Car Spotting and OSINT

Looking for specific car? Next to googling it, you could try a car spotting site to find pictures that might provide further leads for your OSINT investigations.

A while back, @Wondersmith_Rae wrote a great article on maritime OSINT. In this, vessel tracking sites were mentioned, which allow us to identify ships and monitor their movements. Wouldn’t it be neat to have something similar for cars?

While we will never be able to track and identify cars just as good as we can track large ships, this article will provide some useful hints that can help with OSINT on vehicles. But which data is relevant when researching cars and motorcycles? As most vehicles are mass-produced, research based solely on the manufacturer, model and color might be a bit challenging. So, we will need unique identifiers such as the VIN or license plate.

The VIN, or vehicle identification number, is a 17-digit code which is assigned to every vehicle when it’s manufactured. The are several paid databases that will enable looking-up a VIN and retrieving information on the vehicle and possibly its history. If you don’t want to spend money, just try googling the VIN. Since it is so unique, you probably won’t receive a lot of results and thus not many false positives.

1.png

One of my favorite free sites to obtain information on VINs and vehicles in the US is Poctra. This site crawls the web for salvage vehicles and archives all available information and pictures. Let us see what Poctra reveals on the VIN I had googled.

2.png

High-res images, the location of the auction, mileage and sometimes even a license plate. There are plenty of pivot points to conduct more OSINT here.

If we have a license plate, and the car is something a car spotter might take interest in, we might find images of it on various car spotter websites. Next to PlatesMania, my favorite site is Autogespot. Both allow to search by license plate.

Enough theory, time for a practical example. Arsenal London football player Pierre-Emerick Aubameyang was often seen with a Ferrari LaFerrari. Even though he lives in London, this vehicle does not carry a British license plate. A great repository of license plates can be found at World License Plates, in case you have to figure out which country the license plate originates from first. It turns out that Aubameyang’s Ferrari is registered in Germany. His license plate is AIB-Q 1414. Let us see if we can find this car on Autogespot.

By clicking on “More Filters” on the top right of the website, we can define our query.

3

This leads to several results, each containing multiple high-res images. Not all images are publicly accessible if you are not a paying member of Autogespot, but there is a workaround to retrieve the pictures hidden behind the paywall. We’ll get to that in a minute.

4.png

The top left entry shows that Aubameyang’s Ferrari was spotted in London on 21 September 2019 and that this sighting contains 10 pictures. The spotter also links his Instagram account, which might lead to further images. So, make sure you always pivot your investigations to these additional profiles as well.

5.png

6

Sometimes, we can retrieve the other pictures from Autogespot even without paying for a premium account. Just copy the URL of the page you are on and query it in Google.  Then have a look at the image results. Here are the other nine images:

7.png

The information we now obtained is once more useful as a pivot point for further investigations. Maybe we can geolocate the exact location the vehicle was parked at and thus know where Aubamayeng was on 21 September 2019 after lunch. Maybe these pictures could provide evidence that a vehicle was damaged prior to a current insurance claim. There are many reasons why tracking and identifying vehicles may be useful. When researching license plates, keep in mind that a simple search engine query or query within social media might also lead to results. In our case, it leads us to results on Twitter, Instagram and press articles, next to the car spotter sites we have looked at already.

8.png

There are plenty of other platforms worldwide that track vehicles and allow queries by license plate, another one of my personal favorites is Nomerogram (Номерограм) in Russia. This site not only displays luxury cars, but also every-day, ordinary cars. I guess this is related to Russian’s love of dashcams, resulting in a massive amount of video and imagery on all kinds of traffic participants.

9.png

With the techniques and sources shown above, a vehicle can be manually tracked to a certain extent. This tracking, however, will rely on geolocating the image. To practice this, I recommend participating in the @quiztime geolocation challenges on Twitter. In a future blog article, I’ll look at Wigle and see how this platform could help track cars as well.

Until then, have fun looking up exotic cars on the aforementioned sites. That is, unless you prefer going through pictures of banged-up, rusty Ladas on Nomerogram. Hey, I’m not judging!

