The Impact of OSINT on Christmas

Proper intelligence is vital to prepare military and law enforcement operations or to provide information to political and business leadership prior to decision making. However, these are not the only people relying on good intelligence to get the job done. I had the honor of interviewing a very special person on his views of intelligence and how his organization utilizes it for one of the most challenging tasks known to mankind.

Sir, it is such an honor to have you here. Tell us a little about yourself. What exactly is your job and how does it involve intelligence work?

I go by many names, but please just call me Santa. I am in charge of a large organization tasked with bringing joy and fun to children worldwide on Christmas Eve. While I’m pretty sure you all know what I do during the Christmas night, not many people know what happens prior to this.

My organization and I have roughly 24 hours to deliver presents to children who deserve them. In order to accomplish this, a lot of planning is necessary and this planning is based on the information I receive from an intelligence agency within my organization. In Santa’s Secret Service, or S3, we mainly conduct GEOINT along with OSINT to make sure everything runs smooth on that one special night. Oh, and don’t confuse us with the Amazon web service.

Santa, while most of my readers are acquainted with terms such as GEOINT and OSINT, could you please explain what they are and possibly provide a use case from your organization.

Sure. I only have a limited timeframe to make sure I deliver everything to the right address. The route I take has to be carefully planned. The number of children on this world is steadily growing, more deliveries leave less room for mistkes. Even though my sleigh travels at an incredible speed…

How fast and how does that work?

I’m afraid that is classified. In order to properly plan the route, I rely on precise satellite imagery and maps. Imagery and maps from search engine providers are not up to date and commercial satellite imagery is not detailed enough. Keep in mind, my team has to figure out the best way into a chimney. We need a resolution of less than 0.3m to do so. Before Christmas, my sleigh is outfitted with an ultra high resolution imaging system and flies several sorties. While the actual collection of the imagery does not take that long, creating maps and the final route based on this is a bit more time-consuming. The whole process I just described is referred to as geospatial intelligence, or GEOINT.

Wow, that alone is probably a large amount of data collected each year. How do you process such massive amounts of data?

We have our own server infrastructure at S3. Located in vicinity of the North Pole, our energy consumption is lower than usual, because we have a natural cooling system.

What happens after you have mapped the world?

I forgot to mention one thing. In order to plan the route, we need to know who will receive a delivery. Luckily, I have information on the address of each child from a classified source. But, does this child even deserve anything? We have to figure out who was naughty and nice. A lot of this is done through open source intelligence, or OSINT.

While we could use classic signals intelligence (SIGINT) to tap into communications and try to answer the question who is naughty or nice, we have found that OSINT provides the best “bang for the buck”. S3 has a very large team of OSINTers, who mainly monitor social media activities.

What exactly is your team looking into?

My OSINTers start off looking into profiles of the children, but not only to see how they behave. Depending on the region they live in, the platforms they use will differ. From Ask.fm to Weibo, there are many differnt sources to look at. We have seen TikTok blow up over the past months, but we also still obtain a lot of information from “older” platforms such as Facebook and Pinterest. These platforms also provide leads on the interests of our targeted subjects, which enables my organization to match them with the perfect present. We not only look at the children, but also monitor profiles of their family and friends, since relevant information is hidden here as well. As you can see, this is all a very deep intrusion into personal privacy. Therefore, we have very strict rules on how to handle this data, a massive auditing and compliance system and constant trainings for my team. If you thought GDPR was challenging, you wouldn’t want to know how much effort we put into protecting the privacy of our subjects!

Many children nowadays are active in closed communications, such as messengers, or they have restricted public access to their acounts by changing their privacy settings. How do you cope with this?

There are two different approaches we can take here. The first one is what you would call virtual HUMINT, or VUMINT. We try to place someone within a closed chat group using a false persona. For example, a group of friends has a WhatsApp channel with 20 participants. Using OSINT, we create a sock puppet credible enough to be invited into this group. In cases in which this works, we then can then instantly monitor 20 people. Of course, such actions are subject to much stricter rules and regulations that normal OSINT and are not performed often.

The second approach would be a classic computer network operation, or “hacking” an account. This is very rarely done and the methods and techniques are highly classified.

What about children who don’t have access to modern communications?

In this case, we rely on classic human intelligence, or HUMINT. Throughout the world, we have a network of sources directly providing us information. A lot of this is hearsay, so we try to confirm information with other sources before processing it. This actually also applies to data won through OSINT.

However, I would like to point out that at the end of the day we will never gather everything on everyone. Have you ever wondered why a spoiled and misbehaved child you knew received a nice present anyway? No matter how much effort we put into intelligence collection, there will always be a delta between what information is out there and which information we have obtained. I think that is the nature of intelligence work in general.

Circling back to OSINT, how does S3 ensure that they are up to date on new tools and techniques?

We do OSINT to enable OSINT. Of course, we follow #OSINT on Twitter and we also have someone monitoring osint.team as well as various blogs such as osintcurio.us and your blog.

Wow, I’m honored to have made it on S3’s reading list. I know you are quite busy, so we can wrap it up here. Is there anything else you would like to add?

Merry Christmas, happy OSINTing and I wish you all the best in 2020!

MW-OSINT / 22.12.2019

Car Spotting and OSINT

Looking for specific car? Next to googling it, you could try a car spotting site to find pictures that might provide further leads for your OSINT investigations.

A while back, @Wondersmith_Rae wrote a great article on maritime OSINT. In this, vessel tracking sites were mentioned, which allow us to identify ships and monitor their movements. Wouldn’t it be neat to have something similar for cars?

While we will never be able to track and identify cars just as good as we can track large ships, this article will provide some useful hints that can help with OSINT on vehicles. But which data is relevant when researching cars and motorcycles? As most vehicles are mass-produced, research based solely on the manufacturer, model and color might be a bit challenging. So, we will need unique identifiers such as the VIN or license plate.

The VIN, or vehicle identification number, is a 17-digit code which is assigned to every vehicle when it’s manufactured. The are several paid databases that will enable looking-up a VIN and retrieving information on the vehicle and possibly its history. If you don’t want to spend money, just try googling the VIN. Since it is so unique, you probably won’t receive a lot of results and thus not many false positives.

One of my favorite free sites to obtain information on VINs and vehicles in the US is Poctra. This site crawls the web for salvage vehicles and archives all available information and pictures. Let us see what Poctra reveals on the VIN I had googled.

High-res images, the location of the auction, mileage and sometimes even a license plate. There are plenty of pivot points to conduct more OSINT here.

If we have a license plate, and the car is something a car spotter might take interest in, we might find images of it on various car spotter websites. Next to PlatesMania, my favorite site is Autogespot. Both allow to search by license plate.

