| ID | Name |
|---|---|
| T1585.001 | Social Media Accounts |
| T1585.002 | Email Accounts |
Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.[1][2]
For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.
Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.[1][2] These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).
| ID | Name | Description |
|---|---|---|
| G0050 | APT32 |
APT32 has set up Facebook pages in tandem with fake websites.[3] |
| G0003 | Cleaver |
Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections.[4] |
| G0117 | Fox Kitten |
Fox Kitten has used a Twitter account to communicate with ransomware victims.[5] |
| G0065 | Leviathan |
Leviathan has created new social media accounts for targeting efforts.[6] |
| G0059 | Magic Hound |
Magic Hound has created fake LinkedIn and other social media accounts to contact targets and convince them--through messages and voice communications--to open malicious links.[7] |
| G0034 | Sandworm Team |
Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.[8] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
| DS0021 | Persona | Social Media |
Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: Spearphishing via Service).