A Coordinated Takedown Targets 'OGUser' Account Thieves

Twitter, Instagram, and TikTok have all taken action against the hacker community in recent days.
Members of the OGUsers community target short or otherwise desirable handles for hacking. Instagram, TikTok, and Twitter have had enough of it. Photograph: JUSTIN TALLIS/Getty Images

Since 2017, the online marketplace OGUsers has fueled a community focused on buying and selling access to short or flashy social media and gaming handles, like @xx or @drug. Last year, hackers affiliated with OGUsers allegedly launched a massive attack on Twitter, temporarily taking over dozens of accounts with short or prominent handles, like @Apple, @JeffBezos, and @Uber. Today, as part of ongoing efforts to address OGUsers account takeovers, Instagram, Twitter, TikTok, and other platforms are reclaiming swaths of those stolen accounts and sending cease and desist letters to known OG-handle hackers.

Instagram is taking action against hundreds of accounts as part of Thursday's action. While it's done this kind of enforcement for years, it's speaking publicly about it for the first time to raise awareness about the extent of the threat. Skilled OGUsers hackers not only target individual account owners to get credentials, but have launched sophisticated phishing attacks and even extortion attempts against customer service and IT technicians at big companies—as in the Twitter hack—to get bulk access to more accounts. OGUsers are notorious for using this type of access to pull off SIM-swapping attacks, in which hackers take control of victims' phone numbers and the online accounts attached to them.

WIRED spoke with two senior officials at Instagram parent company Facebook, but agreed not to use their names; OGUsers forum members have “swatted” tech company employees, including some at Facebook and Instagram, in an effort to intimidate them. Swatting attacks are false calls to 911 about made-up emergencies at a target's address, with the goal of having police storm the residence.

“We want to make it clear both to the OG members we’re enforcing against here and anyone else who’s contemplating similar techniques that we’re not going to permit them to commercialize this type of deception, harassment, and abuse,” one Facebook official told WIRED. “And we want to raise awareness among people who might try to buy these accounts that the way the individuals get access to the accounts involves hacking, blackmail, and swatting that can cause real harm to innocent people.”

Twitter says it permanently suspended a number of accounts related to OGUsers activity in recent days, including some with high follower counts and short or otherwise unique handles. The company conducted its investigation in tandem with Facebook.

“As part of our ongoing work to find and stop inauthentic behavior, we recently reclaimed a number of TikTok usernames that were being used for account squatting,” a TikTok spokesperson told WIRED in a statement. The company also said it has been cooperating with other industry organizations to combat the problem. 

“The challenge that I pose to these high-value companies, social media sites, or cryptocurrency platforms is if you take a look at your password reset flow and you can reset the password by owning the phone number, you’ve got yourself a problem,” says Rachel Tobac, CEO of SocialProof Security, which focuses on social engineering. “You can take punitive action against cybercriminals, but you also need to minimize the value of the attack methodology of SIM swaps.”

Multifactor authentication using code-generating apps or physical authentication tokens can prevent hackers from stealing two-factor codes sent via SMS. Instagram introduced third-party app authentication in 2018, and encourages all of its users to add that extra layer of protection. Facebook is also in the process of expanding its “Facebook Protect” security program for prominent accounts, which offers support on multifactor authentication and additional monitoring. 

While OGUsers hackers often rely on SIM-swapping, researchers emphasize that it isn't the only type of attack companies need to guard their users against. Many of the actors are talented social engineers and phishers. Some go beyond stealing credentials, and use those techniques to install malware inside customer service departments or even on individuals' devices. This means the response needs to be even more comprehensive.

“A lot of people in this hacking community have been acting with impunity, especially when social media takedowns were sporadic and they were not really getting signals that what they're doing is illegal and against terms of service,” says Allison Nixon, chief research officer of security firm Unit 221B. “These actors are really secretive about their methods. You might see a handful of celebrities or bitcoin whales getting hacked and there's no information about how they got hacked, and they have no idea either, and the company isn’t saying.”

Those tasked with combating these account takeovers cite the toxic online subculture that not only abets but encourages them. This coordinated action shows that the platforms most affected, at least, are taking the problem seriously.

“One of the things that research has shown again and again, particularly for young people, is that it can be very easy to distance themselves from or not appreciate the harm they may be causing online,” one Facebook official says. “So we will continue to make these techniques less effective, but I also think there’s an important question about how we have a more comprehensive societal response involving education, counseling, and support to help move some of these young people off this path.”

SocialProof Security's Tobac also emphasizes the need to address the underlying, systemic issues that entice people to join the OGUsers attacker community in the first place. 

“A lot of these cybercriminals don’t realize, you can make this money legitimately in the security industry,” she says. “You can make bank! And you don't have to be paranoid about the feds banging down your door.”

For now, though, as more and more tech platforms take a stand against this type of activity, law enforcement actions may be looming, too.