Enough theory, time for a practical example. Arsenal London football player Pierre-Emerick Aubameyang was often seen with a Ferrari LaFerrari. Even though he lives in London, this vehicle does not carry a British license plate. A great repository of license plates can be found at World License Plates, in case you have to figure out which country the license plate originates from first. It turns out that Aubameyang’s Ferrari is registered in Germany. His license plate is AIB-Q 1414. Let us see if we can find this car on Autogespot.

By clicking on “More Filters” on the top right of the website, we can define our query.

This leads to several results, each containing multiple high-res images. Not all images are publicly accessible if you are not a paying member of Autogespot, but there is a workaround to retrieve the pictures hidden behind the paywall. We’ll get to that in a minute.

The top left entry shows that Aubameyang’s Ferrari was spotted in London on 21 September 2019 and that this sighting contains 10 pictures. The spotter also links his Instagram account, which might lead to further images. So, make sure you always pivot your investigations to these additional profiles as well.

Sometimes, we can retrieve the other pictures from Autogespot even without paying for a premium account. Just copy the URL of the page you are on and query it in Google. Then have a look at the image results. Here are the other nine images:

The information we now obtained is once more useful as a pivot point for further investigations. Maybe we can geolocate the exact location the vehicle was parked at and thus know where Aubamayeng was on 21 September 2019 after lunch. Maybe these pictures could provide evidence that a vehicle was damaged prior to a current insurance claim. There are many reasons why tracking and identifying vehicles may be useful. When researching license plates, keep in mind that a simple search engine query or query within social media might also lead to results. In our case, it leads us to results on Twitter, Instagram and press articles, next to the car spotter sites we have looked at already.

There are plenty of other platforms worldwide that track vehicles and allow queries by license plate, another one of my personal favorites is Nomerogram (Номерограм) in Russia. This site not only displays luxury cars, but also every-day, ordinary cars. I guess this is related to Russian’s love of dashcams, resulting in a massive amount of video and imagery on all kinds of traffic participants.

With the techniques and sources shown above, a vehicle can be manually tracked to a certain extent. This tracking, however, will rely on geolocating the image. To practice this, I recommend participating in the @quiztime geolocation challenges on Twitter. In a future blog article, I’ll look at Wigle and see how this platform could help track cars as well.

Until then, have fun looking up exotic cars on the aforementioned sites. That is, unless you prefer going through pictures of banged-up, rusty Ladas on Nomerogram. Hey, I’m not judging!

MW-OSINT / 07. December 2019

Researching Right-Wing Extremism in Central Europe

How to start investigations on right-wing extremists? Work your way through multiple social media platforms and combine information to generate leads!

The recent Iron March Leak once again showed the extent of right-wing extremism within our society. This leak provided a massive mount of data to conduct online investigations. While Iron March was shut down, the individuals behind it still use many other platforms to disseminate their thoughts and ideas and to communicate among each other. Of course, the new communication channels they use won’t be found with a mere Google search. In order to find such sites, we will have to follow the digital breadcrumbs across various social media networks. In this article, I would like to show starting points for OSINT research and how to work your way through different platforms to identify potentially relevant information when tracking down right-wing extremists.

Looking through social media, we will unfortunately find lots of people that follow a racist or fascist ideology. These people might not be the actual targets we are looking for, but they could lead us to them. Especially in Germany and other central European countries, many people have left Facebook and Twitter after their accounts were temporarily suspended or deleted upon sharing hate speech, which under certain circumstances is a criminal offence. They found refuge on the Russian Facebook-clone VKontakte (short: VK) and Gab, as an alternative to Twitter. In order to access information on these platforms, we will of course have to create sockpuppets. VK also allows logging on with a Facebook-account, as do many other social media platforms.

Let us start our research from scratch. First, we will have to identify individuals that might be worth investigating. Since many of these individuals think of themselves as “patriots” in Germany, searching for this term might lead to some initial results on VK.

Et voilà, the first VK-group to investigate. As you can see, this group also cites a Facebook-page. However, the Facebook-presence has been deleted and does not exist anymore. Going through the posts on this page and having a look at the members clearly shows that we are on the right track. Below are profile pictures of some of the members. Many images shown here, such as the swastika, are banned by law in Germany. Yet, on VK German citizens are free to display their ideology without any notable repercussions.

While the information posted within the VK-Group “German Patriots” might not lead to real extremist sites, the information shared by members of the group on their personal profiles could get us there. With no way of automating the next step, one of the most important OSINT traits is now needed: perseverance. This means we will have look at a number of these personal profiles manually to find new leads. Instead of going through all 2000+ member-profiles, let us concentrate on the ones with the most disturbing profile pictures. One interesting aspect during this investigation, is the fact that many people that can be found here have Russian-ancestry. This means we might also find information on another Russian social platform called Odnoklassniki (short: OK). Keep this in mind when conducting OSINT on people of Russian origin.

It doesn’t take long and we find hints towards the use of other platforms and communication channels outside of VK. Some individuals have posted their Skype-usernames, some link Telegram channels. One post from January 2018 describes an independent message board outside of Facebook and VK. The author invites people to join this outside platform by commenting or liking the post, after which he will get in contact with them and invite them to the newly created site. Interestingly, he doesn’t disclose the name or URL of his VK and Facebook alternative.

The author hasn’t publicly been active on VK since this post, although he did access it just two days ago. VK displays the last time of user activity, a useful feature to determine if the account is still active, even if nothing is publicly posted.

Regarding the unspecified platform mentioned above, I remembered stumbling upon such a site while conducting a similar search on Facebook. There I had also started by looking for profiles and pages containing derivations of “patriot”. This led me to a page called “Patrioten-Treff”, promoting a Facebook-like platform.

It turns out that this project started in early or mid-2017 and by December 2017/January 2018 it had opened to public. It was exactly the type of right-wing extremist forum I was looking for.

Online shops, racist discussions, team speak servers, organized events; “Patrioten-Treff” had it all. By linking the information I had found on VK and Facebook, it is likely that the person I had come across on VK was actually part of the team behind this new right-wing social media alternative. By early 2019 it was offline, but the content displayed there was more radical than anything seen on standard social media. Regarding the reason it shut down, it could be out of lack of funding. Before “Patrioten-Treff” was taken down, they requested funding to cover the expenses. Payment could be made by Bitcoin, direct transfer, Alipay and Paypal. Again, providing further leads to conduct OSINT investigations.

Patrioten-Treff had 2,500 users and was not even able to raise 80 Euros a month. I guess right-wing extremists are a bit stingy. Next to financial support, content moderators were needed. These moderators would communicate using WhatsApp.

While Patrioten-Treff is currently offline, the Facebook-page continues to be active every once and while. A recent post from September 2019 shared a Telegramm channel of the German neo-Nazi party Der III. Weg.

