For those that still don’t know, the Twitter and Facebook accounts of @MilagrosSocorro have been hacked since this morning. Attentiveness required.”
New and Dangerous Cyberattack
In its blog post on the subject, Access Now reveals that nowadays up to 20% of the requests that it handles involve the recovery of a social media account. However, according to the researchers these particular hacks were noticeably different:
“In each case, the hijackers gained access to the victim’s Twitter account (it is unclear how). Both accounts were “verified” and marked with a blue seal in the user’s profile, and both had a large following.
“The hijackers then updated the account information by changing the password and the associated email address, locking out the legitimate user. The hijackers then changed the username of the accounts from @MilagrosSocorro to @DESAMORTOOT in the first case; and from @Miguel_Pizarro to @PizarroPSUV and then @BuscoAsao in the second.”
Doubleswitch Attack Vector
In all likelihood, the attack would have begun with a phishing email containing a link made to look legitimate. Phishing of this kind is a form of social engineering and is commonly used to deliver malware onto the victim’s device.
Although the exact attack vector in these cases is still unknown, in similar circumstances the malware usually includes a keylogger that captures the victim’s credentials and sends them back to a command and control (C&C) server. Once the attacker holds those credentials, the ‘Doubleswitch’ itself can begin.
The attacker changes the password and email address attached to the compromised account and then renames it, which frees up the original handle. With the original handle available, the attacker registers a new account under that name, tied to an email address they control.
The attacker now controls both the original (renamed) account and the new account bearing the original handle. Any recovery attempt by the victim fails, because the recovery emails for both accounts are delivered to addresses the attacker controls.
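To make the failure mode described above concrete, here is an added example (not from Access Now or from any platform) that models a toy in-memory account service in Python and replays the rename-then-re-register sequence against it, once as-is and once with two assumed mitigations: holding a released handle so it cannot be immediately re-registered, and sending reset links to the previous email address as well as the current one. All account names, addresses and the mitigation policy are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    handle: str
    email: str
    password: str
    previous_email: str = ""  # set when the address on file changes


class AccountService:
    """Minimal account store. `hardened` turns on the two assumed mitigations."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}  # current handle -> Account
        self.released = {}  # handle given up by a rename -> Account that held it

    def register(self, handle, email, password):
        if handle in self.accounts:
            raise ValueError("handle taken")
        if self.hardened and handle in self.released:
            raise ValueError("handle on hold after a recent rename")
        self.accounts[handle] = Account(handle, email, password)

    def rename(self, old, new):
        acct = self.accounts.pop(old)
        self.released[old] = acct  # remember which account gave the handle up
        acct.handle = new
        self.accounts[new] = acct

    def change_email(self, handle, new_email):
        acct = self.accounts[handle]
        acct.previous_email, acct.email = acct.email, new_email

    def reset_recipients(self, handle):
        """Addresses that would receive a password-reset link requested for `handle`."""
        acct = self.accounts.get(handle)
        if acct is None and self.hardened:
            acct = self.released.get(handle)  # held handle still resolves to its old owner
        if acct is None:
            return set()
        recipients = {acct.email}
        if self.hardened and acct.previous_email:
            recipients.add(acct.previous_email)  # previous address is notified too
        return recipients


def doubleswitch(service):
    """Replay the article's sequence; returns who gets a reset link for the original handle."""
    service.register("victim", "victim@example.org", "hunter2")
    # attacker already holds the password (the initial vector is unknown in the real cases)
    service.change_email("victim", "attacker@example.net")
    service.rename("victim", "burner")
    try:
        service.register("victim", "attacker2@example.net", "pw")  # the second switch
    except ValueError:
        pass  # blocked by the handle hold in the hardened service
    return service.reset_recipients("victim")
```

Without the mitigations the only address that ever sees a reset link is the attacker's; with them, the victim's original address is still reached, and the handle cannot be re-registered during the hold.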
Infographic by Access Now (see Doubleswitch blog)
In the cases of Socorro and Pizarro – who had significant followings on Twitter – the social media accounts were then used to spread false information about ongoing events. In addition, important legitimate Tweets were deleted. Luckily, due to help from Access Now, both social media accounts were eventually returned to their rightful owners.
Could the Attack Spread?
For activists, losing the ability to reach their audience at such a critical time makes these attacks especially severe. Now that the Doubleswitch technique is known to cybercriminals, however, it could well spread beyond activists.
Ordinary users might not have their accounts used to spread false news, but criminals may want access to them in order to run phishing campaigns against their contacts. After all, a phishing link in a private message from a friend is far more effective than one sent by email. Ordinary users may also find it harder than the activists in these cases to regain control of their accounts.
As such, it is important that people learn from these early accounts of the Doubleswitch attack and opt to use two-factor authentication on their social media accounts. This is what a spokesperson from Facebook told me about the newly discovered attack:
“We recognize the risk of malicious actors seeking to use social media to mislead people. For our part, we are taking a multifaceted approach to help mitigate these risks, such as building a combination of automated and manual systems to block accounts used for fraudulent purposes, and we continue to encourage people to use two-factor authentication.
“In the original report, Access states that two-factor (multi-factor) authentication is an important security feature, which Facebook offers to people that makes it much harder for an account to be compromised in the first place.”