Brand Monitoring Alert Details
Alert ID: BRAND-OPENWEB-7842
Alert Time: 2024-02-09 11:30:45 EST
Severity: MEDIUM (68/100)
Source: ZeroFox Brand Protection Platform
Rule: “Impersonating Social Media Account Detected”
MITRE ATT&CK: T1593 – Search Open Websites/Domains
Alert Details:
Finding Type: Impersonation/Squatting Detection
Platform: Twitter/X
Account: @CompanySupport_US
Created: 2024-02-08
Followers: 47
Following: 12
Tweets: 8
Account Content:
– Profile Picture: Company logo (copied from website)
– Bio: “Official Customer Support for [Company Name]. DM for assistance.”
– Tweets:
1. “Having issues with your account? DM us for quick resolution!”
2. “Security alert: We’re seeing unusual activity. Verify your account: [link]”
3. “Password reset link: hxxp://company-support-verify[.]com”
4. “2FA not working? Contact us for immediate help.”
Linked Domains:
– company-support-verify[.]com (registered 2024-02-07)
– Registrar: Namecheap
– Hosting: 185.143.221[.]45
– Content: Fake login page mimicking company portal
Additional Findings:
– Similar accounts on Facebook (@CompanyHelpDesk) and Instagram (@Company_Care)
– Total 3 impersonation accounts across platforms
– All created within last 48 hours
– Pattern suggests coordinated phishing campaign
SOC Investigation Process
Step                     | Action                          | Tools Used                        | Findings
-------------------------|---------------------------------|-----------------------------------|------------------------------------
1. Alert Validation      | Verify impersonation accounts   | ZeroFox, Manual Review            | All 3 accounts confirmed fake
2. Takedown Requests     | Report to platforms             | Twitter/FB/IG Abuse Forms         | All accounts reported within 1 hour
3. Domain Takedown       | Report malicious domain         | Namecheap Abuse, Hosting Provider | Domain suspended by evening
4. Customer Notification | Alert customers about scam      | Social Media Posts, Email         | Warning posted on official channels
5. Internal Review       | Check for compromised customers | Support Tickets, Login Logs       | No confirmed compromises yet
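The internal-review and blocking steps (sweep login/proxy logs, block the IP and domain) need the alert's defanged indicators turned back into matchable values. The Python below is an added example, not part of the original report or of the ZeroFox platform: it refangs the two IoCs quoted in the alert and sweeps constructed DNS/proxy log lines for clients that resolved or fetched them; the log format and the client IPs are assumptions.

```python
import re

# Indicators copied from the alert, in the defanged form the report uses.
DEFANGED_IOCS = [
    "hxxp://company-support-verify[.]com",
    "185.143.221[.]45",
]

def refang(ioc):
    """Undo the hxxp:// and [.] defanging used in the alert."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.replace("[.]", "."))

def host_of(value):
    """Strip scheme, path and port from a URL or bare host/IP."""
    return re.sub(r"^https?://", "", value).split("/")[0].split(":")[0].lower()

# Assumed (constructed) log format: <timestamp> <client-ip> <dns|proxy> <destination>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|proxy) (?P<dest>\S+)$")

def find_exposed_clients(log_lines, iocs=DEFANGED_IOCS):
    """Map each client IP to the (timestamp, indicator) pairs where it resolved
    or fetched the campaign domain/IP; subdomains of the domain also count."""
    terms = {host_of(refang(i)) for i in iocs}
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        host = host_of(m.group("dest"))
        for term in terms:
            if host == term or host.endswith("." + term):
                hits.setdefault(m.group("src"), []).append((m.group("ts"), term))
    return hits

# Constructed sample DNS/proxy events for the sweep (not from the incident).
SAMPLE_LOGS = [
    "2024-02-09T10:02:11 10.20.4.17 dns company-support-verify.com",
    "2024-02-09T10:02:12 10.20.4.17 proxy https://company-support-verify.com/login",
    "2024-02-09T10:05:40 10.20.4.23 proxy https://www.example.org/",
    "2024-02-09T10:07:03 10.20.9.8 proxy http://185.143.221.45/verify",
    "2024-02-09T10:09:55 10.20.4.23 dns login.company-support-verify.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, events in sorted(find_exposed_clients(SAMPLE_LOGS).items()):
        print(client, events)
```

Clients returned by the sweep are the ones to cross-check against support tickets and forced password resets; the same refanged terms feed the firewall and DNS blocklist entries.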
Jira Incident Report
Ticket: SOC-2024-047
Summary: T1593 – Impersonation Campaign on Social Media
Status: RESOLVED
Resolution: PHISHING CAMPAIGN – Takedown Complete
Priority: P2 – MEDIUM
Labels: T1593, open-web, social-media, impersonation, brand-protection
Components: Brand-Security, Customer-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: ZeroFox Brand Protection Platform.
Alert: “Impersonating Social Media Account Detected”.
Platforms: Twitter, Facebook, Instagram.
Time: 2024-02-09 11:30 EST.
Technique: MITRE ATT&CK T1593 – Search Open Websites/Domains.
2. Technical Analysis:
Impersonation Details:
Twitter/X Account: @CompanySupport_US
Created: 2024-02-08
Followers: 47 (likely victims or bots)
Tweets: 8, all directing to phishing domain
Profile: Copied company branding
Facebook Page: CompanyHelpDesk
Created: 2024-02-08
Likes: 23
Posts: 5, similar support-themed phishing
Instagram Account: @Company_Care
Created: 2024-02-08
Followers: 31
Stories: 3 with phishing links
Infrastructure:
Domain: company-support-verify[.]com
Registrar: Namecheap (registered 2024-02-07)
Hosting IP: 185.143.221[.]45 (Bulgaria)
Content: Fake login page capturing credentials
SSL Certificate: Issued to “Company Support” (fraudulent)
Campaign Pattern:
All accounts created within 48-hour window
Coordinated messaging around “support” and “account issues”
Targets customers seeking help
Phishing domain mimics company login portal
3. Investigation Findings:
Timeline:
2024-02-07: Phishing domain registered
2024-02-08: All 3 social accounts created
2024-02-08 to 2024-02-09: Accounts begin posting
2024-02-09 11:30: ZeroFox detects and alerts
2024-02-09 12:00: Takedown requests submitted
2024-02-09 14:00: Twitter account suspended
2024-02-09 15:00: Facebook/Instagram removed
2024-02-09 18:00: Domain suspended by registrar
Impact Assessment:
No confirmed customer compromises yet
47 Twitter followers may have been exposed
Support tickets reviewed: no related complaints
4. Containment Actions:
Platform Takedowns (12:00-15:00 EST):
Twitter: Account reported and suspended within 2 hours.
Facebook: Page removed within 3 hours.
Instagram: Account removed within 3 hours.
Domain Takedown (12:00-18:00 EST):
Reported to Namecheap abuse.
Domain suspended by evening.
IP blocked at firewall and DNS.
Customer Notification:
Official company accounts posted warnings.
Email sent to customer base.
Support team briefed on handling related calls.
5. Root Cause Analysis:
Primary Cause: Attackers exploiting customer trust through impersonation.
Contributing Factors:
Easy to create fake accounts on social platforms.
Customers may not verify official channels.
Brand has large customer base (attractive target).
6. Business Impact:
Customer Trust: Potential erosion if customers fall victim.
Financial Impact: None confirmed.
Reputational Impact: MEDIUM – Impersonation undermines brand confidence.
7. Remediation & Prevention:
Completed Actions:
All impersonation accounts removed.
Phishing domain suspended.
Customers notified.
IP/domain added to blocklists.
Prevention Enhancements:
Expanded brand monitoring to additional platforms.
Created rapid takedown playbook.
Enhanced customer communication about official channels.
Implemented social media verification badges where possible.
8. Conclusion:
This incident involved a coordinated impersonation campaign targeting company customers through fake social media accounts. All accounts and associated phishing infrastructure have been taken down. Customer notifications and enhanced monitoring will help prevent future incidents.
Closure Rationale: Takedown complete; customers notified; monitoring enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 19:00 EST