In this cross-domain investigation, manually searching for information on one social media platform led us to a plethora of new starting points to dive into. From VK to Skype, from Facebook to Telegram, from Bitcoin to WhatsApp; there are now plenty of leads to follow up upon. Not all leads can be investigated with OSINT, but this type of intelligence might provide the information we need to conduct Virtual HUMINT (VUMINT), enabling an infiltration of the new message board, Telegram channels or WhatsApp groups. I didn’t go that far, but I’m sure someone or some organization did.

By the way, the methodology described above can also be used to track other extremist groups. I wonder if other groups are just as cheap as the right-wing that couldn’t raise 80 Euros to host a website?

MW-OSINT / 01.12.2019

Communications Security on Iron March – An Intelligence Analysis

How do right-wing extremists secure their communications? The recent Iron March data leak gives insight into how its members tried to communicate outside the message board.

The recent leakage of a massive white supremacist message board named Iron March sparked a wave of independent investigations by people all of over the world. The data contained in this leak provides many leads to practice OSINT skills in various disciplines. Whether it is googling usernames, correlating email addresses to social media profiles or looking up information on some of the domains shared on this message board; the breached data is a starting point for a plethora of different OSINT methods. Of course, I couldn’t resist and also took a dive into this leak as well! I decided to have a look at the content that was posted on Iron March. Not so much OSINT here, it is more general intelligence analysis I will be applying. One of the challenges was actually defining a clear goal. What did I want to unravel here? Did I want to reconstruct organizational structures? Did I want to investigate individuals and their backgrounds? Did I want to look at certain events?

Without narrowly defined intelligence requirements and thus key intelligence questions that should be answered, approaching such a big amount of data in a methodological way is nearly impossible. After reading the first couple of Iron March messages, I realized that the users often discussed others means of communication outside of the message board. So, I decided that my first goal would be to analyze the communications, security measures and the evolution of communications within this network. Having a better understanding of this topic will surely help the OSINT community to understand where to look for further information during this investigation.

When Iron March was set up, many users migrated from a previous platform called ITPF. Background information on both platforms can be found here. The first posts on Iron March clearly showed, that the users would regularly communicate outside of the message board as well. Among the these outside channels were mainly Skype, MSN, AIM and Facebook.

“You should download Skype it is a good service. Also you can use it just like MSN; you can type, I type most of the time.” Post on 23.09.2011 by Kacen (ID2)

“Not sure if you’re interested but I thought I’d ask, I’m launching a study group for American Fascism/Nationalism quite soon via facebook.” Post on 24.11.2011 by American_Blackshirt (ID35)

Eventually, members of Iron March even set up Skype groups to ensure communications. This enabled them to communicate directly with each other without delay, as it would have been on Iron March. At the time, Skype appeared secure to the members of the message board and was soon the preferred outside communication channel. Occasionally, other channels would also be used to communicate, sometimes even including gaming platforms.

“We have a good number of people in the Skype group and you should join.” Post on 25.01.2011 by Blood and Iron (ID3)

“do you have facebook, or steam, bf3 battlelog or something where us 2 can converse?” Post on 02.07.2012 by unkown

The main reason people would use external messengers to communicate, was that they were more practical than using Iron March’s private messaging system. To gain access to Iron March PMs, the site had to be open in the browser. MSN and other messengers were client-based and could run in the background, immediately informing users of incoming messages. By late 2012, AIM and MSN were also still used frequently, something that would soon change after Microsoft discontinued MSN as a service in 2013.

“Hobbit, do you have MSN? A lot more practical than talking through PMs.” Post on 27.06.2012 by Damnatio Memoriae (ID279)

“Alright, I’ll get back to you again tomorrow, with my AIM, MSN, and SKYPE info.“ Post on 10.10.2012 by social_justice (ID17)

As early as mid 2012, many users were slowly turning away from Facebook, stating privacy issues as their main reason.

“I don’t use facebook anymore, it gives too much information away even if you use a proxy and false information, it’s an easy way to keep a “paper trail” on someone, so to speak.” Post on 03.07.2012 by Nebuchadnezzar II (ID288)

The use of external channels remained mostly unchanged until 2015, when new messaging and chat services started to appear on Iron March. Telegram and Tox were among the most popular services and were viewed as more secure than Skype. This also led to the exchange of Tox IDs, so the members could identify each other on the chat application.

“I need to get in contact with you. Download Tox and make an account with a secure login.” Post on 08.08.2015 by Fascism=Fun (ID7962)

“Another thing I wanna recommend is to use Telegram or Tox instead of Skype for organisational procedures and meetings. These are really good ways of communicating, and I know of three NatSoc and Fascist organisations within the U.S that use these services because of their security.” Post on 05.02.2016 by TheWeissewolfe (ID9304)

The post above is actually from the deputy leader of the infamous Atomwaffen Division. Whenever someone was interested in joining this organization, they were told to use Tox or Telegram for further communications. However, there was still a reasonable amount of doubt regarding the security of these new communication channels. Discussions about adding an extra layer of encryption ensued.

“Yeah I’m well aware the skype is compromised. Literally everything Microsoft is and has been for over a decade. Tox isn’t but it’s a WIP. Discord I don’t know much about but no doubt it is too. Secure channels aren’t really possible without doing your own encryption.” Post on 21.05.2016 by Xav (ID9476)

While most members of Iron March were very naïve in terms of operational security or communications security, some members had a fairly good understanding of the risks in open communications. One of these members was Atlas (ID9174), who claimed to be responsible for network and computer security for the British group National Action.

“Hi, I’m in charge of computer and online network security with National Action.” Post on 23.08.2015 by Atlas (ID9174)

Atlas often provided guidance on the use of secure emails and encryption with PGP. Overall, members were made aware not to use Hushmail and to rely on Protonmail or Tutonota instead. When sending emails to other providers they were to use PGP. He even wrote a PGP guide for National Action and distributed it on Iron March as well.

“Good job I just designed a PGP guide for National Action then, I’ll email you it, what’s your email?” Post on 01.09.2015 by Atlas (ID9174)

Other activities included checking the security of hosting servers. One of the most interesting conversations I have found in this dump so far was between Atlas and the founder and leader of the Atomwaffen Division, Odin. In September 2015, Odin reached out to Atlas regarding issues with PGP.

“Hello comrade I need to have my pgp shit setup properly and to be able to use it for communications with certain people before this weekend. I would be very greatful if you could help me.” Post on 14.09.2015 by Odin (ID7600)

Although many security measures were put in place, a lot of members of Iron March still were fairly confident that their activities had not drawn the attention of law enforcement yet. Some even openly expressed their total negligence of security openly on the message board. There was more fear of being doxed by left-wing organizations than becoming a target of police investigations.