Matthias Wilson / 07. December 2019

Researching Right-Wing Extremism in Central Europe

How to start investigations on right-wing extremists? Work your way through multiple social media platforms and combine information to generate leads!

The recent Iron March Leak once again showed the extent of right-wing extremism within our society. This leak provided a massive mount of data to conduct online investigations. While Iron March was shut down, the individuals behind it still use many other platforms to disseminate their thoughts and ideas and to communicate among each other. Of course, the new communication channels they use won’t be found with a mere Google search. In order to find such sites, we will have to follow the digital breadcrumbs across various social media networks. In this article, I would like to show starting points for OSINT research and how to work your way through different platforms to identify potentially relevant information when tracking down right-wing extremists.

Looking through social media, we will unfortunately find lots of people that follow a racist or fascist ideology. These people might not be the actual targets we are looking for, but they could lead us to them. Especially in Germany and other central European countries, many people have left Facebook and Twitter after their accounts were temporarily suspended or deleted upon sharing hate speech, which under certain circumstances is a criminal offence. They found refuge on the Russian Facebook-clone VKontakte (short: VK) and Gab, as an alternative to Twitter. In order to access information on these platforms, we will of course have to create sockpuppets. VK also allows logging on with a Facebook-account, as do many other social media platforms.

Let us start our research from scratch. First, we will have to identify individuals that might be worth investigating. Since many of these individuals think of themselves as “patriots” in Germany, searching for this term might lead to some initial results on VK.

1

2.png

Et voilà, the first VK-group to investigate. As you can see, this group also cites a Facebook-page. However, the Facebook-presence has been deleted and does not exist anymore. Going through the posts on this page and having a look at the members clearly shows that we are on the right track. Below are profile pictures of some of the members. Many images shown here, such as the swastika, are banned by law in Germany. Yet, on VK German citizens are free to display their ideology without any notable repercussions.

3

While the information posted within the VK-Group “German Patriots” might not lead to real extremist sites, the information shared by members of the group on their personal profiles could get us there. With no way of automating the next step, one of the most important OSINT traits is now needed: perseverance. This means we will have look at a number of these personal profiles manually to find new leads. Instead of going through all 2000+ member-profiles, let us concentrate on the ones with the most disturbing profile pictures. One interesting aspect during this investigation, is the fact that many people that can be found here have Russian-ancestry. This means we might also find information on another Russian social platform called Odnoklassniki (short: OK). Keep this in mind when conducting OSINT on people of Russian origin.

It doesn’t take long and we find hints towards the use of other platforms and communication channels outside of VK. Some individuals have posted their Skype-usernames, some link Telegram channels. One post from January 2018 describes an independent message board outside of Facebook and VK. The author invites people to join this outside platform by commenting or liking the post, after which he will get in contact with them and invite them to the newly created site. Interestingly, he doesn’t disclose the name or URL of his VK and Facebook alternative.

4

The author hasn’t publicly been active on VK since this post, although he did access it just two days ago. VK displays the last time of user activity, a useful feature to determine if the account is still active, even if nothing is publicly posted.

5

Regarding the unspecified platform mentioned above, I remembered stumbling upon such a site while conducting a similar search on Facebook. There I had also started by looking for profiles and pages containing derivations of “patriot”. This led me to a page called “Patrioten-Treff”, promoting a Facebook-like platform.

6.png

It turns out that this project started in early or mid-2017 and by December 2017/January 2018 it had opened to public. It was exactly the type of right-wing extremist forum I was looking for.

7.png

8.png

Online shops, racist discussions, team speak servers, organized events; “Patrioten-Treff” had it all. By linking the information I had found on VK and Facebook, it is likely that the person I had come across on VK was actually part of the team behind this new right-wing social media alternative. By early 2019 it was offline, but the content displayed there was more radical than anything seen on standard social media. Regarding the reason it shut down, it could be out of lack of funding. Before “Patrioten-Treff” was taken down, they requested funding to cover the expenses. Payment could be made by Bitcoin, direct transfer, Alipay and Paypal. Again, providing further leads to conduct OSINT investigations.

