Communications Security on Iron March – An Intelligence Analysis

How do right-wing extremists secure their communications? The recent Iron March data leak gives insight into how its members tried to communicate outside the message board.

The recent leakage of a massive white supremacist message board named Iron March  sparked a wave of independent investigations by people all of over the world. The data contained in this leak provides many leads to practice OSINT skills in various disciplines. Whether it is googling usernames, correlating email addresses to social media profiles or looking up information on some of the domains shared on this message board; the breached data is a starting point for a plethora of different OSINT methods. Of course, I couldn’t resist and also took a dive into this leak as well! I decided to have a look at the content that was posted on Iron March. Not so much OSINT here, it is more general intelligence analysis I will be applying. One of the challenges was actually defining a clear goal. What did I want to unravel here? Did I want to reconstruct organizational structures? Did I want to investigate individuals and their backgrounds? Did I want to look at certain events?

Without narrowly defined intelligence requirements and thus key intelligence questions that should be answered, approaching such a big amount of data in a methodological way is nearly impossible. After reading the first couple of Iron March messages, I realized that the users often discussed others means of communication outside of the message board. So, I decided that my first goal would be to analyze the communications, security measures and the evolution of communications within this network. Having a better understanding of this topic will surely help the OSINT community to understand where to look for further information during this investigation.

When Iron March was set up, many users migrated from a previous platform called ITPF. Background information on both platforms can be found here. The first posts on Iron March clearly showed, that the users would regularly communicate outside of the message board as well. Among the these outside channels were mainly Skype, MSN, AIM and Facebook.

“You should download Skype it is a good service. Also you can use it just like MSN; you can type, I type most of the time.” Post on 23.09.2011 by Kacen (ID2)

“Not sure if you’re interested but I thought I’d ask, I’m launching a study group for American Fascism/Nationalism quite soon via facebook.” Post on 24.11.2011 by American_Blackshirt (ID35)

Eventually, members of Iron March even set up Skype groups to ensure communications. This enabled them to communicate directly with each other without delay, as it would have been on Iron March. At the time, Skype appeared secure to the members of the message board and was soon the preferred outside communication channel. Occasionally, other channels would also be used to communicate, sometimes even including gaming platforms.

“We have a good number of people in the Skype group and you should join.” Post on 25.01.2011 by Blood and Iron (ID3)

“do you have facebook, or steam, bf3 battlelog or something where us 2 can converse?” Post on 02.07.2012 by unkown

 The main reason people would use external messengers to communicate, was that they were more practical than using Iron March’s private messaging system. To gain access to Iron March PMs, the site had to be open in the browser. MSN and other messengers were client-based and could run in the background, immediately informing users of incoming messages. By late 2012, AIM and MSN were also still used frequently, something that would soon change after Microsoft discontinued MSN as a service in 2013.

“Hobbit, do you have MSN? A lot more practical than talking through PMs.” Post on 27.06.2012 by Damnatio Memoriae (ID279)

“Alright, I’ll get back to you again tomorrow, with my AIM, MSN, and SKYPE info.“ Post on 10.10.2012 by social_justice (ID17)

As early as mid 2012, many users were slowly turning away from Facebook, stating privacy issues as their main reason.

“I don’t use facebook anymore, it gives too much information away even if you use a proxy and false information, it’s an easy way to keep a “paper trail” on someone, so to speak.” Post on 03.07.2012 by Nebuchadnezzar II (ID288)

The use of external channels remained mostly unchanged until 2015, when new messaging and chat services started to appear on Iron March. Telegram and Tox were among the most popular services and were viewed as more secure than Skype. This also led to the exchange of Tox IDs, so the members could identify each other on the chat application.