“I’m glad you all understood the necessity for security. Here on IM I was shot down for daring to suggest such a necessity on the basis of: We don’t need it, we’re not ISIS. I ripped off all my ideas from some corny website anyway (that website being my blog btw lol).” Post on 04.05.2015 by Atlas (ID9174)

“The use of TOR, fake names, and these secure channels is more of security culture thing – we are not being actively monitored by say, the government (at least that is my personal opinon based on the information I have) but it encourages people to act more sensibly so they don’t get themselves doxed by leftists. I don’t like hearing about workplaces getting phoned up or individuals being exposed in the newspapers. Since the mirror article on my a couple of years ago practically everyone has been able to maintain a degree of anonymity. Obviously if they ever decide to raid anyone they are not going to find anything that can be used to build a case around them.” Post on 10.04.2016 by Daddy Terror (ID7)

Given the fact, that Daddy Terror (ID7) was the leader of the National Action movement in Great Britain, this statement is truly remarkable and shows how safe some of the members of these extremist communities felt in their online communications. Next to the platforms already revealed above, there were several other communications channels that were occasionally mentioned, e.g. Discord and even MySpace in the early days of Iron March. In the end, the use of external secure communications and additional encryption were blasted when the message board itself was hacked in 2017 and the data was recently leaked, exposing the identities and ideas of many members.

Thank god the Iron March admins didn’t have proper security measures in place and hopefully this data leak will help law enforcement worldwide investigate some of the malicious activities planned and discussed on the message board. Until then, I’ll continue to dig into this data, together with other OSINT enthusiasts, and see what stories can be unraveled next.

MW-OSINT / 09.11.2019

The Importance of Grammar in Forensic Linguistics

Commas matter and grammar matters. Especially when you deal with threat letters, poison pen letters or even ransom notes. In this case, grammatical errors, misspellings or unique writing styles might reveal the person behind the mischievous texts. Are you dealing with one author or multiple individuals? Can you link these letters to other reference documents, e.g. internal employee emails? The art of analyzing written documents in investigations is a subset of forensic linguistics.

While I won’t go through any real examples in the following article, I would like to share my experience when dealing with such cases. First up, I won’t even try to get into graphology. This is the analysis of handwriting, in an attempt to evaluate personal characteristics or the psychological state of the writer.

Graphologist: “The author is a male and he is very angry, possibly holding a grudge against the recipient.”

Intel analyst: “No shit, sherlock. The handwriting is sloppy and why else would he write a poison pen letter?”

The most important tool for me is a set of highlighters. If dealing with multiple documents, I found it easer to print them out and to mark peculiarities with the highlighters and also add handwritten notes of my own. I use different colors for different categories. One for spelling mistakes, one for grammatical errors, one for the use of uncommon words or unique word-creations and lastly the final color for certain style elements.

Let’s start off with the first category: spelling mistakes. Many people have distinct spelling mistakes they constantly make. And not always will they recognize mistakes when proof-reading their own work. Sometimes these mistakes might also indicate if the author is a native speaker or not. A German writing an English text might automatically use Telefon instead of telephone. Furthermore, many languages capitalize nouns, so look out for this as well. Other spelling mistakes may derive from auto-correct functions in office. When I open Word, it assumes I’ll write in German and does the autocorrect based on the German dictionary. Newer versions of Word notice I’m typing English after about one sentence and then automatically adjust, older versions might need a manual reset. When typing or writing quickly, one may produce clerical errors, such as forgetting letters, adding letters or switching letters. In this case, always check to see how letters are allocated on the keyboard to understand the origin of these typos. Keep in mind that different countries use different keyboard-layouts!

The next one is a bit more tricky. I have to admit, my grammar isn’t the best. I usually just know that something looks weird, without being able to grasp the actual reason or grammar rule. So, in this phase of investigations I often google certain grammar rules to make sure my hunch was right. From simple things such as mixing up your and you’re, to the inproper use of commas, there are many different errors that might show up in multiple documents. One important thing to remember is, that it will be the sum of indicators that lead to successfully solving the case. It most likely won’t just be one blatant error.

Depending on an individual’s background, they may have a different spelling of words. It may vary between British or American English, it may contain colloquial terms or even slang and different dialects. Everything that differs from the standard form of writing in the specific area you are working in, should be marked with a highlighter. Using modern-day slang might indicate a younger person, old-fashioned terms will probably not be used by a kid. I once had a case, in which the author creatively invented new curse words I had never heard of before. Some of them where so hilarious, I actually added them to my personal vocabulary. Another example would be the use of local dialect. In Germany bread rolls are named differently in many regions: Brötchen, Wecken, Semmel, Schrippe, Krossen, Normale, Rundstücke; these are all the same thing! I’m sure similar examples can found in other languages and for more relevant terms as well. Try to figure out which region the word originates from. Again, a little googling can be helpful here.

Next up, concentrate on the style of writing. Is there anything that sticks out? Specific punctuation, such as the frequent use of exclamation marks or multiple dots…. Also, concentrate on the sentence structure. Is the author using short sentences or is he fond of long-winding sentences? Does the whole document read as if it were written by the same person? A shift in style may indicate that some part was copied from another document. Finally, have a look at the format: font, size, line spacing, alignment. After marking all documents according to the above points, it’s time to spread them out and get a birds-eye view of all of them. Sometimes, this will reveal more similarities or conspicuous features shared by multiple documents.

Now, for the most important aspect: Assume your adversary, the author, is well aware of his distinct mistakes and style of writing! He might try to deceive us. Changing the usual format, by using odd fonts or changing the alignment are easy to recognize, but sometimes an author will substitute some of his unique identifiers with another. Mostly by doing the exact opposite of what his style of writing is usually known for. Someone that uses long and complex sentences might break these down into short and concise sentences, making the letter look more like an old telegram. Obvious spelling mistakes might be implemented as well, to put us on the wrong track. However, anything that is deliberately done will likely follow a certain pattern. It is our job to identify this pattern.

Of course, there is much more that can be done when handling cases like these. Analyzing handwriting by overlaying different sets of handwritten words on each other is one technique that might help. This works really well in MS Office, since the office suite has some pretty impressive features to handle images. Furthermore, fingerprint identification (dactyloscopy), analyzing the paper, trying to trace back emails; a broad variety of methods can be applied here. Maybe even the graphologist, if you’re that desperate. As with all intelligence analysis, it is important to never fully rely on just one method. Combine what you have at hand to achieve the best result.

After this brief introduction to the topic of forensic linguistics, I will prepare an example for a future article, highlighting the aforementioned. I just have to figure out who I want to blackmail or send a poison pen letter to. Maybe one of the scammers from a previous project.

MW-OSINT / 01.10.2019

OSINT Key Findings in the Year 2009

Syria, nonproliferation sanctions, OSINT, Google Dorks and SIGINT. In 2009, these all came together in an interesting investigation.

Earlier this year, I wrote an article about my opinion on the future of OSINT and while doing so, I had to think about how OSINT looked in the past and how it has evolved over the years. Gathering and analyzing information, not only through OSINT, has always been my passion and I’ve been doing this for about 20 years now. Just like the recent project with Sector035, where we unraveled a massive scam network, I have often conducted research on specific topics purely out of curiosity. These side projects were never work related, but the skills I then learned were eventually useful throughout my career. Often, reading a simple news article would send me down a rabbit hole. From looking up related news articles to spending hours on Wikipedia to creating link charts, largescale investigations were always only a mouse-click away.