9.png

Patrioten-Treff had 2,500 users and was not even able to raise 80 Euros a month. I guess right-wing extremists are a bit stingy. Next to financial support, content moderators were needed. These moderators would communicate using WhatsApp.

10.png

While Patrioten-Treff is currently offline, the Facebook-page continues to be active every once and while. A recent post from September 2019 shared a Telegramm channel of the German neo-Nazi party Der III. Weg.

11

In this cross-domain investigation, manually searching for information on one social media platform led us to a plethora of new starting points to dive into. From VK to Skype, from Facebook to Telegram, from Bitcoin to WhatsApp; there are now plenty of leads to follow up upon. Not all leads can be investigated with OSINT, but this type of intelligence might provide the information we need to conduct Virtual HUMINT (VUMINT), enabling an infiltration of the new message board, Telegram channels or WhatsApp groups. I didn’t go that far, but I’m sure someone or some organization did.

By the way, the methodology described above can also be used to track other extremist groups. I wonder if other groups are just as cheap as the right-wing that couldn’t raise 80 Euros to host a website?

Matthias Wilson / 01.12.2019

Communications Security on Iron March – An Intelligence Analysis

How do right-wing extremists secure their communications? The recent Iron March data leak gives insight into how its members tried to communicate outside the message board.

The recent leakage of a massive white supremacist message board named Iron March  sparked a wave of independent investigations by people all of over the world. The data contained in this leak provides many leads to practice OSINT skills in various disciplines. Whether it is googling usernames, correlating email addresses to social media profiles or looking up information on some of the domains shared on this message board; the breached data is a starting point for a plethora of different OSINT methods. Of course, I couldn’t resist and also took a dive into this leak as well! I decided to have a look at the content that was posted on Iron March. Not so much OSINT here, it is more general intelligence analysis I will be applying. One of the challenges was actually defining a clear goal. What did I want to unravel here? Did I want to reconstruct organizational structures? Did I want to investigate individuals and their backgrounds? Did I want to look at certain events?

Without narrowly defined intelligence requirements and thus key intelligence questions that should be answered, approaching such a big amount of data in a methodological way is nearly impossible. After reading the first couple of Iron March messages, I realized that the users often discussed others means of communication outside of the message board. So, I decided that my first goal would be to analyze the communications, security measures and the evolution of communications within this network. Having a better understanding of this topic will surely help the OSINT community to understand where to look for further information during this investigation.

When Iron March was set up, many users migrated from a previous platform called ITPF. Background information on both platforms can be found here. The first posts on Iron March clearly showed, that the users would regularly communicate outside of the message board as well. Among the these outside channels were mainly Skype, MSN, AIM and Facebook.

“You should download Skype it is a good service. Also you can use it just like MSN; you can type, I type most of the time.” Post on 23.09.2011 by Kacen (ID2)

“Not sure if you’re interested but I thought I’d ask, I’m launching a study group for American Fascism/Nationalism quite soon via facebook.” Post on 24.11.2011 by American_Blackshirt (ID35)

Eventually, members of Iron March even set up Skype groups to ensure communications. This enabled them to communicate directly with each other without delay, as it would have been on Iron March. At the time, Skype appeared secure to the members of the message board and was soon the preferred outside communication channel. Occasionally, other channels would also be used to communicate, sometimes even including gaming platforms.

“We have a good number of people in the Skype group and you should join.” Post on 25.01.2011 by Blood and Iron (ID3)

“do you have facebook, or steam, bf3 battlelog or something where us 2 can converse?” Post on 02.07.2012 by unkown

 The main reason people would use external messengers to communicate, was that they were more practical than using Iron March’s private messaging system. To gain access to Iron March PMs, the site had to be open in the browser. MSN and other messengers were client-based and could run in the background, immediately informing users of incoming messages. By late 2012, AIM and MSN were also still used frequently, something that would soon change after Microsoft discontinued MSN as a service in 2013.

