All roads lead to Rome. Or in our case to the Indian city of Noida and a certain phone number we found when we used Google Drive API and RiskIQ to generate more leads in our investigations of the Norton scam.
Chapter 1 – It all starts with a bad sock puppet
Chapter 2 – The Art of OSINT
Chapter 3 – What’s the big deal? And who’s to blame?
Chapter 4 – The more, the better
Chapter 5 – Mistakes on social media
Chapter 6 – Tracing ownership
In the previous articles we have shown you how we identified a possible scammer, visualized connections, contacted scammers and how they are using SEO to boost the ranking of their websites within search results. In this article, we explain how we used several tools and techniques to connect the different domains and information, ultimately leading to a single person that sits in the middle of the web like a spider. Is it Baljeet, who was mentioned in the previous chapter? Or are there more people working on this scam?
To answer that question, we went back to the beginning of our investigations and revisited the URL where it all started, the “nortonhelpus[dot]com” site. The website is not just a page that displays the scam phone number, it also contains a link that leads to a subdomain: “activate.nortonhelpus[dot]com”. Here we found two separate links to Norton software placed on a Google Drive.
The person uploadeding this was apparently “Nancy Wilson”, coincidentally the same name as the person who registered the domain name “nortonhelpus[dot]com”. With a common name like this, there wasn’t a lot we could do. We needed to find out what email address was connected to the Google account used, and who was in control of it.
The email within the Whois information for “nortonhelpus[dot]com” was “email@example.com”, and to see whether this was the same email address used to upload the files, we had to find out who the actual owner of the Google Drive was. There are two ways of retrieving that kind of information. The first one involves using Firefox and opening up the Developer mode by pressing F12 after loading the page and then clicking on the Inspector. We searched for “@gmail.com” and were presented with a few options. While going over these options, we found the email address of the user hidden somewhere in the source code of the page
If the owner’s email address cannot be found in the source code of the site, there is another way to move forward: the official Google Drive API. While using the older v2 version instead of the newer and currently active API v3, we were be able to retrieve information on the owner of said Google Drive, including an email address. The specific endpoint we needed to query was “drive.files.get”. After creating a developer account and a temporary project, and by using the online test form (https://developers.google.com/apis-explorer/#p/drive/v2/drive.files.get), we were able to query the endpoint and retrieve all the metadata of the uploaded files. The email address of “Nancy Wilson”, who we know is a fake persona.
Using the following command on the Google drive we were investigating, it pulls the results shown below.
Finding the email address “firstname.lastname@example.org” gave us a new entry to start searching online for any information that could lead to the person behind the website. For this we turned to RiskIQ, where we used the PassiveTotal platform to query their massive data set of historical Whois information. Within RiskIQ you have the option to search on domain names, but also on email addresses or phone numbers that are inside the Whois registration information, which makes it extremely suitable to trace scammers via domain registration. When searching for the email address we sadly found out that only one domain was registered, the domain “amazing-wash[dot]com”. It appeared to be registered in India by a person called “Ramesh Kumar”, according to the Whois information he was living in Noida and with all this information we found a new phone number.
Though we hoped to find more domain names with our initial query, we simply pivoted on this phone number within RiskIQ for more mentions of it. And that is when we hit the jackpot.
There were more than a dozen domains connected to this single phone number. Even though we already found multiple domain names by searching for websites mentioning the phone number +1-844-947-4746 or using the address in East Peoria, all this information was connected via Whois information through a single phone number that had direct leads to the person placing the files on Google Drive. It was time to pivot again, this time on each and every phone number and email address that we found in the Whois information of all the domains. Upon finding new information, we retrieved related new domains too and so on and so forth. By using RiskIQ, manual Whois queries and going over the content of the websites, we were massively expanding the list of entities in our investigation. Starting with about 100 entities after our initial Google searches and manual labor, to well over 200 items by using the information within RiskIQ! This is how we ended up with a very large cluster of websites, fake aliases and email addresses, a bunch of new phone numbers, all circling around a person called “Ramesh Kumar”. The person with the phone number that connects more than 75% of all the collected data in this investigation in a direct or indirect way.
Of course, we couldn’t resist and tried to call Ramesh on the phone number we had discovered. After these calls, everything made total sense and we pretty much figured out how this whole network of scammers works. Stay tuned for the grand finale!
Sector035/Matthias Wilson – 18.08.2019