I just recently recalled a project I worked on in early 2009. It all started with me looking into various nonproliferation sanctions lists. I think it was a news article that sparked my interest. These sanctions were and are imposed on countries that have been accused of trying to procure and/or produce weapons of mass destruction, e.g. nuclear, chemical or biological weapons. I started looking into government and non-government entities from Syria on those lists. Remember, this was back in 2009. There weren’t really many sophisticated OSINT tools back then, so most findings resulted from simple Google queries.

One of the entities I looked at was the Mechanical Construction Factory. Googling this led to millions of results, so I narrowed it down by adding quotation marks: “Mechanical Construction Factory”. My next step was looking for this search term in specific filetypes. PDF or Powerpoint documents have the tendency to contain more relevant information than your average webpage. Adding the filetype-operator in Google led to some rather interesting results.

For example, the Greek Exporters Association (SEVE) posted monthly spreadsheets of tenders originating from Syria. These lists contained information on who requested the offer (including addresses, phone numbers and email-addresses), as well as goods they were seeking to acquire.

In order to find all tender spreadsheets on this page, I again used Google dorks. Combining the site-operator with the filetype-operator brought up all the PDFs saved in the 2008 directory. Since I only wanted to look at the PDFs for Syria, I used Google Translate to obtain the Greek spelling of Syria, as each spreadsheet had this somewhere in the document. The final query looked like this:

I now had a long list of Syrian companies that had requested to purchase goods from Greece. Not only that, multiple companies used the same phone numbers, so I could assume that they were linked to each other in some way. I recall finding one or two companies that were linked to a sanctioned company by a phone number and that weren’t listed themselves.

Playing around with Google dorks had me find plenty of interesting material to go through. While I can still reproduce the example mentioned above (just try it yourself), the most interesting finding in this case is unfortunately lost.

Back then, Turkey had a government organization named “Undersecretariat for Defence Industries”. The Turkish abbreviation of this was SSM. The SSM-website doesn’t exist anymore, as the organization was renamed and restructured in 2018 (as SSB). This organization posted roughly 150 scanned original tenders from Syria on their website. While not directly accessible through a dedicated page, using the Google dorks had them appear in my queries. These documents contained phone numbers, addresses, signatures and seals that were stamped on the paper. Apparently, they were sent to Turkey in hardcopy or scanned and then sent electronically.

Keep in mind, I did all this at home. This was my hobby and not related to my actual line of work. I was a SIGINTer, not an OSINTer at work, tasked with a completely different area of operations. However, these original documents seemed like something my colleagues working on Syria would also be interested in. I took an example of one of the tender documents to work one day and showed it to the guys at the Syria desk. They could not believe that I had just found this online. Some of them where even convinced that I had access to their data and pulled it from there. I ended up directing them to all the documents I had discovered on the aforementioned Turkish site and they proved to compliment the knowledge the Syria desk already had.

While writing this article, I tried to find the those documents using the Wayback Machine, but as I previously mentioned they weren’t actually located on a site that could be easily accessed. So, they unfortunately weren’t archived. I went through the complete site map in the Wayback Machine with no luck. For those of you who don’t know this function, try it out. It is great to get an overview of the structure of a historic webpage.

In 2009, many people underestimated the power of OSINT. In 2019, I don’t think many people will make that mistake again. No fancy tools were needed back then, just some Google dorks and perseverance to manually go through hundreds of PDFs. Although things have changed in the OSINT world and continue to change as we move along, I am sure there is still plenty of juicy information that can be found on the internet by just mastering the use of Google operators. Happy hunting, fellow OSINTers!

MW-OSINT / 27.09.2019

Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

MW-OSINT / 13.09.2019

Unravelling the Norton Scam

It all starts with a bad sock puppet

If you have problems with Norton 360 or Norton Antivirus, please do not call +1-844-947-4746. You might end up with malware on your computer.

Do you have a look at the accounts that connect with you on Twitter or Medium? I do, and so does my buddy Sector035. In late April 2019, a new person followed Sector’s blog on Medium and he had a look at this new follower.

A weird URL? A nice picture of a female named Pierre? This profile was begging for further research. The URL led to a tech-support site that listed the following phone number: +1-844-947-4746. Sector didn’t even wait to check this number on his computer and immediately googled it on his cell phone. I guess that’s what you call OSINT curious.

It turns out that this phone number was listed on numerous obviously fake sites and blog posts offering tech-support. Out of curiosity, we decided to take a closer look at some of the sites, in order to see how they were connected to each other and possibly find out who was responsible for creating them. At the time we had no idea how time consuming and big this project would be! Among the sites using the phone number, we initially concentrated on these four:

Each site looked worse than the other. Horrible design, bad English and next to the aforementioned phone number, they all used the same address:

While Sector started to check the WHOIS information using DomainBigData, GoDaddy and Whoxy, I looked into to Google Street View and did a little reverse image searching on the photos. It turns out that all the photos used were either stock pictures or stolen off other people’s social media profiles and the address itself was in an inconspicuous housing area. Googling the address led us to more suspicious sites, some of them using a different phone number. Among these was one belonging to a company allegedly called Energetics Squad LLC. No records existed for such a company in the State of Illinois, nor in any other state. Keep this company in mind, as it will show up in a later blog post as well!

The WHOIS check didn’t always provide the exact name of the registrant, but we found another similarity: most of the websites had been registered around March 13-14, 2019 in India.

Using DNSLytics, Sector also checked the Google Analytics ID and found that the sites were not only linked by all of what was described above, they also shared a common tracking code (UA-code). At this point, it was time to start linking the information in Maltego.

What started with a bad sock puppet, led to googling information and from there to a deep dive into domain data, Google Analytics research, as well as pulling corporate records from official state registries. The hunt was on and upon finding all this correlating data, we couldn’t just let go and decided to push forward.

The Art of OSINT

Art is often considered the process or product of deliberately arranging elements in a way that appeals to the senses or emotions. OSINT is art and sometimes OSINT produces art.

This is big! We collected information on hundreds of different entities; including websites, names, phone numbers, email addresses and much more. When we started, relevant data was just dumped into a text file. To give you an overview of how much we collected and how much time and effort we spent on this project, Sector put together a little infographic.

We also used Hunchly during our collection and then realized we needed to structure the most important data and moved on to a spreadsheet. This worked for a while, until we felt the need to display links between entities in an easy and understandable way. A more visual approach was chosen, and Sector started what I call “The Art of OSINT”: a link chart.

