Be careful what you OSINT with

There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.

1

In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as good as possible. This includes OSINT research on the company, asking tech-savy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out, I was right not to use this platform. Lampyre isn’t who they claim they are. I teamed up with several helpful elves (to be honest, they did most of the work) and we found some pretty disturbing information.

Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower. The company itself was registered in February 2019 and the CEO and sole shareholder is Laszlo Schmidt. The original address used to register the company leads to a law firm and the phone number that Data Tower provides belongs to another law firm in which Laszslo Schmidt is working as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do you we get to the people behind Lampyre?

Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its back end in each query. The queries contain a brief description on what is requested and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.

2

Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:

3

While this was being done, more OSINT research revealed a person named Andrey Skhomenko. This guy posted Python modules for Lampyre on Github and knew about the product in March 2018, way before it was released to public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).

4

According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

5

The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.

6

So far, this was just a gut feeling. Could anymore evidence be found that would link these two products and thus Norsi Trans and Data Tower? You bet? We pulled the certificates used by Lampyre and saw that they were registered in Russia and even more compelling: one of the certificates made a direct reference to Vitok.

7

This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there is still plenty to be discovered, I think we have proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption for domestic services.

Maybe Lampyre is Norsi Trans’ attempt to sell their software in the western world, maybe it is a rogue operation by a Norsi Trans employee (or a few). Although, I personally have doubts about that second theory. The software is quite powerful and receives regular updates. To create something like this, you’d surely need more than one person and having a rogue team within a company try to pull this off would surely not go unnoticed. What I find most interesting, is the fact that Andrey stated he had worked for the FSB. To put it in the words of one of my former colleagues: You don’t leave Russian intelligence services, you just change your cover and continue working for them.

Matthias Wilson / 23.03.2020

My First Professional Social Engineering Job

Can you remember the first time you manipulated someone to give you information? The first time I used social engineering professionally to obtain information resulted in loads of pics of cool fighter aircraft.

This week my digital photo album made me aware of some pictures from a deployment in Afghanistan exactly 15 years ago and reminded me of one adventure I had while trying to obtain information on a specific air traffic control radar.

Why is this adventure still relevant to me so many years later? Well, back then I was in a Signals Intelligence (SIGINT) unit, but this task required some Human Intelligence (HUMINT) skills. Or, speaking in civilian terms: Social Engineering. It was actually the first time I had directly gathered information from a conversation with my intelligence target, rather than relying on communications being intercepted. While I had quite the experience stepping into other characters in my free time (these are stories more suitable for a night out), I had never before tried this in my professional career.

A lot has been said and written about successfully manipulating people to make them give you information or allow access to restricted areas. For me, the most important aspect is the ability to read other people’s emotions and sentiment towards oneself and to anticipate their reactions. I think it is much like a game of chess and whoever plans several steps ahead, will be in control. To achieve this, I have learned that it is important to have your counterpart feel comfortable and give him or her the feeling that they are in control of the situation at all times. Last but not least, you should always have a good cover story, or pretext. Instead of going on about the methodology of social engineering in theory, I would just like to share my adventure with you.

In January 2015, I was stationed in Kabul (Afghanistan) with an electronic warfare detachment. Our parent unit back in Germany was in charge of monitoring radar systems worldwide, as part of their Electronic Intelligence (ELINT) mission. They had a large database in which they gathered information on all types of radars. Not only those used by potential adversaries, but also from allied nations. One day our detachment was asked to travel to a nearby US airbase, because a new air traffic control radar was apparently installed there. If possible, we were to take a picture of this new system, which would then be uploaded to the database. This should be a simple task. Fluent in English, I was asked to join this “mission”. After driving for about an hour, we arrived at the airbase and soon noticed that there was no way to get a clean shot of the radar system. Of course, it was located on the flight line. I knew we couldn’t just ask to see that radar system, as itwould seem a little bit too suspicious, and I also knew that “sightseeing” tours of the aircraft were fairly common. There actually is a German word to describe this: Gefechtsfeldtourismus.

