Brand Monitoring Alert Details
Alert ID: BRAND-FAKE-ACCOUNTS-7842
Alert Time: 2024-02-10 09:30:45 EST
Severity: MEDIUM (72/100)
Source: ZeroFox Brand Protection Platform
Rule: “Impersonation Account Detected – Executive Targeting”
MITRE ATT&CK: T1585 – Establish Accounts
Alert Details:
Finding: Fraudulent LinkedIn accounts impersonating company executives
Platform: LinkedIn
Accounts Detected: 3
Account 1: “Michael Chen” (Impersonating CFO)
– Profile URL: linkedin.com/in/michael-chen-cfo
– Created: 2024-02-08
– Headline: Chief Financial Officer at [Company Name]
– Connections: 127
– Activity: Connecting with finance employees, vendors
– Messages Sent: “Hi, I’m updating our vendor payment system. Can you confirm your banking details?”
Account 2: “Sarah Williams” (Impersonating HR Director)
– Profile URL: linkedin.com/in/sarah-williams-hr
– Created: 2024-02-08
– Headline: Director of Human Resources at [Company Name]
– Connections: 89
– Activity: Messaging employees about “benefits verification”
Account 3: “David Rodriguez” (Impersonating IT Director)
– Profile URL: linkedin.com/in/david-rodriguez-it
– Created: 2024-02-08
– Headline: Director of Information Technology at [Company Name]
– Connections: 56
– Activity: Offering “IT support” and requesting password resets
Common Characteristics:
– All created within 48-hour window
– All use real executive names with slight variations
– Profile photos likely AI-generated or stolen
– All messaging employees with urgent requests
– No official company email addresses verified
Threat Intelligence:
– Pattern matches business email compromise (BEC) preparation
– Attackers establishing fake identities to build trust
– Next stage likely financial fraud or credential theft
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify fake LinkedIn profiles | ZeroFox, LinkedIn | All 3 profiles confirmed fake |
| 2. Employee Notification | Alert employees about scam | Email, Teams, Slack | All employees warned about fake executive accounts |
| 3. Takedown Requests | Report to LinkedIn | LinkedIn Abuse Form | All 3 accounts reported |
| 4. Impact Assessment | Check if employees engaged | Employee Interviews, Security Team | 2 employees received messages but did not respond |
| 5. Monitoring | Watch for similar accounts | ZeroFox, BrandWatch | Enhanced monitoring implemented |
Jira Incident Report
Ticket: SOC-2024-052
Summary: T1585 – Fake Executive Accounts Established on LinkedIn
Status: RESOLVED
Resolution: IMPERSONATION – Accounts Removed
Priority: P2 – MEDIUM
Labels: T1585, establish-accounts, impersonation, social-media, linkedin, bec
Components: Brand-Security, Executive-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: ZeroFox Brand Protection Platform.
- Alert: “Impersonation Account Detected – Executive Targeting”.
- Platform: LinkedIn.
- Accounts: 3 fake executive profiles.
- Time: 2024-02-10 09:30 EST.
- Technique: MITRE ATT&CK T1585 – Establish Accounts.
2. Technical Analysis:
- Fake Account Details:
Account 1: “Michael Chen” (CFO Impersonation)
- Targeting: Finance employees, vendors
- Message: Requesting banking details for “vendor payment system update”
- Connections: 127 (including 23 company employees)
- Profile: Real CFO’s bio copied, AI-generated photo
Account 2: “Sarah Williams” (HR Director Impersonation)
- Targeting: All employees
- Message: “Benefits verification” link to phishing site
- Connections: 89 (including 31 company employees)
- Profile: Real HR Director’s details copied
Account 3: “David Rodriguez” (IT Director Impersonation)
- Targeting: IT and general staff
- Message: Offering “IT support” and requesting password resets
- Connections: 56 (including 18 company employees)
- Profile: Real IT Director’s bio copied
- Common Patterns:
- All created 2024-02-08 (48-hour window)
- All using real executive names
- Profile photos likely AI-generated
- All sending direct messages with urgent requests
- None verified with company email
- TTP Analysis:
- Preparation for Business Email Compromise (BEC)
- Building trust through LinkedIn connections
- Next stage: Financial fraud or credential theft
- Targeting employees through trusted channels
3. Investigation Findings:
- Timeline:
2024-02-08: All 3 fake accounts created
2024-02-08 to 2024-02-09: Accounts build connections
2024-02-09: Accounts begin messaging employees
2024-02-10 09:00: Employee reports suspicious message to IT
2024-02-10 09:30: ZeroFox detects and alerts
2024-02-10 09:45: SOC investigation begins
2024-02-10 10:00: Employee warning sent
2024-02-10 10:30: Takedown requests submitted
2024-02-10 14:00: All accounts removed by LinkedIn
- Employee Engagement:
- 2 employees received messages but did not respond.
- No credentials or sensitive information shared.
- All affected employees identified and interviewed.
4. Containment Actions:
- Immediate Actions (09:45-10:30 EST):
- Sent company-wide alert about fake executive accounts.
- Instructed employees to block and report suspicious messages.
- Submitted takedown requests to LinkedIn.
- Real executives posted warnings on their genuine accounts.
- Takedown Results:
- All 3 accounts removed by LinkedIn within 4 hours.
- LinkedIn confirmed violations of impersonation policy.
5. Root Cause Analysis:
- Primary Cause: Attackers creating fake identities to establish trust with employees.
- Contributing Factors:
- LinkedIn allows easy creation of fake profiles.
- Employees may not verify connection requests from executives.
- Urgent requests can bypass normal security skepticism.
6. Business Impact:
- Operational Impact: Minimal (2 employees contacted, no compromise).
- Reputational Impact: Potential if employees fell victim (none).
- Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
All fake accounts removed.
Employees warned and educated.
Real executives posted warnings.
Prevention Enhancements:
Enhanced ZeroFox monitoring for executive impersonation.
Created executive protection playbook.
Implemented LinkedIn verification badges for executives.
Added impersonation awareness to security training.
8. Conclusion:
This incident involved threat actors establishing fake LinkedIn accounts impersonating company executives. The accounts were used to message employees with fraudulent requests. Rapid detection and employee warnings prevented any compromise.
Closure Rationale: Accounts removed; employees warned; no compromise.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 15:00 EST