Sector used Maltego for our case, but there are many alternatives you can use as well. I have grown fond of draw.io and others might use one of the various mind mapping apps and platforms. The idea behind link analysis in general is to evaluate relations and connections between entities. Link charts are the visualization of this data, which in many cases make it easier for an analyst to discover connections. Sometimes the connections are not direct, but indirect, linking entities to each other by a third-party individual.

Let us take a look at how link charts can be built from scratch. I previously mentioned a screenshot of one of the scam sites.

This site already has multiple pieces of information that can be connected. A name, a postal address, a phone number and lastly an email address. Each of these is the starting point for further OSINT investigtions. We found that the email address was used to register the domain allbagmanufacturing(dot)com. This domain also lists an Indian phone number in the WHOIS data.

It turns out, that the Indian phone number was also used to register the site roadrunneremailsupports(dot)com.

In conclusion, both sites are likely connected. However, how do we know that this phone isn’t just a burner phone or a random phone number? More OSINT research is required to verify if the phone number is existent and who it belongs to. I also mentioned a little social engineering coming up, didn’t I? If you were hoping to read about this topic now, I have to disappoint you. Rest assured, we have a nice story on social engineering later on. Now, let’s get back to our link analysis.

One piece of information leads to another and soon we find new leads and many connections between the entities. The chart itself has grown quite a bit in the meantime. At first glance, it will seem a bit chaotic. However, it is still easier to handle than relaying this information in a text-based form. For me, link charts have an artistic character. Each chart, whether built manually or automated, is one of a kind. Unique data, unique arrangements, all coming together to form a piece of modern art.

Put this on a large canvas, have Sector sign it and it would be something that could be found in the Guggenheim Museum of Modern Art. One day I plan to do exactly that. A vernissage on “The Art of OSINT”. Until then, let’s keep creating more masterpieces with our online investigations and link charts.

What’s the big deal? And who’s to blame?

Not all information can be found using OSINT. Sometimes a little social engineering can be useful.

We warned you not to call a certain phone number linked to multiple scam sites. So, what exactly happens if you call +1-844-947-4746? Although it was obvious that the sites we were looking at and this phone number were involved in some kind of scam, I was curious to see what the exact business model was. Before making the call, I googled a bit and found out that the number was toll-free in the US. After topping one of my burner phones, I dialed the number.

It rang shortly and a gentleman with an Indian accent answered and asked which kind of assistance I required. I explained that I had problems with Norton 360. I couldn’t activate it. The gentleman wanted my name and my phone number, upon which I provided him with some bogus data. At first, he asked if I was able to install software, as he wanted to use Supremo to check my computer. Playing dumb, I just told him that I didn’t understand what he wanted me to do and that I have never personally installed anything on this computer. My son always did all the IT-stuff for me.

Next up, he mentioned two URLs that I should try to visit: helpme(dot)net and 1234computer(dot)com. It turns out that both sites were also meant to give him remote access to my computer.

This is where another important lesson in OSINT (and life) can be learned: Proper preparation prevents poor performance! I had not expected this and therefore hadn’t set up a clean Windows VM to play around with. Sadly, I had to find an excuse why I couldn’t access the URLs he had cited. I promised to call back, but never managed to get through again. From there on, the number only redirected me to voicemail. Funny enough, the mailbox mentions a typical American name as the owner. Maybe this could be useful in the future.

In any case, it was clear how the scam worked. Unsuspecting, non-tech-savvy users would call the hotline and give the scammers remote access to their computers. From there on, the possibilities to do harm are countless. Ever since then, I have always made sure to have a clean Windows VM that I can use in such cases.

Since we now had an idea what the scam was about, we decided to push forward with our investigations. Sector found a phone number associated with the site energeticsquad(dot)com. This site belonged to an IT-company named Energetic Squad LLC in Illinois, which coincidentally was also located at the address we had already seen on multiple scamming sites. The number found by Sector was an Indian mobile and I decided to get in touch with this person to find out if he or she was in any way related to the aforementioned website or any of the other scam sites. I noticed that it was registered in WhatsApp, so I decided to have a little chat. Of course, I used a burner phone for this; to be more precise, I was running WhatsApp in an Android VM on my computer.

What struck me here, is that I was indeed on the right track. I never said that the company was a LLC, yet it was immediately mentioned by the person I was texting with. By this, the owner of the Illinois company offering local tech-support was using an Indian phone number. He wasn’t keen on giving me his name, but his reactions showed that me that the name I had was also likely correct. At least he didn’t deny it.

I offered to buy his domain and we went back and forth regarding the price. I was pushing hard, something I usually wouldn’t do in a real case, and soon he asked if I could come to the US for further negotiations. I assume he was just trying to put me off track and distracting from the fact that he was actually located in India. His English also wasn’t what I would expect from a native speaker. Of course, I was able to travel to the US and at this point he decided to end the conversation.

Being blocked by a scammer, because he accuses you of being a scammer. Now there’s a pot calling the kettle black! Of course, I burned bridges here and wasn’t able to reestablish contact after this. However, we did learn that the Indian mobile phone number was in fact connected to the website and the company. Also, we had likely found an actual name. Later on, we found out that the company Energetic Squad LLC had been registered in Illinois in the meantime, and that the name of their manager was the same name that is being used on the fake tech support voicemail. Everything and everyone is linked!

There were several other suspects which we had also contacted, and almost everyone acted as suspicious as the person I wanted to buy the domain from. In any case, these conversations gave us many new leads to follow up on and had us pivot toward social media profiles. Maybe these will provide some insight on the scam network.

The more, the better

What are backlinks and how are they used in the Norton scam? Our OSINT investigations lead us into the world of SEO.

The project started with a fake profile on Medium, which led us to several scam websites claiming to provide tech support. While the total number of these sites hasn’t risen much over the past months, entries promoting this scam on blogs, social media profiles and in comments on other websites have drastically risen. We see this as a crude search engine optimization (SEO) attempt.

Throughout the investigations we found individuals specializing in SEO, who where also likely linked to the network we were tracking. One of the sites that popped up in our search was yahoophonesupports(dot)com. Unlike previous fake sites that used Indian addresses and fake English-named personas, such as Nancy Wilson or Steven Dalton, this one was registered by someone named Jiya with a real looking email address. We had narrowed down our search to the city of Noida in India and the phone number used to register the site was definitely linked to our scam network. While most names used to register domains clearly came from fictitious peoples, maybe this was one was real.

Searching for the name on Google led to a result that fits the picture: Jiya from Noida offering SEO services.

Jiya mentions backlinks and blogger outreach, something we have seen in our scam as well. Let me explain the concept of backlinks, also known as inbound links. A backlink is a link on page A referring to page B. Most search engines interpret backlinks as votes on the popularity of a website. So, the more backlinks that lead to page B, the more popular this page seems and thus it will be rated higher in search results. The easiest way to create cheap backlinks is using free blogs, for example Medium. Googling the phone number used in this scam, we come up with over 1.000 Medium posts and sites, each also containing the link to one of the fake support sites, such as nortonhelpus(dot)com.

