Hackers are spreading ISIS terror propaganda by hijacking dormant Twitter accounts
Hackers are using a decade-old flaw to target and hijack dormant Twitter accounts to spread terrorist propaganda, TechCrunch has learned.
Many of the affected Twitter accounts appeared to be hijacked in recent days or weeks — some longer — after years of inactivity. A sudden shift in tone or the language used in tweets often gives away the hijack — usually a single tweet in Arabic, sometimes praising Allah or retweeting propaganda from another account.
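The "sudden shift in tone or language after years of inactivity" signal described above can be checked mechanically over an account's timeline. The following is an added example, not code from TechCrunch or from the researchers quoted in the article; the timeline is constructed for illustration, and the dormancy threshold and the script-classification heuristic (Arabic Unicode block versus ASCII letters) are assumptions chosen for this example.

```python
"""Flag tweets that follow a long dormancy gap and switch writing script.

Added example, not code from the original article. The timeline below is
constructed, and the dormancy threshold and script heuristic are assumptions.
"""
from datetime import datetime

# Constructed timeline (not real tweets): years of English posts, then after a
# long silence a single Arabic post, which is the pattern the article describes.
SAMPLE_TIMELINE = [
    ("2011-03-02", "new phone, who dis"),
    ("2011-09-14", "heading to the game tonight"),
    ("2012-01-20", "happy new year everyone"),
    ("2018-12-10", "الحمد لله"),
]

# Control timeline with the same long gap but no change of script.
CONTROL_TIMELINE = [
    ("2011-03-02", "new phone, who dis"),
    ("2018-12-10", "back after a long break"),
]


def dominant_script(text: str) -> str:
    """Classify text as 'arabic', 'latin' or 'other' by counting letters in the
    Arabic Unicode block (U+0600-U+06FF) against ASCII letters. A heuristic,
    not a full language detector."""
    arabic = sum(1 for ch in text if "\u0600" <= ch <= "\u06ff")
    latin = sum(1 for ch in text if ch.isascii() and ch.isalpha())
    if arabic == 0 and latin == 0:
        return "other"
    return "arabic" if arabic >= latin else "latin"


def hijack_signals(timeline, dormancy_days: int = 365) -> list:
    """Return (index, reason) for every tweet that follows a gap of at least
    dormancy_days and whose script differs from the dominant script of all
    tweets before that gap. Only gaps are examined, so a gradual change of
    language on an active account is not flagged."""
    parsed = [(datetime.strptime(day, "%Y-%m-%d"), text) for day, text in timeline]
    signals = []
    for i in range(1, len(parsed)):
        gap = (parsed[i][0] - parsed[i - 1][0]).days
        if gap < dormancy_days:
            continue
        prior = [dominant_script(text) for _, text in parsed[:i]]
        baseline = max(set(prior), key=prior.count)
        current = dominant_script(parsed[i][1])
        if current != baseline:
            signals.append((i, f"{gap}-day gap, then script changed from {baseline} to {current}"))
    return signals


if __name__ == "__main__":
    for idx, reason in hijack_signals(SAMPLE_TIMELINE):
        print(f"tweet #{idx}: {reason}")
```

Run against a real timeline this only produces a lead, not a verdict: a genuine owner can return after years and switch languages. The point is that dormancy plus an abrupt script change is cheap to compute and matches the pattern the hijacked accounts showed.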
Twitter has suspended most of the accounts we reviewed, but some remain active.
The recent resurgence in hijacked accounts appears to be the work of hackers exploiting Twitter’s legacy lack of email confirmation. In June, Twitter took steps to prevent the automated creation of new accounts by requiring that new accounts be confirmed with an email address or phone number, but many older accounts remain unconfirmed.
Dormant Twitter accounts are never deleted, but the email addresses used to create them often either never existed in the first place or expired long ago. As a result, many older Twitter accounts can be hijacked simply by registering the email address that was used to set up the account, which then receives the password reset link.
“This issue has been around for a while but no one really knew and took advantage of it,” said a hacker and security researcher known as WauchulaGhost, who researches and disrupts the online activities of the so-called Islamic State.
“Now, we have Islamic State supporters that have figured it out,” he said.
He found one since-suspended account that was following many inactive accounts, all of which had recently been hijacked. His hypothesis, he said, was that “once you create the email, password reset on the Twitter account, check the email and click the link.” For many of the dormant accounts he tested, the email address the account was registered to had never been created. Twitter partially masks the address, but the mask still reveals how many characters it contains. Often the email address was simply the Twitter handle at “@hotmail.com” or “@yahoo.com,” he said.
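The inference described above, that the masked hint leaks the length and leading characters of the recovery address and that the address is frequently just the handle at a common provider, can be checked mechanically. The following is an added example, not code from TechCrunch or from WauchulaGhost. The mask format (leading characters visible, every other character replaced by `*`) and the handle/hint pair are assumptions constructed for illustration; the real hint format may differ. The same check is useful defensively: run it against the masked hint for your own accounts to see whether the recovery address is trivially guessable.

```python
"""Match guessed email addresses against a partially masked recovery-email hint.

Added example, not code from the original article or its sources. The mask
format and the sample handle/hint are assumptions made for illustration.
"""
import re

# Constructed sample: a Twitter handle and the masked hint a password-reset
# flow might show for its recovery email. Both are made up for this example.
SAMPLE_HANDLE = "desertfalcon87"
SAMPLE_MASK = "de************@h******.***"

# Providers the article names, plus a few other common ones (assumption).
COMMON_DOMAINS = ("hotmail.com", "yahoo.com", "gmail.com", "outlook.com", "aol.com")


def mask_to_regex(mask: str) -> re.Pattern:
    """Turn a masked hint into a regex: each '*' matches exactly one character
    and every other character must match literally. This is why the mask leaks
    the exact length of the local part and the domain, not just a few letters."""
    pattern = "".join("." if ch == "*" else re.escape(ch) for ch in mask)
    return re.compile(f"^{pattern}$")


def candidate_emails(handle: str, domains=COMMON_DOMAINS) -> list:
    """Generate the naive guesses the article describes: the handle itself at a
    handful of common providers, plus trivial underscore variants."""
    local_parts = {handle, handle.lower(), handle.replace("_", ""), handle.replace("_", ".")}
    return [f"{local}@{domain}" for local in sorted(local_parts) for domain in domains]


def matching_candidates(handle: str, mask: str) -> list:
    """Return only those candidate addresses consistent with the masked hint."""
    rx = mask_to_regex(mask)
    return [email for email in candidate_emails(handle) if rx.match(email)]


def hidden_characters(mask: str) -> tuple:
    """Return (hidden_in_local_part, hidden_in_domain): how much of the address
    the mask actually conceals once its length is known."""
    local, _, domain = mask.partition("@")
    return (local.count("*"), domain.count("*"))


if __name__ == "__main__":
    print("candidates consistent with mask:", matching_candidates(SAMPLE_HANDLE, SAMPLE_MASK))
    print("hidden characters (local, domain):", hidden_characters(SAMPLE_MASK))
```

With the constructed sample the fourteen-character local part and the `h******.***` domain leave exactly one of the guesses standing. A mask that hides the length (for example by showing a fixed number of asterisks regardless of the address) would not narrow the candidates this way.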
Some of the accounts had tens of thousands of followers, he said.
He shared several of those dormant Twitter accounts with TechCrunch, nearly all of which had registered email addresses that were identical to their Twitter handle. He was able to register all of those email addresses, which would have allowed him to access those accounts.
Many of the hijacked accounts he found in the past few days — and shared with TechCrunch — were spreading propaganda, but were later suspended from the service. The hackers often didn’t bother to change the bios on the account.
The hijacked accounts we reviewed included Arabic-language videos of Islamic State fighters wielding weapons and other curated content. Others simply contained text, also in Arabic, that praised violence and other attacks, or retweeted other accounts.
Source: TechCrunch