One of the guys with us was an old German air force sergeant major and I came up with a pretext that might enable access to the flight line. We walked up to the nearest security office at one of the gates and I stepped into character. I introduced ourselves as a German patrol, which just happened to visit this air base in order to go to the PX and that my sergeant major was command sergeant major of a German fighter squadron back home. Obviously, I couldn’t state we were part of an electronic warfare detachment. And as it was the sergeant major’s final deployment before retirement, we kindly requested to get him one last look some of some the aircraft. A plausible (and made up) pretext, a direct and firm request and most important: leading this conversation with a friendly and calm demeanor. After all, a smile can open doors.

Soon afterwards, a young A-10 pilot showed up and gave us a full flight line tour. We had achieved step one and gained access to the flight line. We spent the next half hour of so walking around, taking pictures and acting like tourists. Now step two: get some pictures of the radar and possibly some additional information on it. In order to achieve this goal, I switched characters. While I was very serious, yet calm and friendly, to get inside, I was now the kid in the candy store.

What’s that? Can I look at that? Gosh, that’s cool.

I wanted it to appear as if I had no idea what everything around me was, so that when I asked questions it would seem like I was asking more out of personal interest than having a professional agenda.

Is that the control tower? I bet you have a great view from up there!

This got us into the control tower. It was manned by two civilian contractors who never really received any visitors. After all, most people would go have a look at the aircraft. Again, I was the kid in the candy store, asking many questions. The guys felt flattered that someone was interested in their work, they felt like they had the upper hand and ultimately shared a lot of information. I pointed to the radar.

What’s that green thing with the revolving dish?

From there on, I got a full briefing on my actual target. Frequencies, ranges, current issues and some more technical gibberish. Lastly, a couple of close-up pics as well. While many of you may think this was just a fun adventure, it was actually hard work. I had to memorize what I had heard and thus stay concentrated while remaining in character. I couldn’t take notes and I couldn’t record anything. I think this is one of the most challenging aspects of any social engineering attempt. Memorizing new information, while trying keep your pretext in mind.

After one and half hours the tour was finished. Personally, I got some awesome pictures of the aircraft, Professionally, I accomplished the mission. The information I had collected and the close-up pictures of the radar system were reported to our parent unit and they were quite surprised.

How did you get all this?

I just asked friendly 😊

BAF2015Gefechtsfeldtourismus

Matthias Wilson / 14.01.2020

Communications Security on Iron March – An Intelligence Analysis

How do right-wing extremists secure their communications? The recent Iron March data leak gives insight into how its members tried to communicate outside the message board.

The recent leakage of a massive white supremacist message board named Iron March  sparked a wave of independent investigations by people all of over the world. The data contained in this leak provides many leads to practice OSINT skills in various disciplines. Whether it is googling usernames, correlating email addresses to social media profiles or looking up information on some of the domains shared on this message board; the breached data is a starting point for a plethora of different OSINT methods. Of course, I couldn’t resist and also took a dive into this leak as well! I decided to have a look at the content that was posted on Iron March. Not so much OSINT here, it is more general intelligence analysis I will be applying. One of the challenges was actually defining a clear goal. What did I want to unravel here? Did I want to reconstruct organizational structures? Did I want to investigate individuals and their backgrounds? Did I want to look at certain events?

Without narrowly defined intelligence requirements and thus key intelligence questions that should be answered, approaching such a big amount of data in a methodological way is nearly impossible. After reading the first couple of Iron March messages, I realized that the users often discussed others means of communication outside of the message board. So, I decided that my first goal would be to analyze the communications, security measures and the evolution of communications within this network. Having a better understanding of this topic will surely help the OSINT community to understand where to look for further information during this investigation.

When Iron March was set up, many users migrated from a previous platform called ITPF. Background information on both platforms can be found here. The first posts on Iron March clearly showed, that the users would regularly communicate outside of the message board as well. Among the these outside channels were mainly Skype, MSN, AIM and Facebook.

“You should download Skype it is a good service. Also you can use it just like MSN; you can type, I type most of the time.” Post on 23.09.2011 by Kacen (ID2)

“Not sure if you’re interested but I thought I’d ask, I’m launching a study group for American Fascism/Nationalism quite soon via facebook.” Post on 24.11.2011 by American_Blackshirt (ID35)

Eventually, members of Iron March even set up Skype groups to ensure communications. This enabled them to communicate directly with each other without delay, as it would have been on Iron March. At the time, Skype appeared secure to the members of the message board and was soon the preferred outside communication channel. Occasionally, other channels would also be used to communicate, sometimes even including gaming platforms.