“Hobbit, do you have MSN? A lot more practical than talking through PMs.” Post on 27.06.2012 by Damnatio Memoriae (ID279)

“Alright, I’ll get back to you again tomorrow, with my AIM, MSN, and SKYPE info.“ Post on 10.10.2012 by social_justice (ID17)

As early as mid 2012, many users were slowly turning away from Facebook, stating privacy issues as their main reason.

“I don’t use facebook anymore, it gives too much information away even if you use a proxy and false information, it’s an easy way to keep a “paper trail” on someone, so to speak.” Post on 03.07.2012 by Nebuchadnezzar II (ID288)

The use of external channels remained mostly unchanged until 2015, when new messaging and chat services started to appear on Iron March. Telegram and Tox were among the most popular services and were viewed as more secure than Skype. This also led to the exchange of Tox IDs, so the members could identify each other on the chat application.

“I need to get in contact with you. Download Tox and make an account with a secure login.” Post on 08.08.2015 by Fascism=Fun (ID7962)

“Another thing I wanna recommend is to use Telegram or Tox instead of Skype for organisational procedures and meetings. These are really good ways of communicating, and I know of three NatSoc and Fascist organisations within the U.S that use these services because of their security.” Post on 05.02.2016 by TheWeissewolfe (ID9304)

The post above is actually from the deputy leader of the infamous Atomwaffen Division. Whenever someone was interested in joining this organization, they were told to use Tox or Telegram for further communications. However, there was still a reasonable amount of doubt regarding the security of these new communication channels. Discussions about adding an extra layer of encryption ensued.

“Yeah I’m well aware the skype is compromised. Literally everything Microsoft is and has been for over a decade. Tox isn’t but it’s a WIP. Discord I don’t know much about but no doubt it is too. Secure channels aren’t really possible without doing your own encryption.” Post on 21.05.2016 by Xav (ID9476)

While most members of Iron March were very naïve in terms of operational security or communications security, some members had a fairly good understanding of the risks in open communications. One of these members was Atlas (ID9174), who claimed to be responsible for network and computer security for the British group National Action.

“Hi, I’m in charge of computer and online network security with National Action.” Post on 23.08.2015 by Atlas (ID9174)

Atlas often provided guidance on the use of secure emails and encryption with PGP. Overall, members were made aware not to use Hushmail and to rely on Protonmail or Tutonota instead. When sending emails to other providers they were to use PGP. He even wrote a PGP guide for National Action and distributed it on Iron March as well.

“Good job I just designed a PGP guide for National Action then, I’ll email you it, what’s your email?” Post on 01.09.2015 by Atlas (ID9174)

Other activities included checking the security of hosting servers. One of the most interesting conversations I have found in this dump so far was between Atlas and the founder and leader of the Atomwaffen Division, Odin. In September 2015, Odin reached out to Atlas regarding issues with PGP.

“Hello comrade I need to have my pgp shit setup properly and to be able to use it for communications with certain people before this weekend. I would be very greatful if you could help me.” Post on 14.09.2015 by Odin (ID7600)

Although many security measures were put in place, a lot of members of Iron March still were fairly confident that their activities had not drawn the attention of law enforcement yet. Some even openly expressed their total negligence of security openly on the message board. There was more fear of being doxed by left-wing organizations than becoming a target of police investigations.

“I’m glad you all understood the necessity for security. Here on IM I was shot down for daring to suggest such a necessity on the basis of: We don’t need it, we’re not ISIS. I ripped off all my ideas from some corny website anyway (that website being my blog btw lol).” Post on 04.05.2015 by Atlas (ID9174)

“The use of TOR, fake names, and these secure channels is more of security culture thing – we are not being actively monitored by say, the government (at least that is my personal opinon based on the information I have) but it encourages people to act more sensibly so they don’t get themselves doxed by leftists. I don’t like hearing about workplaces getting phoned up or individuals being exposed in the newspapers. Since the mirror article on my a couple of years ago practically everyone has been able to maintain a degree of anonymity. Obviously if they ever decide to raid anyone they are not going to find anything that can be used to build a case around them.” Post on 10.04.2016 by Daddy Terror (ID7)

Given the fact, that Daddy Terror (ID7) was the leader of the National Action movement in Great Britain, this statement is truly remarkable and shows how safe some of the members of these extremist communities felt in their online communications. Next to the platforms already revealed above, there were several other communications channels that were occasionally mentioned, e.g. Discord and even MySpace in the early days of Iron March. In the end, the use of external secure communications and additional encryption were blasted when the message board itself was hacked in 2017 and the data was recently leaked, exposing the identities and ideas of many members.

