The Cybersecurity and Infrastructure Security Agency and Director Jen Easterly have been impersonated on Mastodon this week, including on infosec.exchange, an instance of the fast-growing decentralized social network for the infosec and cybersecurity community.
“There were several CISA impersonator accounts across the fediverse on various instances, including one on infosec.exchange, purporting to be [Easterly],” Jerry Bell, the server owner and administrator of infosec.exchange, said via email.
The account impersonating Easterly, the only one Bell said he’s aware of involving government officials, was suspended and he “reported the other CISA impersonators to their respective instance owners asking them to take them down.”
Mastodon instances, which run on independently managed servers with varying rules of engagement, have attracted interest from disillusioned Twitter users searching for a potential new social media home. The infosec.exchange instance of Mastodon grew from 180 to 31,000 users in the last three weeks, said Bell, whose day job is VP and CISO at IBM Public Cloud.
The impersonation of federal officials and agencies underscores a common and consistent problem on social media. Identity verification systems are designed to minimize imposter risk and give users more confidence that high-profile organizations or users they follow are authentic.
Recent changes to Twitter’s verification system, including a short-lived revamp of Twitter Blue that allowed users to gain verification and impersonate high-profile companies or individuals for $8 per month, caused widespread concern among employees, users and industry observers. Twitter, following that backlash, is currently operating without a verification system in place.
CISA was made aware of the impersonating accounts on Mastodon and asked that they be deleted, Easterly said in a tweet. The agency also created accounts to avoid further impersonation, but Easterly said no decision has been made about plans to actively post there.
CISA did not respond to a request for further comment.
“The same challenges will exist for other officials and agencies too,” Brett Callow, threat analyst at Emsisoft, said via email.
While Facebook and Twitter’s verification systems weren’t perfect, they did make it harder for people to impersonate the owners of verified accounts, Callow said. “However, Twitter now has no real form of identity verification and nor does Mastodon, the platform to which many Twitter users are migrating.”
Bell acknowledged that Mastodon’s optional means for account owners to establish their identities is not as rigorous as Twitter’s previous verification process. To meet Mastodon’s identity verification requirements, users have to demonstrate control over a website they’re associated with.
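Mastodon’s link verification works by fetching the website listed in a profile and checking that the page contains a link back to the profile marked with rel="me". The following check is an added example, not code from the article or from Mastodon; it parses a constructed page and confirms whether the back-link is present, and the profile URLs it uses are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a website's HTML carrying a rel="me" back-link to a
# (hypothetical) Mastodon profile, plus an unrelated link that must not count.
SAMPLE_HTML = """<html><head>
<link rel="me" href="https://infosec.exchange/@example_user">
</head><body>
<a href="https://infosec.exchange/@someone_else" rel="nofollow">other</a>
</body></html>"""


class RelMeCollector(HTMLParser):
    """Collects href values of <a>/<link> elements whose rel tokens include 'me'."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        href = attr.get("href")
        if "me" in rel_tokens and href:
            self.links.append(href)


def normalize(url):
    """Compare scheme, host and path; host case-insensitively, trailing slash ignored."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))


def website_links_back(page_html, profile_url):
    """True iff page_html contains a rel="me" link that points at profile_url.

    Only links explicitly tagged rel="me" are accepted, so an ordinary
    mention of a profile URL on the page does not verify the account.
    """
    collector = RelMeCollector()
    collector.feed(page_html)
    target = normalize(profile_url)
    return any(normalize(href) == target for href in collector.links)
```

The same check can be run over the live HTML of the site an account claims, giving a quick way to confirm whether a "verified" link on a profile actually points back to that account.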
Mastodon administrators rely on the community to call out imposters and “they are quite good at it,” Bell said. “When we’re made aware, we work to quickly triage and take action.”
The accounts purportedly associated with CISA were reposting from other CISA social media accounts. “It highlights that someone could work to establish a sense of authority by benignly reposting things and then start replacing valid links or information with malicious ones,” Bell said.
The risk of impersonation on social media can only be solved with a standard form of verification that people can optionally use across all platforms, Callow said.
People aren’t fleeing Twitter for Mastodon and other platforms because they perceive there is less opportunity for impersonation, Bell said. “It is a lack of confidence in Twitter’s ability to govern itself and protect its users from abusive content, among other concerns.”
There are multiple instances of Mastodon that host hate speech, racism, extremist views and violence, but infosec.exchange, under Bell’s stewardship, disallows that behavior. It’s also right there in Bell’s profile: “Be nice to each other. We are only here for a brief time. Make it enjoyable.”