Never be too careless with what you post on social media. It might come back to haunt you one day and in the case of our investigations it sure led to some key findings on the scam network!
Chapter 1 – It all starts with a bad sock puppet
Chapter 2 – The Art of OSINT
Chapter 3 – What’s the big deal? And who’s to blame?
Chapter 4 – The more, the better
Chapter 5 – Mistakes on social media
The ultimate goal of our investigation was to find the people behind the scam. So far, we had found only fake personas, and most of the WHOIS data was misleading as well. For all of the people we had come across, there was still reasonable doubt whether they were actually involved in the scam, or we could not establish their true identities with certainty. In our hunt for the truth we also turned to social media, hoping to find someone connected to our case.
As previously mentioned, most of the names used to register the websites were clearly fake; Nancy Wilson and Steve Dalton were among the favorites. However, we did notice that the majority of sites had Indian addresses in their WHOIS data. In particular, two addresses recurred frequently: one in Noida and one in Gurgaon (also known as Gurugram). We decided to look for Facebook profiles that had visited both cities and that were also linked to East Peoria, the city in Illinois that the scammers listed on their websites. Maybe someone had been careless enough to check into all three places. Of course, this was done a while back, when the Facebook graph search was still working.
Jackpot! While we hadn’t expected to find anything on this wild query, one Facebook profile matched our search. This person, named Baljeet, was a very active social media user and constantly checked into places on Facebook. Among these check-ins were Noida, Gurgaon and East Peoria.
Intelligence collection always feeds on the mistakes your adversaries or intelligence targets make, and Baljeet committed a major blunder here. Soon after, we found ourselves digging into Baljeet’s profile. It turns out that he had frequently visited locations (marked in blue) in the vicinity of the office building (marked in red) that appeared in the WHOIS data of the scam sites, and where we suspected the team of developers behind these sites to be based.
At the same time, we discovered that Baljeet had registered a website under his full name and actual email address, which we had found in his Twitter timeline. This website offered web design services to customers in the US. And guess what? The site used the same address in East Peoria and the same phone number as the scam sites! I decided to have a little chat with Baljeet on Facebook and confront him with this information.
The conversation went on for a while, and Baljeet kept coming up with excuses and dodgy explanations for why his website was using the same address and phone number as the scam sites. After our talks, he actually took both down for a while, but the address is back on the website today. To us it is clear: Baljeet is definitely involved in this scam. You don’t just sit in India and coincidentally use the same address (in the middle of nowhere) and phone number as multiple scam sites on your own site. You don’t just coincidentally happen to work in the vicinity of addresses we have attributed to the scam sites.
While looking into other social media profiles used by Baljeet, we came across further indicators that fit the overall picture. A couple of days ago, he proudly posted the following on Twitter: a certificate for an advanced Google Analytics course (my browser was set to German when I opened the link).
As you can see, the information we gained from social media research led us to a prime suspect in our case. Not only did we now have a real name, we also had a unique username, a pattern of life and enough information to verify his involvement in our scam.
Our social media research also led to many more key findings. One of the phone numbers we found in the scam sites’ WHOIS data was also being used in job advertisements posted on Facebook.
A call center agent providing support to activate Norton? That’s exactly how our hunt started. Looks like it is all coming together! The information we gathered throughout our social media research was invaluable and led us to dig even deeper into the WHOIS data and source code of the scam websites, eventually unravelling the whole network behind them. But that is something for the coming chapters.
Sector035/Matthias Wilson – 15.08.2019