Social media impersonation attacks

The security community and the progressive organizing world has seen a significant increase in social media impersonation attacks over the last few weeks.

The goal of these attacks appears to be to extract the phone numbers of people who have posting or admin access to organizational social media accounts. With these phone numbers, attackers can attempt a SIM swap / SIM-jacking attack, and then use stolen phone numbers to break into social media accounts protected by the SMS 2FA method.

Here’s a recent example, starring an impersonation of my Instagram account. My Instagram account is “annlewis”, and the impersonator account is cleverly named “annleewis”. (And yes, that profile pic is of me dressed as santa and playing a keytar- be jealous)

The impersonator account grabbed a handful of my most recently posted pictures and reposted them from the impersonator account, then went through my followers list following people on this list. A handful of people who had forgotten they had already followed me then followed this impersonator account.

The impersonator account then tried to request personal info like cell phone numbers from the people the account followed. Several attempts were successful:

Several coworkers noticed and reported this, and Instagram has since taken down the impersonator account. Many folks have reported seeing or being engaged by impersonator accounts on a variety of platforms including Instagram, Twitter, Facebook, LinkedIn, and even dating sites like match.com

If you notice an impersonator account, report it to the social media platform it was created on. Encourage others who are connected to the legitimate account being impersonated to report it too.

Verify the identity of accounts before connecting, by checking whether you have already connected to a similarly named account, and reaching out to the supposed account holder via a different communication method if possible. Do not assume that an account is legit just because you have several mutual connections with the account.

If you have been a victim of such an attack and have given out your phone number, use an abundance of caution, and update your social media 2FA backup methods.

You can also audit recent activity on your social media accounts to try to understand whether your account has been compromised. While some attackers may make themselves known by posting malicious content from your account, many others may use this access quietly and observe your behavior and non-public interactions. Attackers who have quietly gained access to your account can still leave digital traces though.

One example is Twitter’s “Places you’ve been.” Go to https://twitter.com/settings/your_twitter_data/account_history and select “Places You’ve Been.” Do you see suspicious locations that you’ve never visited before? Like “Russia”?

If so, you should assume your account has been compromised. To mitigate this, take a screenshot of authorized apps and sessions, then rotate your password, and revoke access to all Apps and Sessions listed in https://twitter.com/settings/applications. You can re-add access as needed. It’s helpful to keep a record of authorized apps and sessions, because it’s possible your account was accessed directly from these other locations, or accessed via a 3rd party app.

CTO, MoveOn.org https://annlewis.tech/