Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

1

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

2

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to  TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

3.png

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.                                       4.png

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

6

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

7.png

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019

 

Unravelling the Norton Scam – Final Chapter

Gotcha! We found out who is responsible for this massive scam. Using OSINT and social engineering we tracked down the company behind the Norton Scam.

Chapter 1 – It all starts with a bad sock puppet

Chapter 2 – The Art of OSINT

Chapter 3 – What’s the big deal? And who’s to blame?

Chapter 4 – The more, the better

Chapter 5 – Mistakes on social media

Chapter 6 – Tracing ownership

Final Chapter – Putting the pieces together

Time to finally unravel the Norton scam. Sector and I have decided to conclude our investigations and put the pieces together, after spending countless hours working on this case. Every time we thought we had figured it out, new information was found, taking us down another rabbit hole. Sometimes we spent days following a lead, just to find out that it wasn’t related to our case at all. As with most investigations, we were not able to solve all mysteries, but we are pretty sure we identified the company and some individuals behind this massive scam scheme.

In the last chapter, we pointed out how everything led to specific Indian phone number (+91.9540878969). This number was used to register many of the domains we were looking into. Once more, I decided to make some phone calls to India. I found out that the number belongs to a web design office. The first four phone calls were answered by different men who did not understand English, so they hung up on me. My fifth phone call was more successful. I got a hold of a woman named Priya and told her that a friend of mine had recommend them and that I was looking to have a website set up for me. I had called the right place and I would need to speak to her boss, Priya explained. I also mentioned that the site was to be used as a scam site to obtain credit card data. This too was possible according to Priya. Soon afterwards I had a conversation with the boss, who remained nameless. If I was willing to pay roughly 150$ on PayPal, they would set up the site I needed. With these phone calls, we have proven that the web design office was responsible for setting up the type of scam sites that we have seen throughout our investigations.

1

During our research, we also came across a site which offered web design services to US customers and to which we had actually found legit websites they had created. This is something very common: using a US frontend to sell IT-services that are performed in India. So, not everything the team did was illegal or scam-related.

2

In order to promote the scam sites, another team was responsible for search engine optimization (SEO). The SEO team was most likely also located in the offices of the web design team, probably under the same leadership. Their job is to flood the internet with backlinks in order to promote the scam sites. So far, we have found more than 20,000 entries for this cause. From Facebook posts, to Medium blogs, to comments on non-related webpages; a large variety of backlinks were created in the past year.

3.png

As mentioned in chapter 3, the purpose of the scam is have the victims call one of the tech support phone numbers. Thus, a team of call center agents is required. Remember how the scam works? If an unsuspecting victim calls the number, they provide ‘assistance’ by obtaining remote access to the victim’s computer. In some cases malware is installed, in other cases they ask for credit card data in order to bill the customers for their service.

4.png

These call center agents were hired by a company named 4compserv, which is located at an address that was also used to register some of the identified scam domains. We suspect this is root of all evil, the company behind the scheme. Or at least some employees of the company, since we have also found evidence of 4compserv conducts legal business as well.

5.png

More evidence came up, which proves that the web design office and the call center are definitely related. Shortly after I had spoken to the boss of the web design office, I received a phone call from the number linked to the call center (+91.97117613). Unfortunately, I missed the call and haven’t been able to reach them ever since. Furthermore, one of the scammers I had personally texted with recently updated the CV on his website. Have a look at his current jobs:

6.png

While there are still some questions to be answered, our research has enabled us to have an overall understanding of the network and the techniques used to run their scam, as well as identifying the company most likely behind this scam: 4compserv in Noida, India.

7.png

Along the way, we would often stumble upon funny facts. Some of the scam developers were just so sanguine, they didn’t want to obscure their tracks. Such as the preferred use of the name ‘Nancy Wilson’ to register domains or create sock puppets. The original websites the scammers had set up were very crude, now it seems they are using nice looking WordPress templates, including chatbots. Usually, the chatbot would ask for a phone number, so the scammers can call back. And guess who you would be chatting with on all of these sites? Good ol’ Nancy!

8

We’re done! We managed to find the perpetrators behind all this. What started with a sock puppet on Medium led to unravelling a largescale scam network, targeting unsuspecting victims seeking tech support. We hope that our project may help counter the threat originating from this specific scam and raise awareness for similar schemes. Also, thanks to many of our readers for sharing the posts from this series on Twitter and LinkedIn, ultimetely ranking the articles higher and higher on Google. Using OSINT and social engineering to enable counter-SEO against the scammer’s massive SEO effort!

Now it’s time to relax a bit…before we start the next awesome project!

Sector035/Matthias Wilson – 25.08.2019

We explicitly decided to keep the disclosure of personal information on the investigated individuals to a minimum in these blog posts. However, the complete information gathered is available to law enforcement and/or the companies targeted by this scam upon request.

Unravelling the Norton Scam – Chapter 1

If you have problems with Norton 360 or Norton Antivirus, please do not call +1-844-947-4746. You might end up with malware on your computer.

This is the start of a series of blog posts revolving around a massive scam network that targets individuals looking for tech-support regarding various software products. The scam mostly starts with fake Norton 360 and Norton Antivirus sites, however, has also been linked to fake Microsoft support sites and fake Facebook support sites (just to mention a few). We dug into this network, trying to identify the perpetrators behind it and used lots of different OSINT techniques over the course of several months. Every once in while a little social engineering came in handy, as we also contacted some of the suspected perpetrators directly. Our investigations are not over yet, there is still more to be found, but let us take you along this fascinating journey of online investigations.