“I need to get in contact with you. Download Tox and make an account with a secure login.” Post on 08.08.2015 by Fascism=Fun (ID7962)

“Another thing I wanna recommend is to use Telegram or Tox instead of Skype for organisational procedures and meetings. These are really good ways of communicating, and I know of three NatSoc and Fascist organisations within the U.S that use these services because of their security.” Post on 05.02.2016 by TheWeissewolfe (ID9304)

The post above is actually from the deputy leader of the infamous Atomwaffen Division. Whenever someone was interested in joining this organization, they were told to use Tox or Telegram for further communications. However, there was still a reasonable amount of doubt regarding the security of these new communication channels. Discussions about adding an extra layer of encryption ensued.

“Yeah I’m well aware the skype is compromised. Literally everything Microsoft is and has been for over a decade. Tox isn’t but it’s a WIP. Discord I don’t know much about but no doubt it is too. Secure channels aren’t really possible without doing your own encryption.” Post on 21.05.2016 by Xav (ID9476)

While most members of Iron March were very naïve in terms of operational security or communications security, some members had a fairly good understanding of the risks in open communications. One of these members was Atlas (ID9174), who claimed to be responsible for network and computer security for the British group National Action.

“Hi, I’m in charge of computer and online network security with National Action.” Post on 23.08.2015 by Atlas (ID9174)

Atlas often provided guidance on the use of secure emails and encryption with PGP. Overall, members were made aware not to use Hushmail and to rely on Protonmail or Tutonota instead. When sending emails to other providers they were to use PGP. He even wrote a PGP guide for National Action and distributed it on Iron March as well.

“Good job I just designed a PGP guide for National Action then, I’ll email you it, what’s your email?” Post on 01.09.2015 by Atlas (ID9174)

Other activities included checking the security of hosting servers. One of the most interesting conversations I have found in this dump so far was between Atlas and the founder and leader of the Atomwaffen Division, Odin. In September 2015, Odin reached out to Atlas regarding issues with PGP.

“Hello comrade I need to have my pgp shit setup properly and to be able to use it for communications with certain people before this weekend. I would be very greatful if you could help me.” Post on 14.09.2015 by Odin (ID7600)

Although many security measures were put in place, a lot of members of Iron March still were fairly confident that their activities had not drawn the attention of law enforcement yet. Some even openly expressed their total negligence of security openly on the message board. There was more fear of being doxed by left-wing organizations than becoming a target of police investigations.

“I’m glad you all understood the necessity for security. Here on IM I was shot down for daring to suggest such a necessity on the basis of: We don’t need it, we’re not ISIS. I ripped off all my ideas from some corny website anyway (that website being my blog btw lol).” Post on 04.05.2015 by Atlas (ID9174)

“The use of TOR, fake names, and these secure channels is more of security culture thing – we are not being actively monitored by say, the government (at least that is my personal opinon based on the information I have) but it encourages people to act more sensibly so they don’t get themselves doxed by leftists. I don’t like hearing about workplaces getting phoned up or individuals being exposed in the newspapers. Since the mirror article on my a couple of years ago practically everyone has been able to maintain a degree of anonymity. Obviously if they ever decide to raid anyone they are not going to find anything that can be used to build a case around them.” Post on 10.04.2016 by Daddy Terror (ID7)

Given the fact, that Daddy Terror (ID7) was the leader of the National Action movement in Great Britain, this statement is truly remarkable and shows how safe some of the members of these extremist communities felt in their online communications. Next to the platforms already revealed above, there were several other communications channels that were occasionally mentioned, e.g. Discord and even MySpace in the early days of Iron March. In the end, the use of external secure communications and additional encryption were blasted when the message board itself was hacked in 2017 and the data was recently leaked, exposing the identities and ideas of many members.

Thank god the Iron March admins didn’t have proper security measures in place and hopefully this data leak will help law enforcement worldwide investigate some of the malicious activities planned and discussed on the message board. Until then, I’ll continue to dig into this data, together with other OSINT enthusiasts, and see what stories can be unraveled next.