We are not only seeing this on Medium, but across many platforms. The amount of backlinks created clearly indicates that we are dealing with a large team of people, as this is probably not possible by one person or a small team alone. The number of search results for the phone number shown above has risen from 4,000 in May to about 21,000 this week and is still rising!

Of course, most posts come from obvious sock puppets, created with fake names and stolen profile pictures. Here’s Brad Pitt, alias James Rocky, offering tech support.

Once these sites are set up, clicking on the links can be automated, so that the target website (in this case all-emailsupport(dot)com) receives traffic, basically boosting its search index rating. The scam network is not expecting to generate any phone calls or support requests from these obviously fake Medium sites, these are just used in the SEO process for the actual scam site. We have been seeing these SEO-enablers on Twitter, Issuu and basically any platform that allows you to post information “quick and dirty”.

During our project we also looked at Google Trends, to figure out where the main targets of this scam were likely located. Obviously in the US, as the main tech support phone numbers were US toll-free numbers. However, we also noticed a British phone number. Google Trends allows you to look up search terms and see the interest over time and the region of interest for that specific search term. We were curious to see if any notable searches on one of the scam topics was googled in the UK often. We checked “activate Norton”, since this was one of the main services the scam network was allegedly offering: activating an expired Norton account.

Sure enough, the main regions that googled this term were the US and India. The US is obvious. This is the market the scammers are targeting. But why does India rank higher? One explanation could be testing the search term during the SEO-process. Coincidently, some of the peaks in the interest over time relate to time periods in which new fake sites were created. No notable searches were seen coming from the UK.

As mentioned before, most of the bogus blog posts were created really sloppy, as their sole purpose was to generate backlinks. We also found several sites linked to this scam that were apparently selling software. A lot of these sites were created using predefined templates, in some cases showing the shipping time or the general location on a map.

Apparently, the creator of this site had his location (likely based on a geolocation through Google) automatically added and didn’t bother to change it before putting the site online. In any case, he achieved his goal: A backlink to a scam site.

Now that we’ve learned how this scam uses SEO to promote their wrongdoings, is there anything that can be done to effectively tamper this scam network? How about Google, Bing, Yahoo and other major search engines take any site off their listing that features “+1-844-947-4746”. Except ours, we’re the good guys!

Mistakes on social media

Never be too careless with what you post on social media. It might come back to haunt you one day and in the case of our investigations it sure led to some key findings on the scam network!

The ultimate goal of our investigation was to find the people behind the scam. We had found fake personas and most of the WHOIS data was misleading as well. Of all the people we came across, there was still a reasonable amount of doubt that they were actually involved in the scam, or we couldn’t reveal their true identities for sure. In our hunt for the truth we also turned to social media, hoping to find someone connected to our case.

As previously mentioned, most names used to register websites were clearly fake. Nancy Wilson and Steve Dalton were among the favorites. However, we did notice that the majority of sites had Indian addresses in the WHOIS data. In particular, two addresses reoccurred often: one in Noida and one in Gurgaon (also known as Gurugram). We decided to find Facebook profiles that had visited both cities and that were also linked to East Peoria, the city in Illinois that the scammers posted on their websites. Maybe someone was careless enough and had checked into all three places. Of course, this was done a while back when the Facebook graph search was still working.

Jackpot! While we hadn’t expected to find anything on this wild query, one Facebook profile matched our search. This person, named Baljeet, was a very active social media user and constantly checked into places on Facebook. Among these check-ins were Noida, Gurgaon and East Peoria.

Intelligence collection always feeds on mistakes your adversaries or intelligence targets make, and Baljeet committed a major blunder here. Soon after, we found ourselves digging into Baljeet’s profile. It turns out, that he had frequently visited locations (marked in blue) in the vicinity of the office building (marked in red) which was found in the WHOIS data of the scam sites and in which we suspected the team of developers behind these sites to be located.

At the same time, we discovered that Baljeet registered a website with his full name and actual email address, which we had found in his Twitter timeline. This website was providing web design services to customers in the US. And guess what? The site was using the same address in East Peoria and also the same phone number as the scam sites! I decided to have a little chat with Baljeet on Facebook to confront him with this information.

The conversation went on for a while and Baljeet kept coming up with excuses and dodgy information on why his website was using the same address and phone number as the scam sites. After our talks, he actually took down both for a while, but the address is back on the website today. To us it is clear: Baljeet is definitely involved in this scam. You don’t just sit in India and coincidently use the same address (in the middle of nowhere) and phone number as multiple scam sites on your own site. You don’t just coincidently happen to work in vicinity of addresses we have attributed to the scam sites.

While looking into other social media profiles used by Baljeet, we came across other indicators that fit the overall picture. A couple days ago, he proudly posted the following on Twitter: A certificate of an advanced Google Analytics course (my browser was set to German when I opened the link).

As you can see, the information we won from social media research led to us a prime suspect in our case. Not only did we have a real name now, we also had a unique username, a pattern of life and enough information to verify his involvement in our scam.

Our social media research also led to many more key findings. One of the phone numbers we found in the scam sites’ WHOIS data was also posting job advertisements on Facebook.

A call center agent providing support to activate Norton? That’s exactly how our hunt started. Looks like it is all coming together! The information we gathered throughout our social media research was invaluable and had us dig even deeper into WHOIS data and source code from the scam websites, leading to unravelling the whole network behind it.

Tracing ownership

All roads lead to Rome. Or in our case to the Indian city of Noida and a certain phone number we found when we used Google Drive API and RiskIQ to generate more leads in our investigations of the Norton scam.

Above, we have shown you how we identified a possible scammer, visualized connections, contacted scammers and how they are using SEO to boost the ranking of their websites within search results. Here, we explain how we used several tools and techniques to connect the different domains and information, ultimately leading to a single person that sits in the middle of the web like a spider. Is it Baljeet, who was mentioned in the previously? Or are there more people working on this scam?

To answer that question, we went back to the beginning of our investigations and revisited the URL where it all started, the “nortonhelpus[dot]com” site. The website is not just a page that displays the scam phone number, it also contains a link that leads to a subdomain: “activate.nortonhelpus[dot]com”. Here we found two separate links to Norton software placed on a Google Drive.

The person uploadeding this was apparently “Nancy Wilson”, coincidentally the same name as the person who registered the domain name “nortonhelpus[dot]com”. With a common name like this, there wasn’t a lot we could do. We needed to find out what email address was connected to the Google account used, and who was in control of it.

The email within the Whois information for “nortonhelpus[dot]com” was “nw815624@gmail.com”, and to see whether this was the same email address used to upload the files, we had to find out who the actual owner of the Google Drive was. There are two ways of retrieving that kind of information. The first one involves using Firefox and opening up the Developer mode by pressing F12 after loading the page and then clicking on the Inspector. We searched for “@gmail.com” and were presented with a few options. While going over these options, we found the email address of the user hidden somewhere in the source code of the page.

