Since 2017, the online marketplace OGUsers has run a community focused on buying and selling access to short or flashy social media and gaming handles, such as @xx or @drug. Last year, hackers affiliated with OGUsers allegedly launched a massive attack on Twitter, temporarily taking over dozens of accounts with short or prominent handles, such as @Apple, @JeffBezos and @Uber. Today, as part of the ongoing work to address OGUsers’ account takeovers, Instagram, Twitter, TikTok and other platforms are recovering traces of the stolen accounts and sending termination and waiver letters to known OG handle hackers.
Instagram is taking action against hundreds of accounts as part of Thursday
WIRED spoke to two senior officials at Instagram’s parent company Facebook, but agreed not to use their names; OGUsers forum members have “swatted” technology company employees, including some at Facebook and Instagram, in an attempt to intimidate them. Swatting attacks are fake calls to 911 about complex emergencies at a target address, made with the aim of getting the police to storm the home.
“We want to make it clear both to the OG members we enforce against here and to anyone else who is considering similar techniques that we will not allow them to commercialize this type of fraud, harassment and abuse,” a Facebook official told WIRED. “And we want to raise awareness among people who may be trying to buy these accounts that the way individuals access the accounts involves hacking, extortion and swatting that can cause real harm to innocent people.”
Twitter says it has permanently suspended a number of accounts related to OGUsers activity in recent days, including some with a high number of followers and short or otherwise unique handles. The company conducted its investigation together with Facebook.
“As part of our ongoing effort to detect and stop unauthentic behavior, we have recently recovered a number of TikTok usernames that were used to hack into the account,” a TikTok spokesman told WIRED in a statement. The company also said it has partnered with other industry organizations to combat the problem.
“The challenge I face with these high-value companies, social media or cryptocurrency platforms, is if you take a look at your reset flow and you can reset your password by owning the phone number, you have a problem,” said Rachel Tobac, CEO of SocialProof Security, which focuses on social engineering. “You can take criminal action against cybercriminals, but you also need to minimize the value of the SIM switch attack method.”
Multifactor authentication using code-generating apps or physical authentication tokens can prevent hackers from stealing two-factor codes sent via SMS. Instagram introduced third-party app approval in 2018, and encourages all users to add the extra layer of protection. Facebook is also in the process of expanding its “Facebook Protect” security program for prominent accounts, which offers support for multifactor authentication and additional monitoring.
While OGU hackers often rely on SIM switching, researchers emphasize that it is not the only type of attack companies need to protect users against. Many of the actors are skilled social engineers and phishers. Some go beyond stealing credentials and use these techniques to install malicious software in customer service departments or even on individuals’ devices. This means that the response must be even more comprehensive.