OSINT Key Findings in the Year 2009

Syria, nonproliferation sanctions, OSINT, Google Dorks and SIGINT. In 2009, these all came together in an interesting investigation.

Earlier this year, I wrote an article about my opinion on the future of OSINT and, while doing so, I had to think about how OSINT looked in the past and how it has evolved over the years. Gathering and analyzing information, not only through OSINT, has always been my passion and I’ve been doing this for about 20 years now. Just like the recent project with Sector035, where we unraveled a massive scam network, I have often conducted research on specific topics purely out of curiosity. These side projects were never work related, but the skills I learned along the way were eventually useful throughout my career. Often, reading a simple news article would send me down a rabbit hole. From looking up related news articles to spending hours on Wikipedia to creating link charts, large-scale investigations were always only a mouse-click away.

I just recently recalled a project I worked on in early 2009. It all started with me looking into various nonproliferation sanctions lists. I think it was a news article that sparked my interest. These sanctions were and are imposed on countries that have been accused of trying to procure and/or produce weapons of mass destruction, e.g. nuclear, chemical or biological weapons. I started looking into government and non-government entities from Syria on those lists. Remember, this was back in 2009. There weren’t really many sophisticated OSINT tools back then, so most findings resulted from simple Google queries.

One of the entities I looked at was the Mechanical Construction Factory. Googling this led to millions of results, so I narrowed it down by adding quotation marks: “Mechanical Construction Factory”. My next step was looking for this search term in specific file types. PDF or PowerPoint documents tend to contain more relevant information than your average webpage. Adding the filetype operator in Google led to some rather interesting results.

For example, the Greek Exporters Association (SEVE) posted monthly spreadsheets of tenders originating from Syria. These lists contained information on who requested the offer (including addresses, phone numbers and email addresses), as well as the goods they were seeking to acquire.


In order to find all tender spreadsheets on this page, I again used Google dorks. Combining the site operator with the filetype operator brought up all the PDFs saved in the 2008 directory. Since I only wanted to look at the PDFs for Syria, I used Google Translate to obtain the Greek spelling of Syria, as each spreadsheet had this somewhere in the document. The final query looked like this:


I now had a long list of Syrian companies that had requested to purchase goods from Greece. Not only that, multiple companies used the same phone numbers, so I could assume that they were linked to each other in some way. I recall finding one or two companies that were linked to a sanctioned company by a phone number and that weren’t listed themselves.
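The pivot described above, linking companies that are not on a sanctions list to a listed one through a shared phone number or e-mail address, as an added Python example (not tooling from the original post). The tender rows, the company names and the sanctions hit are all constructed placeholders:

```python
import re
from collections import defaultdict, deque

# Constructed rows in the shape of the tender lists described above
# (who requested the offer, with phone number and e-mail). All values are made up.
TENDERS = [
    {"company": "Alpha Trading Co", "phone": "+963 11 555 0100", "email": "info@alpha.example"},
    {"company": "Beta Engineering", "phone": "+963-11-5550100", "email": "sales@beta.example"},
    {"company": "Gamma Supplies",   "phone": "+963 11 555 0200", "email": "SALES@beta.example"},
    {"company": "Delta Import",     "phone": "+963 11 555 0300", "email": "delta@delta.example"},
]

# Placeholder sanctions-list hit; a real run would match names against the list itself.
SANCTIONED = {"Alpha Trading Co"}


def normalize(kind, value):
    """Canonicalise an identifier so formatting differences do not hide a match."""
    if kind == "phone":
        return re.sub(r"\D", "", value)   # digits only: "+963-11-5550100" == "+963 11 555 0100"
    return value.strip().lower()          # e-mail addresses compare case-insensitively


def build_graph(rows):
    """Bipartite adjacency: company <-> (kind, identifier), so two companies that share
    a phone number or e-mail address are connected through that identifier node."""
    adj = defaultdict(set)
    for row in rows:
        for kind in ("phone", "email"):
            ident = (kind, normalize(kind, row[kind]))
            adj[row["company"]].add(ident)
            adj[ident].add(row["company"])
    return adj


def links_to_sanctioned(rows, sanctioned, max_hops=3):
    """For every unlisted company reachable from a sanctioned one, return the nearest
    sanctioned company, the number of shared-identifier hops and the chain of identifiers."""
    adj = build_graph(rows)
    result = {}
    for start in sanctioned:
        queue = deque([(start, [])])   # breadth-first, so the first hit is the shortest chain
        seen = {start}
        while queue:
            company, chain = queue.popleft()
            for ident in adj[company]:
                for other in adj[ident]:
                    if other in seen:
                        continue
                    seen.add(other)
                    path = chain + [ident]
                    if other not in sanctioned:
                        prev = result.get(other)
                        if prev is None or len(path) < prev["hops"]:
                            result[other] = {"via": start, "hops": len(path), "chain": path}
                    if len(path) < max_hops:
                        queue.append((other, path))
    return result


if __name__ == "__main__":
    for company, link in links_to_sanctioned(TENDERS, SANCTIONED).items():
        print(f"{company}: {link['hops']} hop(s) to {link['via']} via {link['chain']}")
```

The output is a lead list, not proof: a shared switchboard number or a web designer's contact address produces the same edge as real common ownership, so each chain still needs manual confirmation.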

Playing around with Google dorks turned up plenty of interesting material to go through. While I can still reproduce the example mentioned above (just try it yourself), the most interesting finding in this case is unfortunately lost.

Back then, Turkey had a government organization named “Undersecretariat for Defence Industries”. The Turkish abbreviation of this was SSM. The SSM website doesn’t exist anymore, as the organization was renamed and restructured in 2018 (as SSB). This organization posted roughly 150 scanned original tenders from Syria on their website. While not directly accessible through a dedicated page, Google dorks made them appear in my queries. These documents contained phone numbers, addresses, signatures and seals that were stamped on the paper. Apparently, they were sent to Turkey in hardcopy or scanned and then sent electronically.

Keep in mind, I did all this at home. This was my hobby and not related to my actual line of work. I was a SIGINTer, not an OSINTer at work, tasked with a completely different area of operations. However, these original documents seemed like something my colleagues working on Syria would also be interested in. I took an example of one of the tender documents to work one day and showed it to the guys at the Syria desk. They could not believe that I had just found this online. Some of them were even convinced that I had access to their data and pulled it from there. I ended up directing them to all the documents I had discovered on the aforementioned Turkish site and they proved to complement the knowledge the Syria desk already had.

While writing this article, I tried to find those documents using the Wayback Machine, but as I previously mentioned they weren’t actually located on a site that could be easily accessed. So, they unfortunately weren’t archived. I went through the complete site map in the Wayback Machine with no luck. For those of you who don’t know this function, try it out. It is great for getting an overview of the structure of a historic webpage.


In 2009, many people underestimated the power of OSINT. In 2019, I don’t think many people will make that mistake again. No fancy tools were needed back then, just some Google dorks and perseverance to manually go through hundreds of PDFs. Although things have changed in the OSINT world and continue to change as we move along, I am sure there is still plenty of juicy information that can be found on the internet by just mastering the use of Google operators. Happy hunting, fellow OSINTers!

Matthias Wilson / 27.09.2019

Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give you a confused look if you confront them with MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media? Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not under their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designed to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an Android VM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.


Next up, choose the option in the middle, stating that you would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.


Tapping ‘find contacts’ will show the number of phone numbers that are linked to TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.


If you have a nickname, even one derived from another platform, it can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or at the end of the name. In the following screenshot I looked for nicknames containing ‘James’ and was only shown names starting with ‘James’. The reason this is relevant is that I have often found TikTok accounts using prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.


There we go, two accounts containing the search term. Now you can have a look at the profile and check out any videos this profile has uploaded (and publicly disclosed). It looks like this particular profile also links to further social media and websites, as I had mentioned before. Plus, the profile contains a video. Feel free to watch it!


Facebook may be fading (soon), but other platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019


Unravelling the Norton Scam – Final Chapter

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

Chapter 6 – Tracing ownership

Final Chapter – Putting the pieces together

Time to finally unravel the Norton scam. Sector and I have decided to conclude our investigations and put the pieces together, after spending countless hours working on this case. Every time we thought we had figured it out, new information was found, taking us down another rabbit hole. Sometimes we spent days following a lead, just to find out that it wasn’t related to our case at all. As with most investigations, we were not able to solve all mysteries, but we are pretty sure we identified the company and some individuals behind this massive scam scheme.

In the last chapter, we pointed out how everything led to a specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got hold of a woman named Priya and told her that a friend of mine had recommended them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly $150 via PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.


During our research, we also came across a site which offered web design services to US customers and for which we had actually found legitimate websites they had created. This is something very common: using a US front end to sell IT services that are performed in India. So, not everything the team did was illegal or scam-related.


In order to promote the scam sites, another team was responsible for search engine optimization (SEO). The SEO team was most likely also located in the offices of the web design team, probably under the same leadership. Their job was to flood the internet with backlinks in order to promote the scam sites. So far, we have found more than 20,000 entries created for this purpose. From Facebook posts, to Medium blogs, to comments on unrelated webpages; a large variety of backlinks were created in the past year.


As mentioned in chapter 3, the purpose of the scam is to have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.


These call center agents were hired by a company named 4compserv, which is located at an address that was also used to register some of the identified scam domains. We suspect this is the root of all evil, the company behind the scheme. Or at least some employees of the company, since we have also found evidence that 4compserv conducts legitimate business as well.


More evidence came up, which proves that the web design office and the call center are definitely related. Shortly after I had spoken to the boss of the web design office, I received a phone call from the number linked to the call center (+91.97117613). Unfortunately, I missed the call and haven’t been able to reach them ever since. Furthermore, one of the scammers I had personally texted with recently updated the CV on his website. Have a look at his current jobs:


While there are still some questions to be answered, our research has enabled us to have an overall understanding of the network and the techniques used to run their scam, as well as identifying the company most likely behind this scam: 4compserv in Noida, India.


Along the way, we would often stumble upon funny facts. Some of the scam developers were just so sanguine, they didn’t want to obscure their tracks. Such as the preferred use of the name ‘Nancy Wilson’ to register domains or create sock puppets. The original websites the scammers had set up were very crude, now it seems they are using nice looking WordPress templates, including chatbots. Usually, the chatbot would ask for a phone number, so the scammers can call back. And guess who you would be chatting with on all of these sites? Good ol’ Nancy!


We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a large-scale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness of similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimately ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammers’ massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/Matthias Wilson – 25.08.2019

We explicitly decided to keep the disclosure of personal information on the investigated individuals to a minimum in these blog posts. However, the complete information gathered is available to law enforcement and/or the companies targeted by this scam upon request.

Unravelling the Norton Scam – Chapter 4

What are backlinks and how are they used in the Norton scam? Our OSINT investigations lead us into the world of SEO.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Our project started with a fake profile on Medium, which led us to several scam websites claiming to provide tech support. While the total number of these sites hasn’t risen much over the past months, entries promoting this scam on blogs, social media profiles and in comments on other websites have drastically risen. We see this as a crude search engine optimization (SEO) attempt.

Throughout the investigations we found individuals specializing in SEO, who were also likely linked to the network we were tracking. One of the sites that popped up in our search was yahoophonesupports(dot)com. Unlike previous fake sites that used Indian addresses and fake English-named personas, such as Nancy Wilson or Steven Dalton, this one was registered by someone named Jiya with a real-looking email address. We had narrowed down our search to the city of Noida in India and the phone number used to register the site was definitely linked to our scam network. While most names used to register domains clearly belonged to fictitious people, maybe this one was real.


Searching for the name on Google led to a result that fits the picture: Jiya from Noida offering SEO services.


Jiya mentions backlinks and blogger outreach, something we have seen in our scam as well. Let me explain the concept of backlinks, also known as inbound links. A backlink is a link on page A referring to page B. Most search engines interpret backlinks as votes on the popularity of a website. So, the more backlinks lead to page B, the more popular this page seems and thus it will be ranked higher in search results. The easiest way to create cheap backlinks is using free blogs, for example Medium. Googling the phone number used in this scam, we come up with over 1,000 Medium posts and sites, each also containing the link to one of the fake support sites, such as nortonhelpus(dot)com.


We are not only seeing this on Medium, but across many platforms. The number of backlinks created clearly indicates that we are dealing with a large team of people, as this would probably not be possible for one person or a small team alone. The number of search results for the phone number shown above has risen from 4,000 in May to about 21,000 this week and is still rising!

Of course, most posts come from obvious sock puppets, created with fake names and stolen profile pictures. Here’s Brad Pitt, alias James Rocky, offering tech support.


Once these sites are set up, clicking on the links can be automated, so that the target website (in this case all-emailsupport(dot)com) receives traffic, basically boosting its search index rating. The scam network is not expecting to generate any phone calls or support requests from these obviously fake Medium sites, these are just used in the SEO process for the actual scam site. We have been seeing these SEO-enablers on Twitter, Issuu and basically any platform that allows you to post information “quick and dirty”.
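A defender or platform abuse team can spot the pattern described in this chapter, many throwaway accounts all advertising one phone number and all linking the same domain, by grouping scraped posts on the normalised phone number. This is an added Python example, not tooling from the original investigation; the posts, account names, 555-range numbers and .example domains are constructed for it:

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed scraped posts as (platform, account, text). Numbers are from the reserved
# 555 range and domains use .example, so nothing here points at a real site or line.
POSTS = [
    ("medium",  "james.rocky", "Call +1-800-555-0199 for Norton help https://fixmynorton.example/activate"),
    ("medium",  "nancy.w",     "Norton activation 1 (800) 555 0199 -> http://fixmynorton.example/"),
    ("twitter", "techguru88",  "Expired key? 18005550199 fixmynorton.example"),
    ("issuu",   "jiya.seo",    "Support: +1 800-555-0199 see https://fixmynorton.example/help"),
    ("medium",  "realuser",    "Our office line is +1-800-555-0123, site https://shop.example/"),
]

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def normalize_phone(raw):
    """Digits only; a bare 10-digit number is taken as North American and gets the 1 prefix,
    so "+1-800-555-0199", "1 (800) 555 0199" and "800-555-0199" all collapse to one key."""
    digits = re.sub(r"\D", "", raw)
    return "1" + digits if len(digits) == 10 else digits


def domain_of(url):
    """Host of a URL, scheme optional, lower-cased, without a leading www."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def backlink_campaigns(posts, min_accounts=3):
    """Group posts by the phone number they advertise. A number pushed by at least
    min_accounts distinct accounts toward one dominant domain is flagged as a campaign."""
    by_phone = defaultdict(lambda: {"accounts": set(), "platforms": set(), "domains": defaultdict(int)})
    for platform, account, text in posts:
        phones = {normalize_phone(m.group()) for m in PHONE_RE.finditer(text)}
        domains = {domain_of(m.group()) for m in URL_RE.finditer(text)}
        for phone in phones:
            entry = by_phone[phone]
            entry["accounts"].add((platform, account))
            entry["platforms"].add(platform)
            for domain in domains:
                entry["domains"][domain] += 1
    flagged = {}
    for phone, entry in by_phone.items():
        if len(entry["accounts"]) < min_accounts or not entry["domains"]:
            continue
        target, hits = max(entry["domains"].items(), key=lambda kv: kv[1])
        flagged[phone] = {
            "posts": len(entry["accounts"]),
            "platforms": sorted(entry["platforms"]),
            "target": target,
            "target_hits": hits,
        }
    return flagged


if __name__ == "__main__":
    for phone, info in backlink_campaigns(POSTS).items():
        print(f"+{phone}: {info['posts']} accounts on {info['platforms']} -> {info['target']}")
```

The threshold and the distinct-account count are what separate the campaign from a legitimate business that posts its number once; on real data the normalised number is also the key to join against domain registration records.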

During our project we also looked at Google Trends, to figure out where the main targets of this scam were likely located. Obviously in the US, as the main tech support phone numbers were US toll-free numbers. However, we also noticed a British phone number. Google Trends allows you to look up search terms and see the interest over time and the region of interest for that specific search term. We were curious to see whether any of the scam topics was googled notably often in the UK. We checked “activate Norton”, since this was one of the main services the scam network was allegedly offering: activating an expired Norton account.


Sure enough, the main regions that googled this term were the US and India. The US is obvious. This is the market the scammers are targeting. But why does India rank higher? One explanation could be testing the search term during the SEO process. Coincidentally, some of the peaks in the interest over time relate to time periods in which new fake sites were created. No notable searches were seen coming from the UK.

As mentioned before, most of the bogus blog posts were created really sloppily, as their sole purpose was to generate backlinks. We also found several sites linked to this scam that were apparently selling software. A lot of these sites were created using predefined templates, in some cases showing the shipping time or the general location on a map.


Apparently, the creator of this site had his location (likely based on a geolocation through Google) automatically added and didn’t bother to change it before putting the site online. In any case, he achieved his goal: A backlink to a scam site.

Now that we’ve learned how this scam uses SEO to promote their wrongdoings, is there anything that can be done to effectively hamper this scam network? How about Google, Bing, Yahoo and other major search engines taking any site that features “+1-844-947-4746” off their listings?

Except ours, we’re the good guys!

Sector035/Matthias Wilson – 11.08.2019