How DoubleSwitch Attack Works (Illustrated Example)

Original @thehackersnews Twitter Account

Original Tim Cook Twitter Profile

Hijacked @thehackersnews Account (Impersonates Tim Cook)

Locking the Legitimate Account Owner Out of its Account

Social media networks are no doubt a quick and powerful way to share information and ideas, but not everything shared on Facebook or Twitter is true.

Misinformation, or "Fake News," has emerged as a primary issue for social media platforms, seeking to influence millions of people with wrong propaganda and falsehoods.

In past years, we have seen how political parties and other groups have used spoofed social media profiles of influencers or leaders to spread misinformation, and most of the time such techniques succeed in convincing people that the information is true.

Although social media services like Facebook, Twitter, and Google offer account verification (verified accounts with a blue tick) for public figures, we have seen hackers hijack verified accounts to spread fake news from a legitimate account to its millions of followers.

Now, researchers have uncovered a new, cunning attack technique currently being used by hackers to take over verified Twitter accounts and rename them after influential people in order to spread fake news.

Dubbed DoubleSwitch, the attack begins with a simple account takeover, but then the hackers change the username and display name to those of someone with a large influence on social media.

According to a new report from digital rights group Access Now, hackers are targeting Twitter accounts of journalists, activists, and human rights defenders in Venezuela, Bahrain, and Myanmar, some of which were verified and had a large number of followers.

This attack was discovered when two journalists, Milagros Socorro and Miguel Pizarro (a member of Venezuela's parliament), had their accounts hacked and then renamed.

The hacker then registered a new account resembling their original profiles under the original usernames (Twitter handles), but using email addresses controlled by the attacker.

This means that every time the victims try to recover their accounts using the regular password reset option, the confirmation emails are sent to the hijacker, who pretends that the issue has been resolved, making it almost impossible for the victims to recover their accounts.

Hackers then use the hijacked verified accounts, now renamed after another influencer, to feed fake news to the millions of followers of the original accounts.

While it's unclear how the hackers managed to hijack the verified users in the first place, it is believed that the attack begins with malware or phishing attacks.

To illustrate how effective the DoubleSwitch technique is, we have prepared an example below:

Let's say a hacker somehow managed to hijack The Hacker News' Twitter account (@thehackersnews), which is verified and has 368,000 followers, most of whom are influencers in the Infosec community.

And then the "DoubleSwitch" begins.

Once the account is hacked, the hacker first changes the password and associated email ID, along with the username, to, let's say, @tim__cook, spoofing Apple's CEO, who is on Twitter as @tim_cook (single underscore).

Now, the hacker holds a verified account with the name of Apple CEO Tim Cook and can feed misinformation to nearly 370,000 influential followers from the tech industry, and many of them will believe it without realising that the account is hijacked and the tweets from it are fake.

The hacker then creates a new Twitter account with the original username @thehackersnews, which will be available because once a Twitter account is deactivated, the handle for that account is freed for others to use.

But note that this new Twitter account registered with our Twitter handle (@thehackersnews) will not be verified and will have zero followers.

If we use the password reset option to get our account back, Twitter will send the confirmation email only to the email ID the attacker used to register the new account.

So any attempt by the victim to regain access to the account fails, as the attacker can simply notify Twitter that the issue has been resolved, locking out the legitimate account holder.

Fortunately, Twitter also offers an alternative way, an online form, to report account hacking incidents directly to the Twitter team, which then reviews and investigates the issue to help victims recover their accounts.

Using this method, Access Now helped the journalists regain access to their accounts, but by the time they regained access, some of the original account holders' tweets had been deleted, and the accounts had been used to spread fake news about events in Venezuela, confusing followers and damaging the journalists' reputations in the process.

Access Now says the attack can be conducted over Facebook and Instagram as well, but users can protect themselves by enabling the two-factor authentication feature offered by the services. Two-factor authentication uses two different methods to verify a user's identity, a password and a one-time passcode (OTP) sent to the user's mobile phone, which makes it much harder for hackers to compromise an account in the first place.

However, two-factor verification is not an actual solution for journalists, activists and human rights defenders in countries like Venezuela, as they do not associate personally identifiable information like phone numbers with their online accounts for fear of being spied on.
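A monitoring check for the two switches described above, as an added example that is not part of the original article: it compares two profile snapshots and assumes each account has a stable numeric ID that survives handle changes. The `Profile` record, its field names and the account IDs are hypothetical; the handles and follower count are taken from the article's illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:          # hypothetical snapshot record, not a platform API type
    account_id: int     # assumed stable across handle changes
    handle: str
    verified: bool
    followers: int

def skeleton(handle: str) -> str:
    """Collapse separators so tim__cook and tim_cook compare equal."""
    return re.sub(r"[_\W]+", "", handle.lower())

def detect_doubleswitch(before, after, protected_handles=()):
    """Compare two snapshots (lists of Profile) and return one finding per rename."""
    old_by_id = {p.account_id: p for p in before}
    new_by_handle = {p.handle.lower(): p for p in after}
    watch = {skeleton(h): h for h in protected_handles}
    findings = []
    for p in after:
        old = old_by_id.get(p.account_id)
        if old is None or old.handle.lower() == p.handle.lower():
            continue  # new account, or handle unchanged
        # Switch 1: a known account ID now carries a different handle.
        finding = {"account_id": p.account_id, "old_handle": old.handle,
                   "new_handle": p.handle, "reregistered_by": None,
                   "lookalike_of": None}
        # Switch 2: the freed handle now resolves to a different account ID.
        squatter = new_by_handle.get(old.handle.lower())
        if squatter and squatter.account_id != p.account_id:
            finding["reregistered_by"] = squatter.account_id
        # The new handle imitates a watched handle without being identical.
        target = watch.get(skeleton(p.handle))
        if target and target.lower() != p.handle.lower():
            finding["lookalike_of"] = target
        findings.append(finding)
    return findings

# Constructed sample data mirroring the article's illustration (IDs are made up).
BEFORE = [Profile(1001, "thehackersnews", True, 368000)]
AFTER = [Profile(1001, "tim__cook", True, 368000),
         Profile(3003, "thehackersnews", False, 0)]

if __name__ == "__main__":
    for f in detect_doubleswitch(BEFORE, AFTER, protected_handles=["tim_cook"]):
        print(f)
```

A finding with both `reregistered_by` and `lookalike_of` set is the signal to skip the password reset flow, whose confirmation email goes to the address on the re-registered account, and go straight to the platform's hacked-account report form.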