Chapter 1 – It all starts with a bad sock puppet

Do you have a look at the accounts that connect with you on Twitter or Medium? I do, and so does my buddy Sector035. In late April 2019, a new person followed Sector’s blog on Medium and he had a look at this new follower.

1

A weird URL? A nice picture of a female named Pierre? This profile was begging for further research. The URL led to a tech-support site that listed the following phone number: +1-844-947-4746. Sector didn’t even wait to check this number on his computer and immediately googled it on his cell phone. I guess that’s what you call OSINT curious.

2.jpg

It turns out that this phone number was listed on numerous obviously fake sites and blog posts offering tech-support. Out of curiosity, we decided to take a closer look at some of the sites, in order to see how they were connected to each other and possibly find out who was responsible for creating them. At the time we had no idea how time consuming and big this project would be! Among the sites using the phone number, we initially concentrated on these four:

3

Each site looked worse than the other. Horrible design, bad English and next to the aforementioned phone number, they all used the same address:

4

While Sector started to check the WHOIS information using DomainBigData, GoDaddy and Whoxy, I looked into to Google Street View and did a little reverse image searching on the photos. It turns out that all the photos used were either stock pictures or stolen off other people’s social media profiles and the address itself was in an inconspicuous housing area. Googling the address led us to more suspicious sites, some of them using a different phone number. Among these was one belonging to a company allegedly called Energetics Squad LLC. No records existed for such a company in the State of Illinois, nor in any other state. Keep this company in mind, as it will show up in a later blog post as well!

The WHOIS check didn’t always provide the exact name of the registrant, but we found another similarity: most of the websites had been registered around March 13-14, 2019 in India.

5.png

Using DNSLytics, Sector also checked the Google Analytics ID and found that the sites were not only linked by all of what was described above, they also shared a common tracking code (UA-code). At this point, it was time to start linking the information in Maltego.

6

What started with a bad sock puppet, led to googling information and from there to a deep dive into domain data, Google Analytics research, as well as pulling corporate records from official state registries. The hunt was on and upon finding all this correlating data, we couldn’t just let go and decided to push forward.

Soon after, we started collecting information on an actual suspect and at a certain point engaged in an interesting conversation with this person. So, stay tuned for the next chapters of our fascinating journey!

Sector035/Matthias Wilson – 31.07.2019

Вы понимаете? OSINT in Foreign Languages

It just takes one click in OSINT to land on a website in a foreign language. Investigations don’t have to stop here, if you have the right tools.

In today’s interconnected world, OSINT investigations lead us to foreign language content quite often. This does not mean we have to stop here. Thankfully, a broad variety of tools can support us in translating the content we find.

Before getting into specific tools, I have learned that you will receive the best results if you define the input language manually. Most tools can autodetect the input language, but if you’re working with short sentences or even single words, this might not function reliably. Sometimes translating very long sentences will also produce awkward results, splitting a long sentence into components could help in this case. That said, let’s have a look at some tools I use during my investigations.

First off, I would like to point out DeepL, a German company that trains AI to understand and translate texts. When it comes to translating content in German, English, Spanish, Portuguese, Italian, Dutch, Russian and Polish, DeepL has proven to be more accurate than other tools. You can copy and paste a text or upload a document to have it translated. I let the platform have a try at an excerpt from one of the older Keyfindings’ posts in German.

1

The next must-have is Google Translate. This extension should be installed in any browser to easily decipher pages on the fly. Next to translating complete webpages, it will show you the original text by hovering the mouse over that passage. In some cases this can be helpful, especially when Google tries to translate names of people, places or companies as well.

2.jpg

What if neither DeepL or the Google Translate extension work? Maybe you’re on a page that does not use the Latin alphabet, e.g. Chinese or Arabic, and some of the content is not ASCII-coded. This happens quite often when looking at Asian websites. Another case might be handwritten information in such languages. One of my favorite tools for this is on the Google Translate website itself. Next to the obvious copying and pasting of text, as well as uploading documents, Google allows you to use a foreign language virtual keyboards to input information.

3

However, this isn’t always helpful. In Arabic, letters vary in shape depending on their position in the word. This makes it hard for someone not proficient in Arabic to use the keyboard. Luckily, there is a workaround!

The Google Translate page allows you to draw what you see and based on that it will make suggestions and translate them. This works really well with any character-based writing, such as Chinese, Korean and Japanese, as well as with other languages that don’t use the Latin alphabet (Russian, Hindi, etc.). I have added a quick video to demonstrate how it works.

As an alternative, I looked into Windows Ink on the Microsoft Translator, but Microsoft currently doesn’t offer an Arabic handwriting package. However, it does offer Russian, Chinese, Hindi and several others character-based alphabets and languages.

When trying to translate subtitles in Videos, there is a workaround that was shared by Hugo Kamaan on Twitter, showing how you can use your cell phone camera to receive instant translations.

There are definitely more tools out there, so feel free to add anything you use frequently or that you think is missing in the comments.

Я надеюсь, что это было полезно для вашего расследования OSINT!

Matthias Wilson / 21.07.2019