Activists from Venezuela to Bahrain are falling victim to a devious new account hack, according to a report from the digital rights group Access Now. Dubbed a “Doubleback” attack, the hack begins with a simple account takeover, but is followed by a number of name changes designed to cover the attacker’s tracks and bewilder followers.
Once a given twitter account (say @russellbrandom) has been taken over, Doubleback attackers will move the existing account to a new screenname (say, @fake_russell) and then establish a new account at the original screenname, often using the same profile picture and display name. When the target attempts to recover their account, they’ll go to the original screenname, which is now registered to the hacker’s email. At the same time, they have no easy way to find the original account, now bearing the original recovery emails and followers under a different name.
So far, the attack has hit hardest on Twitter. The Access report describes Milagros Socorro and Miguel Pizarro, a journalist and an activist respectively, both dealing with turbulent protests in Venezuela. In each case, hijackers took control of the target Twitter account, switched the username, and began spreading misinformation from a new account registered under the original screenname. Followers of the original account wouldn’t carry over to the impostor account, but the impersonation still creates significant confusion for anyone seeing the new account’s tweets. In one case, the hijackers even deleted the original account, making account recovery far more difficult.
The incidents are drawn from Access Now’s Digital Security Helpline, a 24-hour rapid response service for civil society groups that come under digital attack. Most of those callers are focused on Twitter — but Access Now’s Daniel Bedoya, who works on the helpline in Costa Rica, says the technique could work on other platforms too. “We haven’t seen attacks on Facebook or Instagram specifically with this tactic,” Bedoya says, “but I don’t think it’s worse on any one platform or another. It’s just a matter of the platforms that we see.”
Platforms like Twitter and Facebook have taken a number of steps to prevent account takeovers, but there are few systems preventing the re-registration of a name once the original account has been hacked. Bedoya says that freezing a username for a period of time after it’s been vacated could make a significant difference for targets of the attack. “At least in the short term, you can control the consequences,” Bedoya says.
Twitter did not respond to a request for comment, while Facebook said it recognized the risk of bad actors using social media to spread misinformation. “We are taking a multifaceted approach to help mitigate these risks, such as building a combination of automated and manual systems to block accounts used for fraudulent purposes,” a Facebook spokesperson told The Verge, “and we continue to encourage people to use two-factor authentication.”
In some cases, the need for confidentiality actually pushes targets away from two-factor authentication. Twitter requires a phone number to enable two-factor (even if the token isn’t ultimately delivered over SMS), which raises real concerns for activists publishing under pseudonyms, who may be the target of government reprisals. “They don’t want to give a phone number that identifies them,” Bedoya says. “That’s preventing a lot of at-risk users from using two-factor.”