Phishing Page Creates Brand Management Emergency
Business Overview
True Citrus is a food & beverage company that sells “crystallized citrus.” Founded in 2003, True Citrus has created an innovative method of cold-pressing and crystallizing the juices and oils of citrus fruits. They make the fruit into a convenient, shelf-stable, dissolvable format that delivers fresh-squeezed taste for use in water, beverages and recipes.
Shoppers can purchase their products from the True Citrus online store or in over 25,000 major retailers nationwide such as Walmart, Target, Publix, Meijers, Kroger and Harris Teeter. Their marketing efforts revolve around a community of loyal consumers. These shoppers regularly purchase their products and share their love for citrus. Social media, especially their Facebook page, is the most efficient and effective method of engaging this community of customers.
True Citrus Searches for a Way to Remediate Facebook Phishing Scam
True Citrus relies on an active community of fans, and had just crossed the 80K follower mark on Facebook, a difficult milestone they had been working towards for months. On Tuesday, October 13th, the Digital Marketing Manager at True Citrus was going about her daily routine on social media. She was sharing recipes and usage tips and promoting their products when she received a direct message from a “Facebook agent.” The agent, named Mollie Burke, informed the Marketing Manager that there was suspicious activity within the True Citrus Facebook account (titled “True Lemon,” which is their most popular product) and that, as a necessary precaution, the Marketing Manager needed to update her account password.
Knowing True Citrus’ Facebook page was central to their marketing efforts, the Marketing Manager responded to the message. The fraudulent Facebook agent then asked the Marketing Manager to click a shortened link and update her account password. The link redirected to a phishing page that mimicked Facebook’s login page. Threat actors can auto-generate these pages in a matter of minutes using exploit toolkits, such as SET (Social Engineer Toolkit). The Marketing Manager entered her credentials and clicked submit.
Several minutes later, Facebook sent an email notification to the CMO, who was also an admin of the Facebook page. The notification informed her that she had been removed as an admin of the True Citrus page. Moments later, the Digital Marketing Manager received the same message. As they tried to access their page, it became clear what had happened. The profile picture, cover photo, page name, and description all began to change. The attackers renamed the page “True Video 4 Fun +18” and began disseminating malicious, clickbait links every 15 minutes. The precise intervals at which the account posted indicate that True Citrus was the victim of a command & control attack leveraging a social botnet.
ZeroFOX Works to Remediate Facebook Phishing Scam, Avoiding Days of Downtime and Follower Loss
The True Citrus team immediately began crisis remediation. They were referred to ZeroFOX and we immediately began investigating the situation. Because True Citrus was not a ZeroFOX customer at the time of the attack, we were unable to prevent the compromise. Had ZeroFOX been up and running beforehand, we would have alerted them about the suspicious account (due to bot connections and other malicious posts) or the phishing link in the direct message. However, ZeroFOX used our resources to provide a solution.
Once True Citrus contacted the ZeroFOX team, we leveraged our relationships with the social network to regain administrative access within 24 hours. ZeroFOX was able to reach out to those in charge of Facebook’s security group, Threat Exchange, and restore administrative access for the True Citrus CMO and Marketing Manager. Organizations of this size often struggle to regain access to their accounts, meaning an attacker can remain in control for days or weeks.
ZeroFOX’s relationships with the social networks saved True Citrus potentially days of downtime and tens of thousands of lost followers. Had ZeroFOX been monitoring from before the attack, True Citrus would have averted the crisis altogether. The True Citrus Facebook page would still boast over 80K followers. And there would have been no need for costly crisis remediation.
True Citrus Regains Control Over their Facebook Account
True Citrus was quick to regain control of their account, only 24 hours after the initial attack. Even so, they lost three thousand followers and had to issue an apology to their fans. The damage to their brand and customer loyalty is more difficult to quantify, but during the compromise they received countless calls and emails from angry and concerned customers. Of course, the damage would have been all the worse had they been slower to react.
We were really impressed by the platform and everything that it could do. We had no idea that things like this happened so frequently. ZeroFOX would have stopped [a malicious actor] from reaching out to me in the first place, so of course we wish we had this in place before the attack!
-Lindsey Paolucci, Digital Marketing Manager
After remediating the attack, ZeroFOX began continuous monitoring for other malicious actors or indicators of compromise. In addition, True Citrus began using the ZeroFOX platform to gather intelligence from social media. Within minutes of inputting protected entities to the platform, they identified a fraudulent True Citrus account. They immediately issued a takedown request and the account was removed.
Looking Forward to a Phishing-Free Future
The ZeroFOX platform prevents attacks such as these by identifying malicious accounts associated with both your brand and the people that manage your brand’s presence on social media. Had True Lemon been a ZeroFOX customer, the fake Facebook agent would have been flagged as a suspicious or malicious profile. And a takedown request would have been submitted to the social network. In addition, ZeroFOX monitors authenticated accounts for social engineering attacks or phishing links in direct messages.
Using machine learning URL analysis, ZeroFOX would have immediately triggered an alert on the shortened link sent to the Marketing Manager, helping to remediate the Facebook phishing scam. The ZeroFOX platform also helps organizations conduct investigations and collect critical intelligence. That way, organizations can identify and remediate business risks that thrive on social, such as brand impersonations, fake coupons and piracy.
Considering that we spend a lot of time online with our brand, we feel great knowing that if there is something else out there we can use this system to stop anything from happening again in the future.
-Lindsey Paolucci, Digital Marketing Manager