“We have a good number of people in the Skype group and you should join.” Post on 25.01.2011 by Blood and Iron (ID3)

“do you have facebook, or steam, bf3 battlelog or something where us 2 can converse?” Post on 02.07.2012 by unkown

 The main reason people would use external messengers to communicate, was that they were more practical than using Iron March’s private messaging system. To gain access to Iron March PMs, the site had to be open in the browser. MSN and other messengers were client-based and could run in the background, immediately informing users of incoming messages. By late 2012, AIM and MSN were also still used frequently, something that would soon change after Microsoft discontinued MSN as a service in 2013.

“Hobbit, do you have MSN? A lot more practical than talking through PMs.” Post on 27.06.2012 by Damnatio Memoriae (ID279)

“Alright, I’ll get back to you again tomorrow, with my AIM, MSN, and SKYPE info.“ Post on 10.10.2012 by social_justice (ID17)

As early as mid 2012, many users were slowly turning away from Facebook, stating privacy issues as their main reason.

“I don’t use facebook anymore, it gives too much information away even if you use a proxy and false information, it’s an easy way to keep a “paper trail” on someone, so to speak.” Post on 03.07.2012 by Nebuchadnezzar II (ID288)

The use of external channels remained mostly unchanged until 2015, when new messaging and chat services started to appear on Iron March. Telegram and Tox were among the most popular services and were viewed as more secure than Skype. This also led to the exchange of Tox IDs, so the members could identify each other on the chat application.

“I need to get in contact with you. Download Tox and make an account with a secure login.” Post on 08.08.2015 by Fascism=Fun (ID7962)

“Another thing I wanna recommend is to use Telegram or Tox instead of Skype for organisational procedures and meetings. These are really good ways of communicating, and I know of three NatSoc and Fascist organisations within the U.S that use these services because of their security.” Post on 05.02.2016 by TheWeissewolfe (ID9304)

The post above is actually from the deputy leader of the infamous Atomwaffen Division. Whenever someone was interested in joining this organization, they were told to use Tox or Telegram for further communications. However, there was still a reasonable amount of doubt regarding the security of these new communication channels. Discussions about adding an extra layer of encryption ensued.

“Yeah I’m well aware the skype is compromised. Literally everything Microsoft is and has been for over a decade. Tox isn’t but it’s a WIP. Discord I don’t know much about but no doubt it is too. Secure channels aren’t really possible without doing your own encryption.” Post on 21.05.2016 by Xav (ID9476)

While most members of Iron March were very naïve in terms of operational security or communications security, some members had a fairly good understanding of the risks in open communications. One of these members was Atlas (ID9174), who claimed to be responsible for network and computer security for the British group National Action.

“Hi, I’m in charge of computer and online network security with National Action.” Post on 23.08.2015 by Atlas (ID9174)

Atlas often provided guidance on the use of secure emails and encryption with PGP. Overall, members were made aware not to use Hushmail and to rely on Protonmail or Tutonota instead. When sending emails to other providers they were to use PGP. He even wrote a PGP guide for National Action and distributed it on Iron March as well.

“Good job I just designed a PGP guide for National Action then, I’ll email you it, what’s your email?” Post on 01.09.2015 by Atlas (ID9174)

Other activities included checking the security of hosting servers. One of the most interesting conversations I have found in this dump so far was between Atlas and the founder and leader of the Atomwaffen Division, Odin. In September 2015, Odin reached out to Atlas regarding issues with PGP.

“Hello comrade I need to have my pgp shit setup properly and to be able to use it for communications with certain people before this weekend. I would be very greatful if you could help me.” Post on 14.09.2015 by Odin (ID7600)

Although many security measures were put in place, a lot of members of Iron March still were fairly confident that their activities had not drawn the attention of law enforcement yet. Some even openly expressed their total negligence of security openly on the message board. There was more fear of being doxed by left-wing organizations than becoming a target of police investigations.