Thank god the Iron March admins didn’t have proper security measures in place and hopefully this data leak will help law enforcement worldwide investigate some of the malicious activities planned and discussed on the message board. Until then, I’ll continue to dig into this data, together with other OSINT enthusiasts, and see what stories can be unraveled next.

Matthias Wilson / 09.11.2019

 

OSINT Key Findings in the Year 2009

Syria, nonproliferation sanctions, OSINT, Google Dorks and SIGINT. In 2009, these all came together in an interesting investigation.

Earlier this year, I wrote an article about my opinion on the future of OSINT and while doing so, I had to think about how OSINT looked in the past and how it has evolved over the years. Gathering and analyzing information, not only through OSINT, has always been my passion and I’ve been doing this for about 20 years now. Just like the recent project with Sector035, where we unraveled a massive scam network, I have often conducted research on specific topics purely out of curiosity. These side projects were never work related, but the skills I then learned were eventually useful throughout my career. Often, reading a simple news article would send me down a rabbit hole. From looking up related news articles to spending hours on Wikipedia to creating link charts, largescale investigations were always only a mouse-click away.

I just recently recalled a project I worked on in early 2009. It all started with me looking into various nonproliferation sanctions lists. I think it was a news article that sparked my interest. These sanctions were and are imposed on countries that have been accused of trying to procure and/or produce weapons of mass destruction, e.g. nuclear, chemical or biological weapons. I started looking into government and non-government entities from Syria on those lists. Remember, this was back in 2009. There weren’t really many sophisticated OSINT tools back then, so most findings resulted from simple Google queries.

One of the entities I looked at was the Mechanical Construction Factory. Googling this led to millions of results, so I narrowed it down by adding quotation marks: “Mechanical Construction Factory”. My next step was looking for this search term in specific filetypes. PDF or Powerpoint documents have the tendency to contain more relevant information than your average webpage. Adding the filetype-operator in Google led to some rather interesting results.

For example, the Greek Exporters Association (SEVE) posted monthly spreadsheets of tenders originating from Syria. These lists contained information on who requested the offer (including addresses, phone numbers and email-addresses), as well as goods they were seeking to acquire.

1

In order to find all tender spreadsheets on this page, I again used Google dorks. Combining the site-operator with the filetype-operator brought up all the PDFs saved in the 2008 directory. Since I only wanted to look at the PDFs for Syria, I used Google Translate to obtain the Greek spelling of Syria, as each spreadsheet had this somewhere in the document. The final query looked like this:

2

I now had a long list of Syrian companies that had requested to purchase goods from Greece. Not only that, multiple companies used the same phone numbers, so I could assume that they were linked to each other in some way. I recall finding one or two companies that were linked to a sanctioned company by a phone number and that weren’t listed themselves.

Playing around with Google dorks had me find plenty of interesting material to go through. While I can still reproduce the example mentioned above (just try it yourself), the most interesting finding in this case is unfortunately lost.

Back then, Turkey had a government organization named “Undersecretariat for Defence Industries”. The Turkish abbreviation of this was SSM. The SSM-website doesn’t exist anymore, as the organization was renamed and restructured in 2018 (as SSB). This organization posted roughly 150 scanned original tenders from Syria on their website. While not directly accessible through a dedicated page, using the Google dorks had them appear in my queries. These documents contained phone numbers, addresses, signatures and seals that were stamped on the paper. Apparently, they were sent to Turkey in hardcopy or scanned and then sent electronically.

