Brand Monitoring Alert Details
Alert ID: BRAND-FAKE-ACCOUNTS-7842
Alert Time: 2024-02-10 09:30:45 EST
Severity: MEDIUM (72/100)
Source: ZeroFox Brand Protection Platform
Rule: “Impersonation Account Detected – Executive Targeting”
MITRE ATT&CK: T1585 – Establish Accounts
Alert Details:
Finding: Fraudulent LinkedIn accounts impersonating company executives
Platform: LinkedIn
Accounts Detected: 3
Account 1: “Michael Chen” (Impersonating CFO)
– Profile URL: linkedin.com/in/michael-chen-cfo
– Created: 2024-02-08
– Headline: Chief Financial Officer at [Company Name]
– Connections: 127
– Activity: Connecting with finance employees, vendors
– Messages Sent: “Hi, I’m updating our vendor payment system. Can you confirm your banking details?”
Account 2: “Sarah Williams” (Impersonating HR Director)
– Profile URL: linkedin.com/in/sarah-williams-hr
– Created: 2024-02-08
– Headline: Director of Human Resources at [Company Name]
– Connections: 89
– Activity: Messaging employees about “benefits verification”
Account 3: “David Rodriguez” (Impersonating IT Director)
– Profile URL: linkedin.com/in/david-rodriguez-it
– Created: 2024-02-08
– Headline: Director of Information Technology at [Company Name]
– Connections: 56
– Activity: Offering “IT support” and requesting password resets
Common Characteristics:
– All created within a 48-hour window
– All use real executive names with slight variations
– Profile photos likely AI-generated or stolen
– All messaging employees with urgent requests
– None has a verified company email address
Threat Intelligence:
– Pattern matches business email compromise (BEC) preparation
– Attackers establishing fake identities to build trust
– Next stage likely financial fraud or credential theft
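The characteristics above are what a brand-monitoring rule actually keys on, so here is an added example (not ZeroFox output or vendor code) that turns them into triage logic: fuzzy-match the display name against an executive roster, check the headline for the company and title, penalise the missing verified email and the young account age, weight the request language in the direct messages, and cluster hits by creation time to spot a coordinated batch. The company name, the roster, and all four profiles are constructed sample data; the real company name is redacted on the page.

```python
"""Triage of brand-monitoring hits for executive impersonation (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher

COMPANY = "Acme Corp"  # assumed company name (redacted on the page)

# Assumed executive roster (display name, title) used for name matching.
EXECUTIVES = [
    ("Michael Chen", "Chief Financial Officer"),
    ("Sarah Williams", "Director of Human Resources"),
    ("David Rodriguez", "Director of Information Technology"),
]

# Request language typical of BEC pretexting, with a risk weight per phrase.
RISK_PHRASES = {
    "banking details": 30, "bank account": 30, "wire": 25, "payment": 15,
    "password": 30, "reset": 15, "verification": 20, "verify": 20,
    "urgent": 10, "immediately": 10, "end of day": 10,
}

# Component weights add up to 100: 25 + 10 + 10 + 10 + 15 + 30.
W_NAME, W_COMPANY, W_TITLE, W_UNVERIFIED, W_RECENT, W_MESSAGES = 25, 10, 10, 10, 15, 30


@dataclass
class Profile:
    handle: str
    name: str
    headline: str
    created: datetime
    verified_company_email: bool
    messages: list = field(default_factory=list)


def closest_executive(name, executives=EXECUTIVES, threshold=0.85):
    """Return ((exec_name, title), similarity) for the closest roster entry at or
    above the threshold, else None. Similarity catches 'slight variations'."""
    best = None
    for exec_name, title in executives:
        ratio = SequenceMatcher(None, name.lower(), exec_name.lower()).ratio()
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = ((exec_name, title), ratio)
    return best


def score_profile(p, now, company=COMPANY):
    """Return (score 0-100, reasons). Zero unless the name matches an executive."""
    match = closest_executive(p.name)
    if match is None:
        return 0, ["name does not match any executive"]
    (exec_name, title), ratio = match
    score = W_NAME
    reasons = [f"name matches executive {exec_name} (similarity {ratio:.2f})"]
    head = p.headline.lower()
    if company.lower() in head:
        score += W_COMPANY
        reasons.append("headline claims company affiliation")
    if title.lower() in head:
        score += W_TITLE
        reasons.append(f"headline claims title '{title}'")
    if not p.verified_company_email:
        score += W_UNVERIFIED
        reasons.append("no verified company email")
    age = now - p.created
    if age <= timedelta(days=30):
        score += W_RECENT
        reasons.append(f"account created {age.days} day(s) ago")
    hits = {ph for text in p.messages for ph in RISK_PHRASES if ph in text.lower()}
    if hits:
        score += min(W_MESSAGES, sum(RISK_PHRASES[h] for h in hits))
        reasons.append("high-risk request language: " + ", ".join(sorted(hits)))
    return score, reasons


def creation_clusters(profiles, window=timedelta(hours=48)):
    """Group handles whose creation times fall within `window` of the first account
    in the group; several hits in one window point to a single campaign."""
    clusters, current = [], []
    for p in sorted(profiles, key=lambda x: x.created):
        if current and p.created - current[0].created > window:
            clusters.append([q.handle for q in current])
            current = []
        current.append(p)
    if current:
        clusters.append([q.handle for q in current])
    return clusters


def triage(profiles, now, flag_at=70):
    """Return [(handle, score, reasons)] for hits scoring at least flag_at, highest first."""
    flagged = [(p.handle, *score_profile(p, now)) for p in profiles]
    return sorted([t for t in flagged if t[1] >= flag_at], key=lambda t: -t[1])


# Constructed sample hits: three impersonation accounts and one near-name
# account at another company that must not be flagged.
NOW = datetime(2024, 2, 10, 9, 30)
SAMPLE_HITS = [
    Profile("michael-chen-cfo", "Michael Chen", "Chief Financial Officer at Acme Corp",
            datetime(2024, 2, 8, 9, 15), False,
            ["Hi, I'm updating our vendor payment system. Can you confirm your banking details?"]),
    Profile("sarah-williams-hr", "Sarah Williams", "Director of Human Resources at Acme Corp",
            datetime(2024, 2, 8, 12, 40), False,
            ["Please complete your benefits verification at the link below."]),
    Profile("david-rodriguez-it", "David Rodriguez", "Director of Information Technology at Acme Corp",
            datetime(2024, 2, 8, 18, 5), False,
            ["IT support here. We need to reset your password today, please send your current one."]),
    Profile("michael-cheng-acct", "Michael Cheng", "Senior Accountant at Other Co",
            datetime(2019, 5, 1), False, []),
]

if __name__ == "__main__":
    for handle, score, reasons in triage(SAMPLE_HITS, NOW):
        print(f"{handle}: {score}\n  " + "\n  ".join(reasons))
    print("creation clusters:", creation_clusters(SAMPLE_HITS))
```

The near-name account still earns the name and unverified-email points (35), which is why the flag threshold sits well above those two signals alone: the discriminating evidence is the company headline, the account age and the request language, and a hit should be reviewed by a human before a takedown request goes out.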
SOC Investigation Process
Step 1: Alert Validation
– Action: Verify fake LinkedIn profiles
– Tools Used: ZeroFox, LinkedIn
– Findings: All 3 profiles confirmed fake
Step 2: Employee Notification
– Action: Alert employees about the scam
– Tools Used: Email, Teams, Slack
– Findings: All employees warned about the fake executive accounts
Step 3: Takedown Requests
– Action: Report the accounts to LinkedIn
– Tools Used: LinkedIn Abuse Form
– Findings: All 3 accounts reported
Step 4: Impact Assessment
– Action: Check whether employees engaged with the accounts
– Tools Used: Employee Interviews, Security Team
– Findings: 2 employees received messages but did not respond
Step 5: Monitoring
– Action: Watch for similar accounts
– Tools Used: ZeroFox, BrandWatch
– Findings: Enhanced monitoring implemented
Jira Incident Report
Ticket: SOC-2024-052
Summary: T1585 – Fake Executive Accounts Established on LinkedIn
Status: RESOLVED
Resolution: IMPERSONATION – Accounts Removed
Priority: P2 – MEDIUM
Labels: T1585, establish-accounts, impersonation, social-media, linkedin, bec
Components: Brand-Security, Executive-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ZeroFox Brand Protection Platform.
Alert: “Impersonation Account Detected – Executive Targeting”.
Platform: LinkedIn.
Accounts: 3 fake executive profiles.
Time: 2024-02-10 09:30 EST.
Technique: MITRE ATT&CK T1585 – Establish Accounts.
2. Technical Analysis:
Fake Account Details:
Account 1: “Michael Chen” (CFO Impersonation)
Targeting: Finance employees, vendors
Message: Requesting banking details for “vendor payment system update”
Connections: 127 (including 23 company employees)
Profile: Real CFO’s bio copied, likely AI-generated photo
Account 2: “Sarah Williams” (HR Director Impersonation)
Targeting: All employees
Message: “Benefits verification” link to phishing site
Connections: 89 (including 31 company employees)
Profile: Real HR Director’s details copied
Account 3: “David Rodriguez” (IT Director Impersonation)
Targeting: IT and general staff
Message: Offering “IT support” and requesting password resets
Connections: 56 (including 18 company employees)
Profile: Real IT Director’s bio copied
Common Patterns:
All created on 2024-02-08, roughly 48 hours before the alert
All using real executive names
Profile photos likely AI-generated
All sending direct messages with urgent requests
None verified with a company email address
TTP Analysis:
Preparation for Business Email Compromise (BEC)
Building trust through LinkedIn connections
Next stage: Financial fraud or credential theft
Targeting employees through trusted channels
3. Investigation Findings:
Timeline:
2024-02-08: All 3 fake accounts created
2024-02-08 to 2024-02-09: Accounts build connections
2024-02-09: Accounts begin messaging employees
2024-02-10 09:00: Employee reports suspicious message to IT
2024-02-10 09:30: ZeroFox detects and alerts
2024-02-10 09:45: SOC investigation begins
2024-02-10 10:00: Employee warning sent
2024-02-10 10:30: Takedown requests submitted
2024-02-10 14:00: All accounts removed by LinkedIn
Employee Engagement:
2 employees received messages but did not respond.
No credentials or sensitive information shared.
All affected employees identified and interviewed.
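Step 4 of the process (impact assessment) and the engagement findings above amount to a join between the fake accounts' connection lists, the DM export, and the employee directory. The following added example (not part of the original report or any vendor tool) performs that join: it marks which employees connected, who was messaged, who replied, and whether any reply disclosed account numbers, an IBAN or a password, then ranks the interview list by exposure. The directory, the company mail domain, the connection lists and the DM log are constructed sample data.

```python
"""Impact assessment for an executive-impersonation campaign (added example)."""
import re
from dataclasses import dataclass

EMPLOYEE_DOMAIN = "acme.example"  # assumed company mail domain

# Constructed directory: LinkedIn handle -> work email of known employees.
DIRECTORY = {
    "jane-doe": "jane.doe@acme.example",
    "tom-lee": "tom.lee@acme.example",
    "priya-n": "priya.n@acme.example",
}

FAKE_ACCOUNTS = ["michael-chen-cfo", "sarah-williams-hr", "david-rodriguez-it"]

# Constructed connection lists; "bob-vendor" is not in the directory.
CONNECTIONS = {
    "michael-chen-cfo": ["jane-doe", "tom-lee", "bob-vendor"],
    "sarah-williams-hr": ["priya-n", "tom-lee"],
    "david-rodriguez-it": ["tom-lee"],
}


@dataclass
class DM:
    sender: str
    recipient: str
    text: str


# Constructed DM export covering both directions.
DM_LOG = [
    DM("michael-chen-cfo", "jane-doe", "Can you confirm your banking details?"),
    DM("sarah-williams-hr", "tom-lee", "Please complete your benefits verification at the link below."),
    DM("tom-lee", "sarah-williams-hr", "Is this legit? I'll check with HR first."),
    DM("david-rodriguez-it", "tom-lee", "We need to reset your password today."),
]

# Patterns that turn 'replied' into 'disclosed data'.
SENSITIVE = [
    (re.compile(r"\b\d{8,17}\b"), "account-number-like digits"),
    (re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), "IBAN-like string"),
    (re.compile(r"\bpassword\b.{0,20}?[:=]", re.I), "password disclosure"),
]


def is_employee(handle):
    return DIRECTORY.get(handle, "").endswith("@" + EMPLOYEE_DOMAIN)


def find_sensitive(text):
    return [label for pat, label in SENSITIVE if pat.search(text)]


def assess(fake_accounts=FAKE_ACCOUNTS, connections=CONNECTIONS, dm_log=DM_LOG):
    """Per employee: fake accounts they connected to, were messaged by, replied to,
    and sensitive-data labels found in their replies."""
    report = {}

    def entry(handle):
        return report.setdefault(handle, {"connected": set(), "messaged": set(),
                                          "replied": set(), "disclosed": []})

    for fake in fake_accounts:
        for handle in connections.get(fake, []):
            if is_employee(handle):
                entry(handle)["connected"].add(fake)
    for m in dm_log:
        if m.sender in fake_accounts and is_employee(m.recipient):
            entry(m.recipient)["messaged"].add(m.sender)
        elif m.recipient in fake_accounts and is_employee(m.sender):
            e = entry(m.sender)
            e["replied"].add(m.recipient)
            e["disclosed"].extend(find_sensitive(m.text))
    return report


def interview_list(report):
    """Employees who were messaged or replied, most exposed first."""
    def rank(item):
        handle, e = item
        return (-len(e["disclosed"]), -len(e["replied"]), -len(e["messaged"]), handle)
    return [h for h, e in sorted(report.items(), key=rank) if e["messaged"] or e["replied"]]


def summary(report):
    return {key: sum(1 for e in report.values() if e[key])
            for key in ("connected", "messaged", "replied", "disclosed")}


if __name__ == "__main__":
    rep = assess()
    print(summary(rep))
    print("interview:", interview_list(rep))
```

Connections alone are not engagement: an employee who accepted a request but never received a message is in the exposure count but not on the interview list, which is the distinction behind "2 employees received messages but did not respond".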
4. Containment Actions:
Immediate Actions (09:45-10:30 EST):
Sent company-wide alert about fake executive accounts.
Instructed employees to block and report suspicious messages.
Submitted takedown requests to LinkedIn.
Real executives posted warnings on their genuine accounts.
Takedown Results:
All 3 accounts removed by LinkedIn within 4 hours.
LinkedIn confirmed violations of impersonation policy.
5. Root Cause Analysis:
Primary Cause: External threat actors created fake identities to establish trust with employees before making fraudulent requests.
Contributing Factors:
Creating a LinkedIn profile requires no proof of identity, so an executive’s public bio and photo are enough to build a convincing copy.
Employees are unlikely to question a connection request or message that appears to come from an executive.
Urgent requests can bypass normal security skepticism.
6. Business Impact:
Operational Impact: Minimal (2 employees contacted, no compromise).
Reputational Impact: None; exposure would have arisen only if employees or vendors had acted on the requests.
Financial Impact: None.
7. Remediation & Prevention:
Completed Actions:
All fake accounts removed.
Employees warned and educated.
Real executives posted warnings.
Prevention Enhancements:
Enhanced ZeroFox monitoring for executive impersonation.
Created executive protection playbook.
Implemented LinkedIn verification badges for executives.
Added impersonation awareness to security training.
8. Conclusion:
This incident involved threat actors establishing three fake LinkedIn accounts impersonating company executives and using them to send employees urgent financial and credential requests. An employee report at 09:00 and the ZeroFox alert at 09:30 led to a company-wide warning and takedown requests within the hour, and LinkedIn removed all three accounts within four hours. The two employees who were contacted did not respond, so no credentials, banking details or funds were exposed.
Closure Rationale: Accounts removed; employees warned; no compromise.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-10 15:00 EST