“I’m glad you all understood the necessity for security. Here on IM I was shot down for daring to suggest such a necessity on the basis of: We don’t need it, we’re not ISIS. I ripped off all my ideas from some corny website anyway (that website being my blog btw lol).” Post on 04.05.2015 by Atlas (ID9174)

“The use of TOR, fake names, and these secure channels is more of security culture thing – we are not being actively monitored by say, the government (at least that is my personal opinon based on the information I have) but it encourages people to act more sensibly so they don’t get themselves doxed by leftists. I don’t like hearing about workplaces getting phoned up or individuals being exposed in the newspapers. Since the mirror article on my a couple of years ago practically everyone has been able to maintain a degree of anonymity. Obviously if they ever decide to raid anyone they are not going to find anything that can be used to build a case around them.” Post on 10.04.2016 by Daddy Terror (ID7)

Given the fact, that Daddy Terror (ID7) was the leader of the National Action movement in Great Britain, this statement is truly remarkable and shows how safe some of the members of these extremist communities felt in their online communications. Next to the platforms already revealed above, there were several other communications channels that were occasionally mentioned, e.g. Discord and even MySpace in the early days of Iron March. In the end, the use of external secure communications and additional encryption were blasted when the message board itself was hacked in 2017 and the data was recently leaked, exposing the identities and ideas of many members.

Thank god the Iron March admins didn’t have proper security measures in place and hopefully this data leak will help law enforcement worldwide investigate some of the malicious activities planned and discussed on the message board. Until then, I’ll continue to dig into this data, together with other OSINT enthusiasts, and see what stories can be unraveled next.

Matthias Wilson / 09.11.2019

 

OSINT Key Findings in the Year 2009

Syria, nonproliferation sanctions, OSINT, Google Dorks and SIGINT. In 2009, these all came together in an interesting investigation.

Earlier this year, I wrote an article about my opinion on the future of OSINT and while doing so, I had to think about how OSINT looked in the past and how it has evolved over the years. Gathering and analyzing information, not only through OSINT, has always been my passion and I’ve been doing this for about 20 years now. Just like the recent project with Sector035, where we unraveled a massive scam network, I have often conducted research on specific topics purely out of curiosity. These side projects were never work related, but the skills I then learned were eventually useful throughout my career. Often, reading a simple news article would send me down a rabbit hole. From looking up related news articles to spending hours on Wikipedia to creating link charts, largescale investigations were always only a mouse-click away.

I just recently recalled a project I worked on in early 2009. It all started with me looking into various nonproliferation sanctions lists. I think it was a news article that sparked my interest. These sanctions were and are imposed on countries that have been accused of trying to procure and/or produce weapons of mass destruction, e.g. nuclear, chemical or biological weapons. I started looking into government and non-government entities from Syria on those lists. Remember, this was back in 2009. There weren’t really many sophisticated OSINT tools back then, so most findings resulted from simple Google queries.

One of the entities I looked at was the Mechanical Construction Factory. Googling this led to millions of results, so I narrowed it down by adding quotation marks: “Mechanical Construction Factory”. My next step was looking for this search term in specific filetypes. PDF or Powerpoint documents have the tendency to contain more relevant information than your average webpage. Adding the filetype-operator in Google led to some rather interesting results.

For example, the Greek Exporters Association (SEVE) posted monthly spreadsheets of tenders originating from Syria. These lists contained information on who requested the offer (including addresses, phone numbers and email-addresses), as well as goods they were seeking to acquire.

1

In order to find all tender spreadsheets on this page, I again used Google dorks. Combining the site-operator with the filetype-operator brought up all the PDFs saved in the 2008 directory. Since I only wanted to look at the PDFs for Syria, I used Google Translate to obtain the Greek spelling of Syria, as each spreadsheet had this somewhere in the document. The final query looked like this:

2

I now had a long list of Syrian companies that had requested to purchase goods from Greece. Not only that, multiple companies used the same phone numbers, so I could assume that they were linked to each other in some way. I recall finding one or two companies that were linked to a sanctioned company by a phone number and that weren’t listed themselves.

Playing around with Google dorks had me find plenty of interesting material to go through. While I can still reproduce the example mentioned above (just try it yourself), the most interesting finding in this case is unfortunately lost.

Back then, Turkey had a government organization named “Undersecretariat for Defence Industries”. The Turkish abbreviation of this was SSM. The SSM-website doesn’t exist anymore, as the organization was renamed and restructured in 2018 (as SSB). This organization posted roughly 150 scanned original tenders from Syria on their website. While not directly accessible through a dedicated page, using the Google dorks had them appear in my queries. These documents contained phone numbers, addresses, signatures and seals that were stamped on the paper. Apparently, they were sent to Turkey in hardcopy or scanned and then sent electronically.

