New Technique to Hijack Social Media Accounts

Access Now has documented it being used against a Twitter user, but it also works against other social media accounts:

With the Doubleswitch attack, a hijacker takes control of a victim's account through one of several attack vectors. People who have not enabled an app-based form of multifactor authentication for their accounts are especially vulnerable. For instance, an attacker could trick you into revealing your password through phishing. If you don't have multifactor authentication, you lack a secondary line of defense. Once in control, the hijacker can then send messages and also subtly change your account information, including your username. The original username for your account is now available, allowing the hijacker to register for an account using that original username, while providing different login credentials.

Three news stories.

Posted on June 19, 2017 at 6:44 AM • 23 Comments

Comments

KaiJune 19, 2017 7:17 AM

I'm confused as to why they then make their new account the "definitive" account - by changing the names on both of them, unless this is more a denial-of-service type attack rather than to steal that person's followers.
If you make a new account, it straight away has zero followers, whereas the old account that's been renamed should still have all of the followers. Plus, the old account has the blue tick, whereas the new one isn't verified.

If the purpose is to simply prevent the original person from having their handle of choice, then it apparently works, however if you're the verified owner of a blue-tick account, I would have assumed that you'd have some way to get in touch with Twitter etc to flag an issue such as a hostile account take-over. Maybe such people have no more recourse than us mere mortals do...

I had a moderately popular Facebook group (5k people) stolen from me and closed down and there was absolutely no way to get in touch with anyone at Facebook to do anything about it...

GeorgeJune 19, 2017 8:38 AM

They still have the original account, with the followers, so it would make sense if they used that account to retweet messages from the newer account.

RussJune 19, 2017 10:16 AM

I like how in the description step 1 is to hack the account. Who cares about the following steps? Of course you can do damage once you've obtained full access. There's no explanation for how they're doing step 1 other than a normal phishing attack.

albertJune 19, 2017 10:19 AM

"...Activists around the world rely on social media platforms like Facebook and Twitter to communicate and advocate for their rights in repressive regimes, making their accounts prime targets for attack...."

Really? And what's a faster way to deactivate 'activists' than to use social media accounts?

How does an attacker gain access? The article says:

"...the hijackers gained access to the victim’s Twitter account (it is unclear how)...."

"...For instance, an attacker could trick you into revealing your password through phishing. ..."

That's it?

Nothing to see here, move along folks...

. .. . .. --- ....

Wh4t3v5June 19, 2017 10:45 AM

The first article really nails the main issue--people are not activating TFA if it requires giving a phone number or other possibly personally identifying information. I know several people who are personally affected by this: Using a throwaway number won't allow for account recovery or true TFA security, and using something like a Google Voice number still links back to an account that may be personally identifying.

If social media companies were really concerned with TFA, they'd use the email addresses attached to accounts to send login codes. Annoying, sure. But better than without the second factor. Instead, they ask for a phone number, which they can then sell in addition with whatever data they're scraping from the social media account.

ArclightJune 19, 2017 10:57 AM

The changing of the original username makes it harder for the rightful owner to reclaim the account. A typical customer service rep who is "following the script" is going to see treat the "new user" as a different customer with unique details not known to the original account holder. They may not have access to the audit log showing the change that occurred.

At the end of the day, this lets them grab a dormant username or hold a new one for longer I guess.

PhJune 19, 2017 11:41 AM

"Doubleswitch attack"?
Old news in new clothes.
I used to work in a computer room, which became a server room and now i'm working in the clouds....

ParabarbarianJune 19, 2017 2:35 PM

I see how the attack works but I do not see anything unusual about it. Leveraging the cracked account to steal the original owner's online identity is not exactly unusual. I guess I don't see how this is materially different than the last several years of attacks on so-called "social media".

I am not sure that 2FA will make much difference. It *may* make it slightly harder to crack the associated account but it is probably easier to hack a modern "smart" phone than a twitter or facebook account. Heck, even an old flip phone can be used to track you. The words "anonymous" and "cell phone" are a security oxymoron.

