By now, you probably know that you can’t believe any news unless it is from a site that you trust. But what if you learned that your trusted site can be made to spread fake news? How could you ever be sure that the information it gave you was true? In fact, how can you trust any news at all? This is the angst of living in the modern information age. We have all become either skeptical of everything we read, or we simply believe those news items that support our pre-existing viewpoints. The truth has become either too elusive or simply unwanted.
This post will discuss one way that oppressive governments can muddy the waters by using legitimate opposition Twitter accounts to spread news that helps these governments and hurts their opponents. Although the discussion will focus primarily on Twitter accounts, it should be kept in mind that this technique could be used with other social media accounts as well. In the end, even if the reader realizes their favorite site has been compromised and its news is fake, the overall effect will be to lower the reputation of the infected site, even if the site is subsequently recovered. Once a site is exposed as being vulnerable to exploitation, trust in the site will diminish. It is a win-win situation for the oppressive government because, one way or another, they have undermined the credibility of a problem site and the news it posts.
To take over a legitimate Twitter account via what is termed a Doubleswitch attack, the attacker must first trick the account’s owner into giving up their login credentials. Most of the time, this is done through a phishing email. The email may say that, for some reason, the victim needs to sign into their Twitter account. The reason may seem logical. However, when they click on the supplied link to connect to the login page, it will not be the real Twitter login page, even though it may look identical to it.
Notice, however, that the address in the address bar is not twitter.com. The attackers hope you won’t notice. They can try to make the address appear legitimate in a number of ways. For example, the following address is fake, but you’d have to look at it carefully to see that there was a diacritical mark over the ‘w’. Admittedly, it takes some work to use characters from outside the ASCII character set, and most browsers would decode them. However, the point is to take advantage of the user’s lack of caution.
For the purposes of this post, let’s assume the attackers have in some way gained access to the opposition Twitter account. After they log into it, they will change the Twitter username (handle) and the email address associated with it. At this point, the original user will be unable to log into their account.
Changing the username frees up the original username. The attacker then opens up a new account with the original, opposition username and copies pictures etc. to the new account to make it look, at least on the surface, identical to the old account. In other words, it looks exactly like the original opposition account, but it is associated with a different email address. If the original owner tries to get their account back, they can’t because their email address has been changed and they, therefore, cannot be sent the appropriate recovery information. Now, you may think that supplying a phone number to receive a text/SMS message would prevent such a takeover. However, most opposition leaders don’t want to make their smartphone numbers available for security reasons. Besides, as I wrote in another post, phone numbers are often used for hacking social media sites that use 2FA (two-factor authentication).
The key point is that once the government has taken control of the opposition account, they can use it to send out fake news and few followers would detect the difference. The fake news would appear to be real news. All previous tweets can be deleted and fake news used to replace them. Eventually, even if the account is recovered, the waters are muddied and the credibility of opposition leaders is undermined. According to Access Now, the firm which discovered the attack, sometimes the account can never be recovered.
The Hacker News gave another variation of this attack. In their example, a random but verified account is taken over and then rebranded to make it look like a legitimate site. They showed how an attacker could make any site look like it was Tim Cook’s site.
They simply copied the information from the legitimate site to the fake site and renamed it from @Tim_Cook to @Tim__Cook (two underscores rather than one). Notice also that the site maintains the blue check verified badge.
As of this writing, Access Now has found the Doubleswitch technique being used to undermine dissidents in Venezuela, Myanmar, and Bahrain. Twitter and other social media platforms are used in similar ways by the UAE, Azerbaijan, Qatar, Saudi Arabia, and Syria. Twitter is either blocked or censored in a number of countries, including China and Pakistan.
It has long been assumed that dissidents can and do use social media to organize against totalitarian regimes. Realizing this, many oppressive countries have banned social media permanently or temporarily. The Doubleswitch approach avoids making the government look bad by the outright banning of social media. It simply allows them to use pre-existing opposition accounts to further their control.
In these times when the truth has become elusive, readers need to be cautious when stories appear to contradict the prevailing opinions expressed by their favorite news outlets. Check the site’s name to see whether it has been manipulated. Look at this list of accounts pretending to be that of Donald Trump. Can you tell which one is legitimate?
The real account is the second one listed. The fake accounts take advantage of the similarities of the small ‘l’, the number ‘1’, and the capital ‘I’. In some fonts, like Twitter’s sans serif, these symbols look very similar. To avoid being tricked, type in the name you want yourself.
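A defender-side check for the name tricks described in this post (the diacritical mark in the login address, the doubled underscore in @Tim__Cook, and the l/1/I swaps), as an added example that is not from the original post or from Twitter: it reduces a handle or hostname to a comparison "skeleton" and flags names that differ from the trusted one only by those tricks. The function names, the sample handles and URL, and the 0/O mapping are assumptions made for the illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Look-alike glyphs named in the post: small 'l', digit '1', capital 'I'.
# The 0/O pair is an extra assumption of this example.
CONFUSABLE = str.maketrans({"1": "l", "I": "l", "0": "o", "O": "o"})


def skeleton(name):
    """Reduce a handle or hostname to a form where the tricks disappear."""
    # NFKD splits an accented letter into base letter + combining mark.
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    # Fold confusable glyphs before lower-casing, so capital 'I' becomes 'l'.
    folded = base.translate(CONFUSABLE).lower()
    # '__' and '_' are hard to tell apart on screen: collapse runs.
    return re.sub(r"_+", "_", folded)


def classify(candidate, trusted):
    """Return 'exact', 'lookalike' or 'unrelated' for candidate vs trusted."""
    if candidate.lower() == trusted.lower():
        return "exact"
    if skeleton(candidate) == skeleton(trusted):
        return "lookalike"
    return "unrelated"


def classify_url(url, trusted_host):
    """Classify a link's hostname and return its ASCII (punycode) form."""
    host = urlsplit(url).hostname or ""
    ascii_host = host.encode("idna").decode("ascii")
    return classify(host, trusted_host), ascii_host


if __name__ == "__main__":
    # Constructed samples: only Tim_Cook / Tim__Cook come from the post.
    for cand, real in [("Tim__Cook", "Tim_Cook"),
                       ("dai1y_truth", "daily_truth"),
                       ("daiIy_truth", "daily_truth")]:
        print(f"@{cand} vs @{real}: {classify(cand, real)}")
    # 'w' with an acute accent (U+1E83) stands in for the post's example.
    print(classify_url("https://t\u1e83itter.com/login", "twitter.com"))
```

Only an "exact" result means the name is the trusted one; "unrelated" says only that the name is not a look-alike of that particular account.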
Check the email address associated with a site to see if it makes sense. Also check the number of followers. A low number of followers may mean the account is fake. Notice the number of followers in the fake Tim Cook account shown above. In fact, Tim Cook has over 6 million followers. However, governments could likely afford to buy fake followers so this is not a perfect way to determine the validity of a site. Also keep in mind that a site may be legitimate but not have a blue badge.
Recently, I’ve found that more and more people are questioning the validity of many Twitter sites. The more controversial the site, the more its legitimacy is questioned. This often happens when negative tweets overpower supporting opinions. However, it just may be that these sites don’t have the supporters they think they have. In fact, questioning the legitimacy of a site on the site itself may be enough to lower its reputation. In short, absolute trust in the news no longer exists.