Keep in mind, I did all this at home. This was my hobby and not related to my actual line of work. I was a SIGINTer, not an OSINTer at work, tasked with a completely different area of operations. However, these original documents seemed like something my colleagues working on Syria would also be interested in. I took an example of one of the tender documents to work one day and showed it to the guys at the Syria desk. They could not believe that I had just found this online. Some of them where even convinced that I had access to their data and pulled it from there. I ended up directing them to all the documents I had discovered on the aforementioned Turkish site and they proved to compliment the knowledge the Syria desk already had.

While writing this article, I tried to find the those documents using the Wayback Machine, but as I previously mentioned they weren’t actually located on a site that could be easily accessed. So, they unfortunately weren’t archived. I went through the complete site map in the Wayback Machine with no luck. For those of you who don’t know this function, try it out. It is great to get an overview of the structure of a historic webpage.

3.png

In 2009, many people underestimated the power of OSINT. In 2019, I don’t think many people will make that mistake again. No fancy tools were needed back then, just some Google dorks and perseverance to manually go through hundreds of PDFs. Although things have changed in the OSINT world and continue to change as we move along, I am sure there is still plenty of juicy information that can be found on the internet by just mastering the use of Google operators. Happy hunting, fellow OSINTers!

Matthias Wilson / 27.09.2019

Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

1

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

2

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to  TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

3.png

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.                                       4.png

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

6

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

7.png

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019

 

Unravelling the Norton Scam – Final Chapter

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

Chapter 6 – Tracing ownership

Final Chapter – Putting the pieces together

Time to finally unravel the Norton scam. Sector and I have decided to conclude our investigations and put the pieces together, after spending countless hours working on this case. Every time we thought we had figured it out, new information was found, taking us down another rabbit hole. Sometimes we spent days following a lead, just to find out that it wasn’t related to our case at all. As with most investigations, we were not able to solve all mysteries, but we are pretty sure we identified the company and some individuals behind this massive scam scheme.

In the last chapter, we pointed out how everything led to specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got a hold of a woman named Priya and told her that a friend of mine had recommend them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly 150$ on PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.

1

During our research, we also came across a site which offered web design services to US customers and to which we had actually found legit websites they had created. This is something very common: using a US frontend to sell IT-services that are performed in India. So, not everything the team did was illegal or scam-related.

2

In order to promote the scam sites, another team was responsible for search engine optimization (SEO). The SEO team was most likely also located in the offices of the web design team, probably under the same leadership. Their job is to flood the internet with backlinks in order to promote the scam sites. So far, we have found more than 20,000 entries for this cause. From Facebook posts, to Medium blogs, to comments on non-related webpages; a large variety of backlinks were created in the past year.

3.png

As mentioned in chapter 3, the purpose of the scam is have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.

4.png

These call center agents were hired by a company named 4compserv, which is located at an address that was also used to register some of the identified scam domains. We suspect this is root of all evil, the company behind the scheme. Or at least some employees of the company, since we have also found evidence of 4compserv conducts legal business as well.

5.png

More evidence came up, which proves that the web design office and the call center are definitely related. Shortly after I had spoken to the boss of the web design office, I received a phone call from the number linked to the call center (+91.97117613). Unfortunately, I missed the call and haven’t been able to reach them ever since. Furthermore, one of the scammers I had personally texted with recently updated the CV on his website. Have a look at his current jobs:

6.png

While there are still some questions to be answered, our research has enabled us to have an overall understanding of the network and the techniques used to run their scam, as well as identifying the company most likely behind this scam: 4compserv in Noida, India.

7.png

Along the way, we would often stumble upon funny facts. Some of the scam developers were just so sanguine, they didn’t want to obscure their tracks. Such as the preferred use of the name ‘Nancy Wilson’ to register domains or create sock puppets. The original websites the scammers had set up were very crude, now it seems they are using nice looking WordPress templates, including chatbots. Usually, the chatbot would ask for a phone number, so the scammers can call back. And guess who you would be chatting with on all of these sites? Good ol’ Nancy!

8

We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a largescale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness for similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimetely ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammer’s massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/Matthias Wilson – 25.08.2019

We explicitly decided to keep the disclosure of personal information on the investigated individuals to a minimum in these blog posts. However, the complete information gathered is available to law enforcement and/or the companies targeted by this scam upon request.