If the owner’s email address cannot be found in the source code of the site, there is another way to move forward: the official Google Drive API. While using the older v2 version instead of the newer and currently active API v3, we were be able to retrieve information on the owner of said Google Drive, including an email address. The specific endpoint we needed to query was “drive.files.get”. After creating a developer account and a temporary project, and by using the online test form (https://developers.google.com/apis-explorer/#p/drive/v2/drive.files.get), we were able to query the endpoint and retrieve all the metadata of the uploaded files. The email address of “Nancy Wilson”, who we know is a fake persona.

Using the following command on the Google drive we were investigating, it pulls the results shown below.

Command: GET https://www.googleapis.com/drive/v2/files/1RCDQWugm5km0fDufLx60kUL_iPu5qj_L?key={YOUR_API_KEY}

Result:

Finding the email address “nancywilson962@gmail.com” gave us a new entry to start searching online for any information that could lead to the person behind the website. For this we turned to RiskIQ, where we used the PassiveTotal platform to query their massive data set of historical Whois information. Within RiskIQ you have the option to search on domain names, but also on email addresses or phone numbers that are inside the Whois registration information, which makes it extremely suitable to trace scammers via domain registration. When searching for the email address we sadly found out that only one domain was registered, the domain “amazing-wash[dot]com”. It appeared to be registered in India by a person called “Ramesh Kumar”, according to the Whois information he was living in Noida and with all this information we found a new phone number.

Though we hoped to find more domain names with our initial query, we simply pivoted on this phone number within RiskIQ for more mentions of it. And that is when we hit the jackpot.

There were more than a dozen domains connected to this single phone number. Even though we already found multiple domain names by searching for websites mentioning the phone number +1-844-947-4746 or using the address in East Peoria, all this information was connected via Whois information through a single phone number that had direct leads to the person placing the files on Google Drive. It was time to pivot again, this time on each and every phone number and email address that we found in the Whois information of all the domains. Upon finding new information, we retrieved related new domains too and so on and so forth. By using RiskIQ, manual Whois queries and going over the content of the websites, we were massively expanding the list of entities in our investigation. Starting with about 100 entities after our initial Google searches and manual labor, to well over 200 items by using the information within RiskIQ! This is how we ended up with a very large cluster of websites, fake aliases and email addresses, a bunch of new phone numbers, all circling around a person called “Ramesh Kumar”. The person with the phone number that connects more than 75% of all the collected data in this investigation in a direct or indirect way.

Of course, we couldn’t resist and tried to call Ramesh on the phone number we had discovered. After these calls, everything made total sense and we pretty much figured out how this whole network of scammers works.

Putting the pieces together

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Time to finally unravel the Norton scam. Sector and I have decided to conclude our investigations and put the pieces together, after spending countless hours working on this case. Every time we thought we had figured it out, new information was found, taking us down another rabbit hole. Sometimes we spent days following a lead, just to find out that it wasn’t related to our case at all. As with most investigations, we were not able to solve all mysteries, but we are pretty sure we identified the company and some individuals behind this massive scam scheme.

We pointed out how everything led to specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got a hold of a woman named Priya and told her that a friend of mine had recommend them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly 150$ on PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.

During our research, we also came across a site which offered web design services to US customers and to which we had actually found legit websites they had created. This is something very common: using a US frontend to sell IT-services that are performed in India. So, not everything the team did was illegal or scam-related.

In order to promote the scam sites, another team was responsible for search engine optimization (SEO). The SEO team was most likely also located in the offices of the web design team, probably under the same leadership. Their job is to flood the internet with backlinks in order to promote the scam sites. So far, we have found more than 20,000 entries for this cause. From Facebook posts, to Medium blogs, to comments on non-related webpages; a large variety of backlinks were created in the past year.

The purpose of the scam is have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.

These call center agents were hired by a company named 4compserv, which is located at an address that was also used to register some of the identified scam domains. We suspect this is root of all evil, the company behind the scheme. Or at least some employees of the company, since we have also found evidence of 4compserv conducts legal business as well.

More evidence came up, which proves that the web design office and the call center are definitely related. Shortly after I had spoken to the boss of the web design office, I received a phone call from the number linked to the call center (+91.97117613). Unfortunately, I missed the call and haven’t been able to reach them ever since. Furthermore, one of the scammers I had personally texted with recently updated the CV on his website. Have a look at his current jobs:

While there are still some questions to be answered, our research has enabled us to have an overall understanding of the network and the techniques used to run their scam, as well as identifying the company most likely behind this scam: 4compserv in Noida, India.

Along the way, we would often stumble upon funny facts. Some of the scam developers were just so sanguine, they didn’t want to obscure their tracks. Such as the preferred use of the name ‘Nancy Wilson’ to register domains or create sock puppets. The original websites the scammers had set up were very crude, now it seems they are using nice looking WordPress templates, including chatbots. Usually, the chatbot would ask for a phone number, so the scammers can call back. And guess who you would be chatting with on all of these sites? Good ol’ Nancy!

We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a largescale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness for similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimately ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammer’s massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/MW-OSINT – 28.08.2019

We explicitly decided to keep the disclosure of personal information on the investigated individuals to a minimum in these blog posts. However, the complete information gathered is available to law enforcement and/or the companies targeted by this scam upon request.

Unravelling the Norton Scam – Final Chapter

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

Chapter 6 – Tracing ownership

Final Chapter – Putting the pieces together

In the last chapter, we pointed out how everything led to specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got a hold of a woman named Priya and told her that a friend of mine had recommend them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly 150$ on PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.

As mentioned in chapter 3, the purpose of the scam is have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.

We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a largescale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness for similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimetely ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammer’s massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/MW-OSINT – 25.08.2019

Unravelling the Norton Scam – Chapter 6

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

Chapter 6 – Tracing ownership

In the previous articles we have shown you how we identified a possible scammer, visualized connections, contacted scammers and how they are using SEO to boost the ranking of their websites within search results. In this article, we explain how we used several tools and techniques to connect the different domains and information, ultimately leading to a single person that sits in the middle of the web like a spider. Is it Baljeet, who was mentioned in the previous chapter? Or are there more people working on this scam?

img1-download

img1b-name

img2-sourcecode

Using the following command on the Google drive we were investigating, it pulls the results shown below.

Command: GET https://www.googleapis.com/drive/v2/files/1RCDQWugm5km0fDufLx60kUL_iPu5qj_L?key={YOUR_API_KEY}

Result:

Though we hoped to find more domain names with our initial query, we simply pivoted on this phone number within RiskIQ for more mentions of it. And that is when we hit the jackpot.

img4-919540878969

Sector035/MW-OSINT – 18.08.2019