Unravelling the Norton Scam – Chapter 2

Art is often considered the process or product of deliberately arranging elements in a way that appeals to the senses or emotions. OSINT is art and sometimes OSINT produces art.

This is the second chapter of a series of short blog posts covering the investigation of a massive online scam network. If you are a new reader, I would advise you start with the first chapter to understand the context of this project.

The Art of OSINT

This is big! So far, we have collected information on hundreds of different entities; including websites, names, phone numbers, email addresses and much more. When we started, relevant data was just dumped into a text file. We also used Hunchly during our collection and then realized we needed to structure the most important data and moved on to a spreadsheet. This worked for a while, until we felt the need to display links between entities in an easy and understandable way. A more visual approach was chosen, and Sector started what I call “The Art of OSINT”: a link chart.

Sector used Maltego for our case, but there are many alternatives you can use as well. I have grown fond of draw.io and others might use one of the various mind mapping apps and platforms. The idea behind link analysis in general is to evaluate relations and connections between entities. Link charts are the visualization of this data, which in many cases make it easier for an analyst to discover connections. Sometimes the connections are not direct, but indirect, linking entities to each other by a third-party individual.

Let us take a look at how link charts can be built from scratch. In the first chapter of our series, I posted a screenshot of one of the scam sites.

4

On here I already have multiple pieces of information that I can connect. A name, a postal address, a phone number and lastly an email address. Each of these is the starting point for further OSINT investigtions. We found that the email address was used to register the domain allbagmanufacturing(dot)com. This domain also lists an Indian phone number in the WHOIS data.

phone number register.png

It turns out, that the Indian phone number was also used to register the site roadrunneremailsupports(dot)com.

all links.png

In conclusion, both sites are likely connected. However, how do we know that this phone isn’t just a burner phone or a random phone number? More OSINT research is required to verify if the phone number is existent and who it belongs to. I also mentioned a little social engineering coming up, didn’t I? If you were hoping to read about this topic in the second chapter of our journey, I have to disappoint you. Rest assured, we have a nice story on social engineering in one of the later chapters. Now, let’s get back to our link analysis.

One piece of information leads to another and soon we find new leads and many connections between the entities. The chart itself has grown quite a bit in the meantime. At first glance, it will seem a bit chaotic. However, it is still easier to handle than relaying this information in a text-based form. For me, link charts have an artistic character. Each chart, whether built manually or automated, is one of a kind. Unique data, unique arrangements, all coming together to form a piece of modern art.

Modern Art.jpg

Put this on a large canvas, have Sector sign it and it would be something that could be found in the Guggenheim Museum of Modern Art. One day I plan to do exactly that. A vernissage on “The Art of OSINT”. Until then, let’s keep creating more masterpieces with our online investigations and link charts.

Sector035/Matthias Wilson – 04.08.2019

3 thoughts on “Unravelling the Norton Scam – Chapter 2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s