Keep in mind, I did all this at home. This was my hobby and not related to my actual line of work. I was a SIGINTer, not an OSINTer at work, tasked with a completely different area of operations. However, these original documents seemed like something my colleagues working on Syria would also be interested in. I took an example of one of the tender documents to work one day and showed it to the guys at the Syria desk. They could not believe that I had just found this online. Some of them where even convinced that I had access to their data and pulled it from there. I ended up directing them to all the documents I had discovered on the aforementioned Turkish site and they proved to compliment the knowledge the Syria desk already had.

While writing this article, I tried to find the those documents using the Wayback Machine, but as I previously mentioned they weren’t actually located on a site that could be easily accessed. So, they unfortunately weren’t archived. I went through the complete site map in the Wayback Machine with no luck. For those of you who don’t know this function, try it out. It is great to get an overview of the structure of a historic webpage.

3.png

In 2009, many people underestimated the power of OSINT. In 2019, I don’t think many people will make that mistake again. No fancy tools were needed back then, just some Google dorks and perseverance to manually go through hundreds of PDFs. Although things have changed in the OSINT world and continue to change as we move along, I am sure there is still plenty of juicy information that can be found on the internet by just mastering the use of Google operators. Happy hunting, fellow OSINTers!

Matthias Wilson / 27.09.2019

Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

1

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

2

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to  TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

3.png

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.                                       4.png

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

6

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

7.png

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019

 

Unravelling the Norton Scam – Final Chapter

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

Chapter 6 – Tracing ownership

Final Chapter – Putting the pieces together

Time to finally unravel the Norton scam. Sector and I have decided to conclude our investigations and put the pieces together, after spending countless hours working on this case. Every time we thought we had figured it out, new information was found, taking us down another rabbit hole. Sometimes we spent days following a lead, just to find out that it wasn’t related to our case at all. As with most investigations, we were not able to solve all mysteries, but we are pretty sure we identified the company and some individuals behind this massive scam scheme.

In the last chapter, we pointed out how everything led to specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got a hold of a woman named Priya and told her that a friend of mine had recommend them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly 150$ on PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.

1

During our research, we also came across a site which offered web design services to US customers and to which we had actually found legit websites they had created. This is something very common: using a US frontend to sell IT-services that are performed in India. So, not everything the team did was illegal or scam-related.

2

In order to promote the scam sites, another team was responsible for search engine optimization (SEO). The SEO team was most likely also located in the offices of the web design team, probably under the same leadership. Their job is to flood the internet with backlinks in order to promote the scam sites. So far, we have found more than 20,000 entries for this cause. From Facebook posts, to Medium blogs, to comments on non-related webpages; a large variety of backlinks were created in the past year.

3.png

As mentioned in chapter 3, the purpose of the scam is have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.

4.png

These call center agents were hired by a company named 4compserv, which is located at an address that was also used to register some of the identified scam domains. We suspect this is root of all evil, the company behind the scheme. Or at least some employees of the company, since we have also found evidence of 4compserv conducts legal business as well.

5.png

More evidence came up, which proves that the web design office and the call center are definitely related. Shortly after I had spoken to the boss of the web design office, I received a phone call from the number linked to the call center (+91.97117613). Unfortunately, I missed the call and haven’t been able to reach them ever since. Furthermore, one of the scammers I had personally texted with recently updated the CV on his website. Have a look at his current jobs:

6.png

While there are still some questions to be answered, our research has enabled us to have an overall understanding of the network and the techniques used to run their scam, as well as identifying the company most likely behind this scam: 4compserv in Noida, India.

7.png

Along the way, we would often stumble upon funny facts. Some of the scam developers were just so sanguine, they didn’t want to obscure their tracks. Such as the preferred use of the name ‘Nancy Wilson’ to register domains or create sock puppets. The original websites the scammers had set up were very crude, now it seems they are using nice looking WordPress templates, including chatbots. Usually, the chatbot would ask for a phone number, so the scammers can call back. And guess who you would be chatting with on all of these sites? Good ol’ Nancy!