Matthias Wilson / 09.11.2019

 

The Importance of Grammar in Forensic Linguistics

1

Commas matter and grammar matters. Especially when you deal with threat letters, poison pen letters or even ransom notes. In this case, grammatical errors, misspellings or unique writing styles might reveal the person behind the mischievous texts. Are you dealing with one author or multiple individuals? Can you link these letters to other reference documents, e.g. internal employee emails? The art of analyzing written documents in investigations is a subset of forensic linguistics.

While I won’t go through any real examples in the following article, I would like to share my experience when dealing with such cases. First up, I won’t even try to get into graphology. This is the analysis of handwriting, in an attempt to evaluate personal characteristics or the psychological state of the writer.

Graphologist: “The author is a male and he is very angry, possibly holding a grudge against the recipient.”

Intel analyst: “No shit, sherlock. The handwriting is sloppy and why else would he write a poison pen letter?”

The most important tool for me is a set of highlighters. If dealing with multiple documents, I found it easer to print them out and to mark peculiarities with the highlighters and also add handwritten notes of my own. I use different colors for different categories. One for spelling mistakes, one for grammatical errors, one for the use of uncommon words or unique word-creations and lastly the final color for certain style elements.

Let’s start off with the first category: spelling mistakes. Many people have distinct spelling mistakes they constantly make. And not always will they recognize mistakes when proof-reading their own work. Sometimes these mistakes might also indicate if the author is a native speaker or not. A German writing an English text might automatically use Telefon instead of telephone. Furthermore, many languages capitalize nouns, so look out for this as well. Other spelling mistakes may derive from auto-correct functions in office. When I open Word, it assumes I’ll write in German and does the autocorrect based on the German dictionary. Newer versions of Word notice I’m typing English after about one sentence and then automatically adjust, older versions might need a manual reset. When typing or writing quickly, one may produce clerical errors, such as forgetting letters, adding letters or switching letters. In this case, always check to see how letters are allocated on the keyboard to understand the origin of these typos. Keep in mind that different countries use different keyboard-layouts!

The next one is a bit more tricky. I have to admit, my grammar isn’t the best. I usually just know that something looks weird, without being able to grasp the actual reason or grammar rule. So, in this phase of investigations I often google certain grammar rules to make sure my hunch was right. From simple things such as mixing up your and you’re, to the inproper use of commas, there are many different errors that might show up in multiple documents. One important thing to remember is, that it will be the sum of indicators that lead to successfully solving the case. It most likely won’t just be one blatant error.

Depending on an individual’s background, they may have a different spelling of words. It may vary between British or American English, it may contain colloquial terms or even slang and different dialects. Everything that differs from the standard form of writing in the specific area you are working in, should be marked with a highlighter. Using modern-day slang might indicate a younger person, old-fashioned terms will probably not be used by a kid. I once had a case, in which the author creatively invented new curse words I had never heard of before. Some of them where so hilarious, I actually added them to my personal vocabulary. Another example would be the use of local dialect. In Germany bread rolls are named differently in many regions: Brötchen, Wecken, Semmel, Schrippe, Krossen, Normale, Rundstücke; these are all the same thing! I’m sure similar examples can found in other languages and for more relevant terms as well. Try to figure out which region the word originates from. Again, a little googling can be helpful here.

Next up, concentrate on the style of writing. Is there anything that sticks out? Specific punctuation, such as the frequent use of exclamation marks or multiple dots…. Also, concentrate on the sentence structure. Is the author using short sentences or is he fond of long-winding sentences? Does the whole document read as if it were written by the same person? A shift in style may indicate that some part was copied from another document. Finally, have a look at the format: font, size, line spacing, alignment. After marking all documents according to the above points, it’s time to spread them out and get a birds-eye view of all of them. Sometimes, this will reveal more similarities or conspicuous features shared by multiple documents.

No, for the most important aspect: Assume your adversary, the author, is well aware of his distinct mistakes and style of writing! He might try to deceive us. Chaning the usual format, by using odd fonts or changing the alignment are easy to recognize, but sometimes an author will substitute some of his unique identifiers with another. Mostly by doing the exact opposite of what his style of writing is usually known for. Someone that uses long and complex sentences might break these down into short and concise sentences, making the letter look more like an old telegram. Obvious spelling mistakes might be implemented as well, to put us on the wrong track. However, anything that is deliberately done will likely follow a certain pattern. It is our job to identify this pattern.