OTOH, I may be too old fashioned for the modern world. I can remember when activists used tools like PGP, anonymous remailers and chatted over secure shell or similar encrypted tunnels.

AnonJune 19, 2017 3:14 PM

So it comes down to a phishing attack? 2FA isn't going to help if you're giving away your login details over e-mail!

TõnisJune 19, 2017 3:24 PM

Two-factor isn't all that it's cracked up to be. Picture this vulnerability.

1. Police arrest you.
2. Police take your locked smartphone which conveniently displays on the lock screen the first few lines of new messages that come in.
3. Police want to access your webmail account and decide to try "Reset my password."
4. Webmail provider texts the two-factor access code to your smartphone, it's conveniently displayed on the lock screen, and they're into your webmail.

Two factor is a joke. Use strong passwords like--

{fW3W!pkX`ut1+GN

--and no one's getting into your webmail.

GnomeJune 19, 2017 4:54 PM

@Tõnis

It's better to use both a secure password and have two factor authentication then one or the other. Defense in depth my friend.

Also you're example is an exceptional case which, at least implies the person involved has been detained.

I'd say in general use two factor is a safer alternative and would really rely on the user to be exposed via ignorance rather then an actual vulnerability in the system itself.

As for secure passwords we have password managers to generate and manage those.

G

Chris ZweberJune 19, 2017 5:21 PM

@Tõnis

Someone engaged in criminal activity would likely turn off notification previews on the lock screen.

I am paranoid enough to do it just to avoid irking girls I am hanging out with. I think a criminal worried about opsec to the point they are making garbled webmail passwords would also have a locked down phone.

HulioJune 19, 2017 5:56 PM

@Tõnis

With encryption on android, you must input your password in order to unlock the screen; text previews do not otherwise display.

GodelJune 19, 2017 6:29 PM

The fact that Twitter allows you to change your user name, AND without verification, and that the old name is immediately available for reuse are two obvious things that need changing.

And of course use 2FA if available. And use an iPhone instead of an Android device if you think they're out to get you?

DroneJune 20, 2017 1:14 AM

"If you don't have multifactor authentication, you lack a secondary line of defense."

And if you do have multifactor authentication, like receiving SMS OTP's on your phone, expect tons of new SMS spam! A bank I used to use mandated SMS TFA, I got so much SMS spam from the bank (and whoever they sold my number to), I had to turn the phone off between calls. But hey, look at the bright side, I got great battery life :-)

The Bank? Bank Central Asia (BCA) in Indonesia

The spam from the bank was just bad/greedy bank policy. But I suspect the selling of customer phone numbers was being done by unscrupulous bank employees.

PhJune 20, 2017 2:31 AM

2FA simply introduces a new (chained) link in the chain.
Depending on hardware and personal preference/habits this new link can be the weakest and possibly abused in situations where a strong password cannot.
Then again a strong password is subject to other weaknesses without a chained link as 2FA.

To be as secure as possible, don't just go for 2FA without question, but use a bit of risk management to see if it is more feasible for you to lose your phone, or to lose your strong password due to keylogger/breach in auth db/reuse.


MatteoJune 20, 2017 5:15 AM

@Ph
I also think that 2FA by SMS *IS* the weakest link.
SMS has no encryption authentication integrity... and they are abused to access people accounts (in russia and china for example)

https://advox.globalvoices.org/2016/05/02/is-telegram-really-safe-for-activists-under-threat-these-two-russians-arent-so-sure/

it's like emailing your password over an insecure channell: madness!!
and yet people think that sms is the most secure because is paid and not free and other wrong motivations:
Obstacles to the Adoption of Secure Communication Tools:
http://www.ieee-security.org/TC/SP2017/papers/84.pdf

Dan HJune 21, 2017 7:36 AM

My social media accounts are absolutely 100% secure and cannot be hacked. I don't have any and refuse to have them.

Silent BobJune 21, 2017 1:49 PM


Someone please tell me how good an idea it is to use phone number as the second factor.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Security.