Brand Monitoring Alert Details
Alert ID: BRAND-OPENWEB-7842
Alert Time: 2024-02-09 11:30:45 EST
Severity: MEDIUM (68/100)
Source: ZeroFox Brand Protection Platform
Rule: “Impersonating Social Media Account Detected”
MITRE ATT&CK: T1593 – Search Open Websites/Domains
Alert Details:
Finding Type: Impersonation/Squatting Detection
Platform: Twitter/X
Account: @CompanySupport_US
Created: 2024-02-08
Followers: 47
Following: 12
Tweets: 8
Account Content:
– Profile Picture: Company logo (copied from website)
– Bio: “Official Customer Support for [Company Name]. DM for assistance.”
– Tweets:
1. “Having issues with your account? DM us for quick resolution!”
2. “Security alert: We’re seeing unusual activity. Verify your account: [link]”
3. “Password reset link: hxxp://company-support-verify[.]com”
4. “2FA not working? Contact us for immediate help.”
Linked Domains:
– company-support-verify[.]com (registered 2024-02-07)
– Registrar: Namecheap
– Hosting: 185.143.221[.]45
– Content: Fake login page mimicking company portal
Additional Findings:
– Similar accounts on Facebook (@CompanyHelpDesk) and Instagram (@Company_Care)
– Total 3 impersonation accounts across platforms
– All created within last 48 hours
– Pattern suggests coordinated phishing campaign
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify impersonation accounts | ZeroFox, Manual Review | All 3 accounts confirmed fake |
| 2. Takedown Requests | Report to platforms | Twitter/FB/IG Abuse Forms | All accounts reported within 1 hour |
| 3. Domain Takedown | Report malicious domain | Namecheap Abuse, Hosting Provider | Domain suspended by evening |
| 4. Customer Notification | Alert customers about scam | Social Media Posts, Email | Warning posted on official channels |
| 5. Internal Review | Check for compromised customers | Support Tickets, Login Logs | No confirmed compromises yet |
Jira Incident Report
Ticket: SOC-2024-047
Summary: T1593 – Impersonation Campaign on Social Media
Status: RESOLVED
Resolution: PHISHING CAMPAIGN – Takedown Complete
Priority: P2 – MEDIUM
Labels: T1593, open-web, social-media, impersonation, brand-protection
Components: Brand-Security, Customer-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: ZeroFox Brand Protection Platform.
- Alert: “Impersonating Social Media Account Detected”.
- Platforms: Twitter, Facebook, Instagram.
- Time: 2024-02-09 11:30 EST.
- Technique: MITRE ATT&CK T1593 – Search Open Websites/Domains.
2. Technical Analysis:
- Impersonation Details:
  Twitter/X Account: @CompanySupport_US
    - Created: 2024-02-08
    - Followers: 47 (likely victims or bots)
    - Tweets: 8, all directing to phishing domain
    - Profile: Copied company branding
  Facebook Page: CompanyHelpDesk
    - Created: 2024-02-08
    - Likes: 23
    - Posts: 5, similar support-themed phishing
  Instagram Account: @Company_Care
    - Created: 2024-02-08
    - Followers: 31
    - Stories: 3 with phishing links
- Infrastructure:
- Domain: company-support-verify[.]com
- Registrar: Namecheap (registered 2024-02-07)
- Hosting IP: 185.143.221[.]45 (Bulgaria)
- Content: Fake login page capturing credentials
- SSL Certificate: Issued to “Company Support” (fraudulent)
- Campaign Pattern:
- All accounts created within 48-hour window
- Coordinated messaging around “support” and “account issues”
- Targets customers seeking help
- Phishing domain mimics company login portal
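The campaign pattern above can be turned into a triage score so that similar findings are ranked before manual review. The following is an added example, not ZeroFox logic or the company's own tooling; the field names and weights are assumptions, and the sample findings are constructed from the alert values in this report.

```python
from dataclasses import dataclass, field
from datetime import date
import re

# Assumed indicator vocabulary; weights below are illustrative, not a vendor's.
SUPPORT_WORDS = ("support", "help", "care", "verify", "reset")
LURES = re.compile(r"\b(verify|reset|unusual activity|immediate|2fa)\b", re.I)

@dataclass
class Finding:
    handle: str
    bio: str
    created: date
    posts: list[str]
    verified: bool = False
    linked_domains: dict[str, date] = field(default_factory=dict)  # domain -> registered

def _norm(s: str) -> str:
    """Drop case and separators so "Company_Support-US" and "company[.]com" compare."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def score_finding(f: Finding, brand: str, today: date) -> tuple[int, list[str]]:
    """Return (score 0-100, reasons); each indicator mirrors the campaign pattern."""
    b, score, reasons = _norm(brand), 0, []
    if b in _norm(f.handle) and not f.verified:
        score += 25; reasons.append("brand name in unverified handle")
    if any(w in f.handle.lower() for w in SUPPORT_WORDS):
        score += 15; reasons.append("support-themed handle")
    if (today - f.created).days <= 2:
        score += 20; reasons.append("account created within 48h")
    if "official" in f.bio.lower() and not f.verified:
        score += 10; reasons.append("claims official status while unverified")
    if any(LURES.search(p) for p in f.posts):
        score += 10; reasons.append("credential/urgency lures in posts")
    for dom, registered in f.linked_domains.items():
        if b in _norm(dom) and (today - registered).days <= 7:
            score += 20; reasons.append(f"links to newly registered lookalike {dom}")
    return min(score, 100), reasons

def demo() -> dict[str, tuple[int, list[str]]]:
    """Constructed samples: the alert's account beside a verified official account."""
    today = date(2024, 2, 9)
    fake = Finding("@CompanySupport_US", "Official Customer Support for [Company Name]. DM for assistance.",
                   date(2024, 2, 8), ["Security alert: We're seeing unusual activity. Verify your account: [link]",
                                      "2FA not working? Contact us for immediate help."],
                   linked_domains={"company-support-verify[.]com": date(2024, 2, 7)})
    real = Finding("@Company", "Official account of Company.", date(2015, 6, 1),
                   ["Release notes for this month are up."], verified=True,
                   linked_domains={"company[.]com": date(2005, 1, 1)})
    return {f.handle: score_finding(f, "Company", today) for f in (fake, real)}

if __name__ == "__main__":
    for handle, (score, reasons) in demo().items():
        print(f"{handle}: {score} {reasons}")
```

A score near 100 reproduces every indicator the report lists for this campaign, while the verified, long-lived official account scores 0 even though it carries the brand name and the word "official".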
3. Investigation Findings:
- Timeline:
  - 2024-02-07: Phishing domain registered
  - 2024-02-08: All 3 social accounts created
  - 2024-02-08 to 2024-02-09: Accounts begin posting
  - 2024-02-09 11:30: ZeroFox detects and alerts
  - 2024-02-09 12:00: Takedown requests submitted
  - 2024-02-09 14:00: Twitter account suspended
  - 2024-02-09 15:00: Facebook/Instagram removed
  - 2024-02-09 18:00: Domain suspended by registrar
- Impact Assessment:
- No confirmed customer compromises yet
- 47 Twitter followers may have been exposed
- Support tickets reviewed: no related complaints
4. Containment Actions:
- Platform Takedowns (12:00-15:00 EST):
- Twitter: Account reported and suspended within 2 hours.
- Facebook: Page removed within 3 hours.
- Instagram: Account removed within 3 hours.
- Domain Takedown (12:00-18:00 EST):
- Reported to Namecheap abuse.
- Domain suspended by evening.
- IP blocked at firewall and DNS.
- Customer Notification:
- Official company accounts posted warnings.
- Email sent to customer base.
- Support team briefed on handling related calls.
5. Root Cause Analysis:
- Primary Cause: Attackers exploiting customer trust through impersonation.
- Contributing Factors:
- Easy to create fake accounts on social platforms.
- Customers may not verify official channels.
- Brand has large customer base (attractive target).
6. Business Impact:
- Customer Trust: Potential erosion if customers fall victim.
- Financial Impact: None confirmed.
- Reputational Impact: MEDIUM – Impersonation undermines brand confidence.
7. Remediation & Prevention:
- Completed Actions:
  - All impersonation accounts removed.
  - Phishing domain suspended.
  - Customers notified.
  - IP/domain added to blocklists.
- Prevention Enhancements:
  - Expanded brand monitoring to additional platforms.
  - Created rapid takedown playbook.
  - Enhanced customer communication about official channels.
  - Implemented social media verification badges where possible.
8. Conclusion:
This incident involved a coordinated impersonation campaign targeting company customers through fake social media accounts. All accounts and associated phishing infrastructure have been taken down. Customer notifications and enhanced monitoring will help prevent future incidents.
Closure Rationale: Takedown complete; customers notified; monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 19:00 EST