Of course, there is much more that can be done when handling cases like these. Analyzing handwriting by overlaying different sets of handwritten words on each other is one technique that might help. This works really well in MS Office, since the office suite has some pretty impressive features to handle images. Furthermore, fingerprint identification (dactyloscopy), analyzing the paper, trying to trace back emails; a broad variety of methods can be applied here. Maybe even the graphologist, if you’re that desperate. As with all intelligence analysis, it is important to never fully rely on just one method. Combine what you have at hand to achieve the best result.

After this brief introduction to the topic of forensic linguistics, I will prepare an example for a future article, highlighting the aforementioned. I just have to figure out who I want to blackmail or send a poison pen letter to. Maybe one of the scammers from a previous project.

Matthias Wilson / 01.10.2019

Unravelling the Norton Scam – Final Chapter

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

Chapter 6 – Tracing ownership

Final Chapter – Putting the pieces together

Time to finally unravel the Norton scam. Sector and I have decided to conclude our investigations and put the pieces together, after spending countless hours working on this case. Every time we thought we had figured it out, new information was found, taking us down another rabbit hole. Sometimes we spent days following a lead, just to find out that it wasn’t related to our case at all. As with most investigations, we were not able to solve all mysteries, but we are pretty sure we identified the company and some individuals behind this massive scam scheme.

In the last chapter, we pointed out how everything led to specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got a hold of a woman named Priya and told her that a friend of mine had recommend them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly 150$ on PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.

1

During our research, we also came across a site which offered web design services to US customers and to which we had actually found legit websites they had created. This is something very common: using a US frontend to sell IT-services that are performed in India. So, not everything the team did was illegal or scam-related.

2

In order to promote the scam sites, another team was responsible for search engine optimization (SEO). The SEO team was most likely also located in the offices of the web design team, probably under the same leadership. Their job is to flood the internet with backlinks in order to promote the scam sites. So far, we have found more than 20,000 entries for this cause. From Facebook posts, to Medium blogs, to comments on non-related webpages; a large variety of backlinks were created in the past year.

3.png

As mentioned in chapter 3, the purpose of the scam is have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.

4.png

These call center agents were hired by a company named 4compserv, which is located at an address that was also used to register some of the identified scam domains. We suspect this is root of all evil, the company behind the scheme. Or at least some employees of the company, since we have also found evidence of 4compserv conducts legal business as well.

5.png

More evidence came up, which proves that the web design office and the call center are definitely related. Shortly after I had spoken to the boss of the web design office, I received a phone call from the number linked to the call center (+91.97117613). Unfortunately, I missed the call and haven’t been able to reach them ever since. Furthermore, one of the scammers I had personally texted with recently updated the CV on his website. Have a look at his current jobs:

6.png

While there are still some questions to be answered, our research has enabled us to have an overall understanding of the network and the techniques used to run their scam, as well as identifying the company most likely behind this scam: 4compserv in Noida, India.

7.png

Along the way, we would often stumble upon funny facts. Some of the scam developers were just so sanguine, they didn’t want to obscure their tracks. Such as the preferred use of the name ‘Nancy Wilson’ to register domains or create sock puppets. The original websites the scammers had set up were very crude, now it seems they are using nice looking WordPress templates, including chatbots. Usually, the chatbot would ask for a phone number, so the scammers can call back. And guess who you would be chatting with on all of these sites? Good ol’ Nancy!

8

We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a largescale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness for similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimetely ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammer’s massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/Matthias Wilson – 25.08.2019

We explicitly decided to keep the disclosure of personal information on the investigated individuals to a minimum in these blog posts. However, the complete information gathered is available to law enforcement and/or the companies targeted by this scam upon request.