8

We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a largescale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness for similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimetely ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammer’s massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/Matthias Wilson – 25.08.2019

We explicitly decided to keep the disclosure of personal information on the investigated individuals to a minimum in these blog posts. However, the complete information gathered is available to law enforcement and/or the companies targeted by this scam upon request.

Unravelling the Norton Scam – Chapter 4

What are backlinks and how are they used in the Norton scam? Our OSINT investigations lead us into the world of SEO.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Our project started with a fake profile on Medium, which led us to several scam websites claiming to provide tech support. While the total number of these sites hasn’t risen much over the past months, entries promoting this scam on blogs, social media profiles and in comments on other websites have drastically risen. We see this as a crude search engine optimization (SEO) attempt.

Throughout the investigations we found individuals specializing in SEO, who where also likely linked to the network we were tracking. One of the sites that popped up in our search was yahoophonesupports(dot)com. Unlike previous fake sites that used Indian addresses and fake English-named personas, such as Nancy Wilson or Steven Dalton, this one was registered by someone named Jiya with a real looking email address. We had narrowed down our search to the city of Noida in India and the phone number used to register the site was definitely linked to our scam network. While most names used to register domains clearly came from fictitious peoples, maybe this was one was real.

1.png

Searching for the name on Google led to a result that fits the picture: Jiya from Noida offering SEO services.

2.png

Jiya mentions backlinks and blogger outreach, something we have seen in our scam as well. Let me explain the concept of backlinks, also known as inbound links. A backlink is a link on page A referring to page B. Most search engines interpret backlinks as votes on the popularity of a website. So, the more backlinks that lead to page B, the more popular this page seems and thus it will be rated higher in search results. The easiest way to create cheap backlinks is using free blogs, for example Medium. Googling the phone number used in this scam, we come up with over 1.000 Medium posts and sites, each also containing the link to one of the fake support sites, such as nortonhelpus(dot)com.

3.png

We are not only seeing this on Medium, but across many platforms. The amount of backlinks created clearly indicates that we are dealing with a large team of people, as this is probably not possible by one person or a small team alone. The number of search results for the phone number shown above has risen from 4,000 in May to about 21,000 this week and is still rising!

Of course, most posts come from obvious sock puppets, created with fake names and stolen profile pictures. Here’s Brad Pitt, alias James Rocky, offering tech support.

4.png

Once these sites are set up, clicking on the links can be automated, so that the target website (in this case all-emailsupport(dot)com) receives traffic, basically boosting its search index rating. The scam network is not expecting to generate any phone calls or support requests from these obviously fake Medium sites, these are just used in the SEO process for the actual scam site. We have been seeing these SEO-enablers on Twitter, Issuu and basically any platform that allows you to post information “quick and dirty”.

During our project we also looked at Google Trends, to figure out where the main targets of this scam were likely located. Obviously in the US, as the main tech support phone numbers were US toll-free numbers. However, we also noticed a British phone number. Google Trends allows you to look up search terms and see the interest over time and the region of interest for that specific search term. We were curious to see if any notable searches on one of the scam topics was googled in the UK often. We checked “activate Norton”, since this was one of the main services the scam network was allegedly offering: activating an expired Norton account.

5

Sure enough, the main regions that googled this term were the US and India. The US is obvious. This is the market the scammers are targeting. But why does India rank higher? One explanation could be testing the search term during the SEO-process. Coincidently, some of the peaks in the interest over time relate to time periods in which new fake sites were created. No notable searches were seen coming from the UK.

As mentioned before, most of the bogus blog posts were created really sloppy, as their sole purpose was to generate backlinks. We also found several sites linked to this scam that were apparently selling software. A lot of these sites were created using predefined templates, in some cases showing the shipping time or the general location on a map.

6

Apparently, the creator of this site had his location (likely based on a geolocation through Google) automatically added and didn’t bother to change it before putting the site online. In any case, he achieved his goal: A backlink to a scam site.

Now that we’ve learned how this scam uses SEO to promote their wrongdoings, is there anything that can be done to effectively tamper this scam network? How about Google, Bing, Yahoo and other major search engines take any site off their listing that features “+1-844-947-4746”.

Except ours, we’re the good guys!

Sector035/Matthias Wilson – 11.08.2019