BLOG

Executives Targeted with Account Hack, Impersonations and Other Social Media Security Threats

Recent posts made by takeover of executive, celebrity and corporate accounts that hyped a cryptocurrency scam targeting their large followings have proven once again how crucial it is to protect your cyber footprint with a robust social media security plan in our digital-first world.  Account takeover (ATOs) (see also: account hack) and impersonations are commonplace and are used to wreak havoc on unsuspecting targets — your fans, customers and employees — all while damaging your brand and reputation.  And they’re on the rise. During the first half 2020, ZeroFOX saw a 95% increase in executive/VIP-related threat activity over the prior six month period, totaling over 1.2M incidents for over 7,000 executives ZeroFOX protects. Nearly 40% of the alert volume generated resulted in some form of immediate action including automatic content remediation or a takedown. ATOs can be prevented, and the harm that comes from them mitigated, with good practice and a little precaution.  

The Challenge

Social media accounts are often taken over and used for scams such as the recent crypto giveaway scams. A crypto giveaway is a scam where people are enticed with a high payout of cryptocurrency if they invest a small amount of bitcoin into the target address. This is typically done by impersonators and coordinated behaviors from other accounts claiming that they received bitcoin. Once the money is sent, the scammers flee with the money and never pay out for their entries. 

ZeroFOX Alpha Team has seen this on a number of social media platforms, and it usually involves a hacked account or an impersonator. Hacked accounts are typically the result of a credential stuffing attack – where victim passwords are obtained via buying data breaches on the dark web. Attackers use old passwords to gain access. It appears this was the case for this supposed administrator, but has not been confirmed.  Administrators too often inadvertently post credentials where they don’t belong – within easy public access.

Account impersonations are an even bigger problem.  For instance, VIPs such as celebrities often have several imposter accounts, some with followers in the tens of thousands.  Oprah Winfrey was reported at one time to have 7 active imposter accounts with large fan bases (see Find the Fake).   Most enterprise CEOs have significant followings as well and are impersonated to do everything from phishing employees, conducting BEC attacks to scamming customers.  Corporations and their executives often think they are safe from impersonations that more frequently target high-profile celebrities when in actuality brand and executive impersonations are incredibly common and can be much more detrimental than their celebrity counterparts.  In a prior year period, ZeroFOX saw an over 300% increase in fake accounts impersonating customers’ top executives and VIPs.

Chaos Creates Opportunity…..for the Bad Guys

Executive threat activity grew markedly in April 2020, and then again in June 2020, as Covid-related quarantine and remote work had many feeling disrupted, unaccustomed to new work habits and perhaps a bit less guarded in their digital communications.  Attackers clearly realized and exploited the opportunity such chaos creates.  And attackers know how to diversify; while more trafficked social networks such as Facebook, Twitter and Instagram naturally comprise the majority of alert volume, there are significant portions within surface web sites, forums and news sites, blogs, and the dark web.  No industry is immune either, however attackers seem to favor lucrative, target-rich industries such as Finance, Media and Entertainment, and Retail.

Figure 1: Year to date Alert Volume by Month for Executive Entities across Social Media Data Sources (Source: ZeroFOX).

Corporate social media account takeover attempts occur nearly 30 times per year on average for every institution (nearly 3 per month). Additionally, on average 4 credential compromises (of which 2.3 originate from breach databases) occur per executive annually, which often lead to takeover or impersonation. For example, each FinServ organization has on average 30 targeted executives.  Read more about this in our Financial Services Digital Threat Report.

The Costs of Account Takeover

The recent account hijacking scam that affected social accounts for highly influential figures, including celebrities, politicians and business owners, has revealed one major theme: No one is exempt from malicious activity. While we may not be able to control if a malicious actor chooses a specific account to victimize, we can prioritize efforts that minimize costly impacts of a hack. 

When it comes to examining the impact of a social media breach, response speed is a critical factor. Larger enterprises and influential figures are a ripe target for malicious actors as they can reach thousands of followers with a single post. Popular brands may have millions of followers.  Using cybervandalism and pivoting tactics, they hijack influential accounts to share negative statements, promote phishing links or, in this recent case, obtain immediate bitcoin payments. The account owners that have the proper security measures in place to immediately address those threats will suffer the least amount of impact, compared to those that are unprepared to tackle the challenge. Learn more in our blog post, “What is the Impact of a Social Media Account Hijacking?

Recommendations for Protecting your VIP/Executives from Account Hack

For authenticated and owned accounts (personal or corporate), inappropriate content can be deleted before it ever becomes public – this may include PII, credentials, IP, customer data, and more.  Offensive language can be removed and malicious links or attachments deleted.  This avoids further remediation or any reputational harm altogether.

For impersonating accounts outside your direct control, timely awareness and response is key to mitigating damage.  Early warning of attempted ATO’s or of physical threats to executives, awareness of attack planning via dark web chatter, advertisement of breached data or stolen credentials, all provide real-time situational awareness based on indicators that allow organizations to take quick remediation actions.  Actions can range from an account freeze to takedown of impersonating infrastructure, depending on severity and ToCs violation.  Doing so quickly, with efficiency and effectiveness, can prevent damages and encourage attackers to move to softer targets.

The following recommendations are helpful to any organization big or small ;

  1. Institute awareness training (to protect both your personal brand and organization reputation)
  2. Continuously monitor for fake accounts (and domains!) and take immediate action to remove them before they can harm
  3. Routinely monitor public accounts (Pastebin or GitHub, for example) to avoid inadvertent sharing of credentials, IP or customer data 
  4. Watch attacker forums (on dark web and elsewhere) for chatter on sale of passwords, credentials or planned attacks
  5. Harden owned account settings to lock down if PoC, image, ownership, or other aspects change.
  6. Implement Digital Risk Protection for your executives and VIPs

Summary 

From high-profile executives to small business CEOs, impersonations and account takeover on social media can negatively affect reputation, brand loyalty and customer and employee trust. Bad actors pretending to be your execs often target employees with spear phishing attempts and spread slanderous messages and offensive content. Organizations must make a concerted effort to protect executives from fraudulent profiles in order to protect not only the executive, but the entire business.

Have questions about digital risk protection?

Stay Informed

Best practices, the latest research, and breaking news, delivered right to your inbox.