Unravelling the Norton Scam – Chapter 4

What are backlinks and how are they used in the Norton scam? Our OSINT investigations lead us into the world of SEO.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Our project started with a fake profile on Medium, which led us to several scam websites claiming to provide tech support. While the total number of these sites hasn’t risen much over the past months, entries promoting this scam on blogs, social media profiles and in comments on other websites have drastically risen. We see this as a crude search engine optimization (SEO) attempt.

Throughout the investigations we found individuals specializing in SEO, who where also likely linked to the network we were tracking. One of the sites that popped up in our search was yahoophonesupports(dot)com. Unlike previous fake sites that used Indian addresses and fake English-named personas, such as Nancy Wilson or Steven Dalton, this one was registered by someone named Jiya with a real looking email address. We had narrowed down our search to the city of Noida in India and the phone number used to register the site was definitely linked to our scam network. While most names used to register domains clearly came from fictitious peoples, maybe this was one was real.

1.png

Searching for the name on Google led to a result that fits the picture: Jiya from Noida offering SEO services.

2.png

Jiya mentions backlinks and blogger outreach, something we have seen in our scam as well. Let me explain the concept of backlinks, also known as inbound links. A backlink is a link on page A referring to page B. Most search engines interpret backlinks as votes on the popularity of a website. So, the more backlinks that lead to page B, the more popular this page seems and thus it will be rated higher in search results. The easiest way to create cheap backlinks is using free blogs, for example Medium. Googling the phone number used in this scam, we come up with over 1.000 Medium posts and sites, each also containing the link to one of the fake support sites, such as nortonhelpus(dot)com.

3.png

We are not only seeing this on Medium, but across many platforms. The amount of backlinks created clearly indicates that we are dealing with a large team of people, as this is probably not possible by one person or a small team alone. The number of search results for the phone number shown above has risen from 4,000 in May to about 21,000 this week and is still rising!

Of course, most posts come from obvious sock puppets, created with fake names and stolen profile pictures. Here’s Brad Pitt, alias James Rocky, offering tech support.

4.png

Once these sites are set up, clicking on the links can be automated, so that the target website (in this case all-emailsupport(dot)com) receives traffic, basically boosting its search index rating. The scam network is not expecting to generate any phone calls or support requests from these obviously fake Medium sites, these are just used in the SEO process for the actual scam site. We have been seeing these SEO-enablers on Twitter, Issuu and basically any platform that allows you to post information “quick and dirty”.

During our project we also looked at Google Trends, to figure out where the main targets of this scam were likely located. Obviously in the US, as the main tech support phone numbers were US toll-free numbers. However, we also noticed a British phone number. Google Trends allows you to look up search terms and see the interest over time and the region of interest for that specific search term. We were curious to see if any notable searches on one of the scam topics was googled in the UK often. We checked “activate Norton”, since this was one of the main services the scam network was allegedly offering: activating an expired Norton account.

5

Sure enough, the main regions that googled this term were the US and India. The US is obvious. This is the market the scammers are targeting. But why does India rank higher? One explanation could be testing the search term during the SEO-process. Coincidently, some of the peaks in the interest over time relate to time periods in which new fake sites were created. No notable searches were seen coming from the UK.

As mentioned before, most of the bogus blog posts were created really sloppy, as their sole purpose was to generate backlinks. We also found several sites linked to this scam that were apparently selling software. A lot of these sites were created using predefined templates, in some cases showing the shipping time or the general location on a map.

6

Apparently, the creator of this site had his location (likely based on a geolocation through Google) automatically added and didn’t bother to change it before putting the site online. In any case, he achieved his goal: A backlink to a scam site.

Now that we’ve learned how this scam uses SEO to promote their wrongdoings, is there anything that can be done to effectively tamper this scam network? How about Google, Bing, Yahoo and other major search engines take any site off their listing that features “+1-844-947-4746”.

Except ours, we’re the good guys!

Sector035/Matthias Wilson – 11.08.2019