
Tag: scams

OSINT Quick Tips: That CashApp QR Code on The Web Might Actually Be Hiding a Profile Photo!

If you do a lot of web-based OSINT research like I do, you’ve most likely conducted username searches using a powerful tool like https://whatsmyname.app that scurry out onto hundreds of websites in search of profiles bearing the username you’re interested in. In doing so, you may have come across CashApp user pages that usually bear a few common things: a cashtag (username), a display name, and most of the time… a seemingly useless QR code.

Or is it?

You see, while it is sometimes the case that the account holder hasn’t actually populated a profile photo, and therefore the page just displays a QR code, recently I noticed that the web version of profiles seems to display QR codes even when a profile photo is actually present for the mobile version of the account. Finding the photo (if one exists) from the web is quite simple if you know to look for it, and I’ll give you two different ways of doing it…

Note for the extra tenacious investigators out there: While what I’m going to show you works on the CashApp website, the thought process and application may be something you find useful elsewhere in your work too. Be curious, and see where it leads you!

Option 1 – Get Your Hands Dirty

The first, and more manual way, is to go to a profile page like https://cash.app/$JaneDoe (I made this one up so we’re not actually showing someone real here), and drill down in the source code of the page to the place where the profile photo is hiding, should one exist. I’m going to explain this as a Chrome user by the way, and yes, I am well aware of all the “Chrome sucks!” drums that some people like to beat for anyone that will listen.

Start by right clicking somewhere on the QR code and selecting “Inspect” from the menu of options that appears. This will open your browser’s developer tools so you can have a look under the hood. The line you’re dropped on will be just a few above the one you’re actually looking for. Look down a few lines for the words:

<div class="mobile-only">

Expand this section by clicking the little triangle to the left of the line and keep doing this for the subsequent drop-downs that appear until you see (if one exists for the profile you’re on) a line that reads:

<img src="https://____________________________________.jpg

Now you can right click on the hyperlink for where the image is being delivered from in CashApp’s content delivery network (CDN), and open it in a new tab to view! Hovering over the hyperlink will show you a preview as well. It looks like this:

Great success!! (just kidding, I hated the movie Borat)
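The same “keep expanding until you reach the img inside mobile-only” step, done against a saved copy of the page source with Python’s standard-library HTML parser. This is an added example, not the blog’s or Cash App’s code; the HTML and the CDN URLs in it are constructed placeholders, and it assumes the hidden container is marked with a class name exactly as the post describes.

```python
from html.parser import HTMLParser


class HiddenImageFinder(HTMLParser):
    """Collect <img src> values that sit anywhere inside an element carrying
    the target class, however deeply nested. Content hidden by CSS for the
    desktop layout is still delivered in the page source, which is the whole
    point of the DevTools walk described above."""

    # Elements that never have a closing tag; they must not enter the stack.
    VOID = {"img", "br", "hr", "meta", "link", "input", "source"}

    def __init__(self, target_class="mobile-only"):
        super().__init__()
        self.target_class = target_class
        self.stack = []        # (tag, is_target) for every open element
        self.depth_inside = 0  # number of open target elements enclosing us
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and self.depth_inside > 0 and a.get("src"):
            self.images.append(a["src"])
        if tag in self.VOID:
            return
        is_target = self.target_class in (a.get("class") or "").split()
        self.stack.append((tag, is_target))
        if is_target:
            self.depth_inside += 1

    def handle_endtag(self, tag):
        if tag in self.VOID:
            return
        if tag not in [t for t, _ in self.stack]:
            return  # stray closing tag: ignore rather than corrupt the stack
        while self.stack:
            t, is_target = self.stack.pop()
            if is_target:
                self.depth_inside -= 1
            if t == tag:
                break


def hidden_images(html, target_class="mobile-only"):
    """Return the image URLs found inside elements of the given class."""
    p = HiddenImageFinder(target_class)
    p.feed(html)
    return p.images


# Constructed sample page: a QR code in the desktop block, a nested avatar in
# the mobile-only block, and an unrelated logo outside both.
SAMPLE_PROFILE_HTML = """<html><body>
<div class="desktop-only"><img src="https://cdn.example/qr/placeholder.png" alt="QR"></div>
<div class="mobile-only">
  <div class="avatar"><span><img src="https://cdn.example/profiles/placeholder.jpg"></span></div>
</div>
<img src="https://cdn.example/logo.svg">
</body></html>"""

if __name__ == "__main__":
    print(hidden_images(SAMPLE_PROFILE_HTML))
```

Save the page with “View source” rather than the rendered DOM if you want to confirm that the photo is present in what the server actually sent.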


Option 2 – The Easy Button

I’m willing to bet that several of you are smart cookies and probably thought of this second option as soon as you started reading the first one and saw “mobile-only”, but for the rest of us who just mash keys for a living, perhaps it wasn’t super obvious…

Open your developer tools using “Inspect” or a hotkey, then leverage that little icon near the top left corner of those developer tools to toggle your browser right on over to the mobile view. (This is something we use in OSINT all the time when we know that the display and/or functionality of a site will change to our benefit. I’m looking at you, Instagram follower lists!) Simply clicking that little button takes us right on over to the mobile view for CashApp and immediately confirms the presence of that image we’re looking for, without the need to invest our hard-earned free time in the extra clicks!

Use this “mobile view” method first, and then take all the time you’ve saved to instead click share on this blog post. #shameless

An Overseas Businessman Died and Left Me $4.6M, So I Used OSINT & Social Engineering to Scam a Scammer.

I received this email to my business back in 2022, and it landed directly in my spam folder, exactly as it should have…

It’s a scam so old it has become cliché in much of the world. The overseas millionaire, perhaps a Prince, or in this case a rich & dead businessman whose living proxy has miraculously plucked me from the masses of all the email-owning people on earth to be the sole beneficiary of an oddly specific fortune! What luck!
I mean, never mind the fact that I can’t even conjure up enough luck to win the monthly business card raffle at my local Subway restaurant; it looks like things are finally turning around for me!

You ever wonder who’s on the other side of one of these emails?

Well I did, and although it seemed like an impossible feat at the time, I decided to take a swing at exposing the fraudster on the other end of the line and see what kind of end game they had in mind for me, their hapless and less privileged victim. What resulted was a wild OSINT and social engineering ride I’ll never forget!

To start off, I take a moment to define a goal. While things may change as we move along, at the outset I know that I want to elicit information from the scammer that may help me identify them in real life. Ok great, how do I do that? I need to think of the kinds of people the scammer expects to engage with when he or she is successful. Not very savvy? Perhaps unwise about technology? Maybe greedy? I’ll definitely need to play a role in order to accomplish my goal, and I figure the more I act like what they’ve experienced from prior victims, the more likely it is that I might draw something out of them.

How will this all go? Well I don’t know quite yet.

Although I am almost completely certain that I’m dealing with a freshly created throwaway email address, I can’t just assume they’ve not made some kind of mistake and not do the research on it. So I check all the usual boxes to start: run the email through breach data tools, https://haveibeenpwned.com, https://emailrep.io, Google, check the username portion in https://whatsmyname.app, etc etc etc. If you’ve spent any time doing OSINT work, you know those angles quite well, but if not, I would encourage you to check out my prior blog on pivoting off an email address HERE.

All of that was a bust, as expected. Now I know I’m going to need to start the active engagement at this point, so I fire up the VM, open a sock-puppet Gmail, and get to work. I’m not going to email them back from my work account and expose anything about me so this will be done under my favorite alias. (Bonus points to anyone who recognizes where the name Tommy Gemcity comes from) Hint: It may be spelled differently than the actual origin.

So I’m basically cold-emailing them from a new account they’ve never seen before, but given the fact that I’m sure they spammed countless email addresses in their quest for a victim, I doubted they’d notice at all. I was right. You might also notice my email signature where I’m actually taking a stab at (harmlessly) phishing them right back. The Treasure Hunter’s Club? Does that sound interesting enough to click on the link in my signature? If it did, their IP address would be instantaneously captured before they were redirected to a completely normal and harmless website I’ve pre-programmed to be the final destination. How, you might ask? There are a number of sites and tools, which shall remain nameless, that can help you set something like this up and may even let you choose from some pre-made URLs or use a link shortener to help make your IP-grabbing link look just a little bit more legit. (Blah, blah, don’t break laws, blah, blah, don’t violate policy, blah.)

Now I will admit I started out a bit greedy here, and at this early stage of the game, our adversary was too wise to click on my tricky signature link. Let’s carry on.

A few days pass, and I receive a reply with good news! All they need in order to transfer my millions is: my full name, my address, my phone number, and a copy of my passport or ID. AMAZING!
Suddenly though, I get cold feet. You see, I’m a little leery about giving out my information online. Or so I say…

I’m hoping that my need for reassurance will result in the scammer giving me something I can work with. Let’s see what they come back with…

BRILLIANT! Turns out they had some concerns about me as well, but I’ve now proven myself the worthy recipient of this “legal and risk free” fortune, which is coincidentally my favorite kind of fortune! Let’s have a look at these OFFICIAL documents:

Now I’m no bank fraud investigator but I could tell these documents were authentic right when I noticed they used at least 6 different kinds of fonts. And while I’ve never actually seen what kind of paperwork you have to do when you drop that kind of coin in the bank, I definitely imagine there being lots of stamps and signatures, so check and check! Looking good to me! [rolls eyes]

The scammers are still waiting for my personal information, so I oblige, providing them with the address and phone number for the largest apartment complex in the United States and of course a link that will take them directly to the web page of Google files, while conveniently grabbing whatever IP address they might be using at the time. Yes, I’m trying that trick again. What have I got to lose?

I’m really starting to wonder though… what is their end game here? It can’t be just simple identity theft, can it? Perhaps more will reveal itself as we carry on.

As you can see, I’m being passed off to a new and much more official sounding email address. I will fast forward over this part of the story because it involves multiple email exchanges with them assuring me they are ready to transfer the money but need my ID photo, and me fumbling through various reasons why I can’t manage to attach a simple JPG to my email, trying to keep them on the line to expose something useful.

But in the meantime, something amazing happened… they clicked the link!

I’ve got an IP address to work with! Of course, I’m not holding my breath that this is going to be someone’s actual IP and not one of the zillions of easily accessible VPN IPs available to literally anyone with even the slightest ability to Google, but I’m still going to check…

I see that the Internet Service Provider (ISP) is Orange, from the Ivory Coast area in Africa, and I check it in several tools like https://maxmind.com, https://ipinfo.io, and https://dnslytics.com to see what they can tell me. All say Orange is the ISP, general area is Abidjan in Cote D’Ivoire, and now I’m seeing it’s negative for VPN/proxy/TOR/relay. This is looking really promising!

One other thing I like to look at for someone’s IP is a site called https://iknowwhatyoudownload.com, which checks for torrent downloads and distribution. In many parts of the world, this is still popular, and while it might not offer me any value in terms of identifying someone, I can use this to get a sense of whether an IP might be from a VPN or not by looking at the volume. Many VPN IPs, when checked through this site, will reveal a very long list of torrents (often X-rated) that would be more than a typical household would consume on its own. In this case, the IP in question had just a handful of results for some TV shows, not what I would expect from a commercial VPN IP.

You might be saying to yourself, “all of this is great, Griffin, but it’s not getting us any closer to identifying someone!” You’d be right. Without a legal order or some kind of special access, finding the person behind that IP isn’t going to happen. Or is it?

You see, we have one hail mary left to throw here, and it’s our good old friend breach data. I call it a hail mary because it has only worked for me a handful of times over the years with IPs, due to a number of factors around how they can be changed as well as the move to IPv6 from IPv4, but it’s still something worth checking. As it turns out, this IP address HAD been part of a data breach, and it was connected to someone’s account. Someone we’ll call “PB” from here on out.

This is (potentially) great news! I say potentially because there are a ton of asterisks that should accompany information like this. For one, it does not put this person behind the keyboard in my situation. For another, we do not know if this IP address from the breach is still with this person. The list goes on, but for the moment we’re going to call “PB” a person of interest and see where things go.

Now we get to the fun part, OSINT! We’re working with an email and a name, and we want to see who this person is, what they’re about, and where they are in the world.

Finding a foothold in this person’s online life was a challenge at first, because they do not go by their (presumed real) “PB” name in social media handles, they go by a version of what I will call “Bright Man”. Here’s a little tip for you… I was able to locate a Facebook profile for this person by letting Google do the work for me, creating a Google dork to view results indexed from Facebook specifically that included parts of the “PB” name in the URL. Something along the lines of site:facebook.com "TERM1 AND TERM2". You see, a lot of Facebook users may start out an account using their full name, and then adjust the display name to something new like Mr Bright Man did, but they never change the URL (yes that’s a feature). So when John Smith starts a Facebook account at facebook.com/john.smith and then changes his display name to Jethro Gibbs, well his URL will remain unchanged. I can’t even count the number of times I’ve found someone’s Facebook account by just trying firstname.lastname in the URL, try it out sometime!

OK, so Mr. Bright Man is merely a person of interest here, and may very well be unrelated to the scam so I’m going to blur him out, but I will say he had quite the online presence to explore:

I was also able to gather up several phone numbers and email addresses from clues left in his online posts and videos, as well as determine roughly where he lives by geolocating a few of his YouTube videos. So now I’ve got a decent handle on who this person of interest is, should that become helpful down the road.

All the while I’m researching Mr. Bright Man there’s still one question burning in my brain… what is the scammer’s end game? Obviously, scams are for money, but so far the worst thing they’ve tried to do is get a copy of my passport, address, and phone number. Could they monetize that? Sure. Is it more work than just getting me to send them money somehow? Yup.

And just then, the answer finally arrives in my inbox. It’s a bit small to read in the picture below, so let me just spoil the surprise for you now… it’s an advance fee scam. I’m being advised that the account holding my $4.6M is a “suspense account” which requires reactivation by way of paying a fee before they are able to release the full funds. I am offered two options: (1) reactivate the account and claim the very substantial interest accrued, for a fee of $1260, OR (2) reactivate the account and forgo the accrued interest, for a smaller fee of $860. Classic!

What kind of a money-hating idiot would turn down hundreds of thousands of dollars in accrued interest just to save $400 on fees? NOT THIS SOON-TO-BE MILLIONAIRE!! Sign me up for that $1260 fee right away please and thank you very much!

Is this the end then? That’s really all there was? Well, no. I’m not ready for this to be over. Much like Ted Lasso, I know the end will come eventually, but I won’t let myself think about it being over until the last possible moment. Goldfish memory!

I’m going to take one more stab at getting information from the scammers and see where it leads. If I assess what’s happened, I know they want me to send them money, I know they must have a way to get that money, and I know that their banking information may reveal new clues for me, so I press on. I’m ready to send the money, just tell me where…

Ah crap! Thomas Smith??? That just screams obviously fake.

But wait.

Aren’t they expecting me to send them money to this account? So that means they intend to get it. There must be more to this than what I thought. Maybe Thomas Smith is actually a real person. Maybe Thomas Smith is a victim as well! You see, there’s this thing called a money mule, essentially a middle person usually uninvolved in the actual scam who facilitates movement of the funds involved. In some cases they are tricked, in some cases coerced, and in other cases they may actually get a cut of the money for performing services like cashing out and sending the balance elsewhere. (Work from home job scams anyone?)

I need a plan. Finding a Thomas Smith somewhere in the world is going to be impossible without some other kind of information, so I play the helpless, bumbling victim angle in hopes of gaining something I can use. I tell the scammer that my bank won’t allow me to transfer the money despite my best efforts, but let them know that I do have access to PayPal and Venmo instead if only they’d be willing to provide an email address or phone number for me to look up their account. But will they fall for it?

More has been revealed! Let’s get to work on finding Mr. Smith, and seeing what he’s all about. First, we check the PayPal profile using the search by email feature of the mobile app and see what appears.

A face! It’s a start, and we still have the email. If you’ve read any of my other blogs, you know how much I love the https://epieos.com tool for researching email accounts. In this case, I find that the email is connected to a Google account for Thomas, and that Thomas has left a number of reviews of businesses in a fairly tight geographic area.

Using Thomas’ very common name, and some of the names of towns near the area where he left those restaurant reviews, I start hitting the Facebook advanced search feature. Combining his name with various town names, it doesn’t take me long to find an account with a face that looks remarkably similar to the PayPal profile I was referred to by the scammer.

Success!! As I look more into Thomas’ life, I realize that he’s most certainly not someone wrapped up in an international wire fraud scheme, he’s most likely an innocent victim himself, either being preyed upon or compromised in some way. I’d like to see if I can locate his contact information or residence now, because I have every intention of passing him off to local authorities who can help him. I return to his online life in order to gather more information. Part of what I do is read the many different business reviews Thomas has written looking for clues, and I discover one for a church. This particular review leads me to believe that Thomas is very active at this church and I wonder if their social media may have other photos or information about him.

Bingo! I read on and find other posts mentioning him, explaining his background, and listing his family members including his wife by name. This is more than enough information for me to hit some people search sites like https://truepeoplesearch.com and begin researching the addresses. I locate an address that appears to be current, but just to be extra sure I Google for the County GIS portal in order to research property tax information on the property address. You’d be surprised how many US Counties have these kinds of sites and searches available.

Just the thing I was hoping for. Thomas and his wife are both still listed on the property, and through the people search sites I was able to gather information for them as well as locate additional social media. More than enough information for someone to make contact with Thomas and help him out of the situation he may be stuck in. Elder scams are sadly quite prevalent, and often extremely detrimental to their victims, who can unwittingly lose large sums of money in a short period of time before even realizing something is not right. My hope for a happy ending here is that someone can help Thomas, and I know just the folks to do it.

My findings get packaged up into a report, and despite the fact that I never actually proved that Bright Man was behind the scam, I provided more than enough information to the authorities to demonstrate what was occurring and compel them to at least help Thomas. This was all delivered to a friend at a US agency who deals specifically with these types of crimes and who happened to have a fellow agent and friend right in Thomas’ area that would follow up.

Wow, what a journey that was! By playing the part of a clueless victim, I was able to take a run of the mill scam email, elicit potentially identifiable information from a person or persons halfway around the world, and by utilizing OSINT I was able to put together a significant amount of intelligence on a person of interest, and most importantly identify and lead authorities to a likely victim who may have really needed help. I’d say all in all that’s a pretty impressive result!

Thanks for sticking with me till the end. I hope you enjoyed the story, maybe picked up a few things, and most importantly became just a little more aware of the dangers lurking out there online.

A Scam Study: Too-Good-To-Be-True Deal Sites Lurking in Your Social Media

If you don’t spend much time in the r/Scams subReddit, you really are missing out. Aside from the never-ending landslide of scam examples to learn about… if you’re an investigator, it also means a never-ending landslide of research fodder! One such example presented itself to me the other day, when I read a post about someone helping out their mother, who had clicked on a Facebook advertisement that led her to purchase a steeply-discounted set of patio furniture from what she believed to be a legitimate site bearing a highly recognizable company name and logo. The site was called “Weeyfair”, and spoiler alert, it was definitely not legitimate. Best case scenario, she’s out the money she spent… worst case scenario, her credit card is compromised and her contact information landed her a spot in the Scams-R-Us rolodex for future engagements.

Anyway, I decided to do a little digging to see what I might find, and it quickly spider-webbed into a network so convoluted that I quit taking notes, and started making a visual graph just to try and keep it all straight.

ugly, but it tells the story

I’m going to run through some of the research methods I used, but first I need to make a couple things clear:

- I do not recommend that you visit any of the sites mentioned in this research, in fact, I strongly recommend that you DO NOT.
- This is not an attempt at exhaustive research, there are so many different avenues to take when researching this kind of scam network, and if you have other ideas (and the time to run with them), then grab this torch and run like hell. I’m not exactly drowning in free time since I do this nonsense during the hours when I should be sleeping.
- I am not saying that every string we pull here leads to nefarious people running scams, “legitimate” drop shipping is possibly mixed in and the court of public opinion is split on whether that’s right or wrong.

Now, let’s get to work…

To start off, we need to take a look at the very first lead we have, the site used by the victim. When I say look at it, of course I mean have someone else look at it and report back to us. As an older brother, I’ve been deploying this tried-and-true method of self-preservation for many years, and it’s helped me avoid everything from getting grounded to getting doused in skunk spray.
So who can we get to look at a website for us and report back? One of my favorites is urlscan.io “A sandbox for the web”. Using this site, I can see where a link starts and ends up, any redirects, HTTP transactions, structurally similar sites and so much more. One thing I really like though… I can see a screenshot preview of what would be in my browser window had I not just sent my little brother over there to poke it with a stick!

For most of us, this is where the scam alert alarm bells would start going off. As you can see, this site is not only playing on the name of a widely-known furniture-selling website, it’s also visually impersonating a very well known retail chain (whose info I am obscuring… again, self-preservation). Most of you are probably already saying: I’ll take “Flags That Are Bright Red” for $200, Alex. Not everyone out there in internet-land would be suspicious at this point though, and that’s what these kinds of sites bank on.

So, I’m starting to get an idea of what I’m dealing with, but I want to see more before I get too close. I wonder if the Google machine has anything useful? When I head over there and give it some search params, I’m looking for any potential thread to pull. I search “weeyfair.com” and then I search “weeyfair” and then I search “weeyfair” alongside -site:weeyfair.com (to see all indexed content with weeyfair in it that does not include content from the actual site), and all of these things give me a chance to look around a bit more. I see the site has listings for various types of outdoor furniture, and they seem to have other site pages for things like a privacy policy (LOL), shipping policy, payment policy and so on. I start to wonder if they share any kind of contact information that I could research: a phone number, an email, a parent company or cross-linked website. I could continue on with adding more to my Google searches, but let’s try a different type of visual inspection that shows us more of the page.

One site I love to use is Dr. Fou’s pagexray. This site can tell some really interesting stories about the advertising tech & trackers being deployed on a site, it gives a larger screen shot, but most importantly for us right now… it nicely displays a list of all outgoing links from a web page for me to review. This can be extremely helpful when researching a site from a distance. In this case, I can see that the Weeyfair site has outgoing internal links to the other site pages, a bunch of product listings, and also external links to social media sites. Normally this is where I’d see someone linking to their social profiles but in this case, the links are simply to the homepages of each social site, probably left there from the website template being used, never having been changed to direct a visitor to a related profile. While it may seem like a swing and a miss, in reality it further adds to my pile of red flags because most legitimate companies are probably going to have that squared away.

I’m curious about some of the products for sale now, because who doesn’t love a deal that seems too good to be true?! I wonder if applying a bit of scrutiny to one of the listings will help us dissuade some of our less scam-conscious friends who might be victims of a site like this? I pick an item with a model name that could be unique to whatever company actually offers it for sale, and go out looking for a more reputable example of the $40 Damis 42.5″ Wide Tufted Oversized Accent Chair. Based on what little I know about accent chairs thanks to my mother in law, this price is either really suspicious or someone needs to explain the chair-shaped hunk of gold sitting in my living room. As it turns out, this exact item is offered by the much more well known site that this one attempts to impersonate… at 20x the price of Weeyfair!!! Red. Flag.

what’s the lowest you’ll go on the asking price?

I’m still exploring and looking for something I can exploit and pivot from, so now we’re moving on to another favorite of mine for visual website research… page2images. This is one of many webpage screen capture services out there, and I like it because not only is it easy to use, but it allows me to see either a mobile or desktop version of a site I’m capturing, which can come in handy sometimes. For the first time, I see something at the very bottom of the homepage that screams Pivot! louder than Ross Geller helping Chandler Bing carry a couch up the stairs.

A Gmail??? Come on now, scammers… you’re better than this.

What can we do with a simple Gmail address? Well, a lot actually. Most of that type of exploit is a story for another day though, and in this case we’re just going to rely on our old pal Goog’ to help us find some other websites that might have flaviodeby08’s contact info listed. A couple quick searches for “flaviodeby08” and for “[email protected]” start showing us that we’re dealing with more than just the Weeyfair site. Let’s explore…

For each new site indexed with this email in the contact area, I’m applying a similar process to what was described above, and seeing the same template site deployed over and over using different names: pasenstore, wayccop, and comsestore. Through further research, I can see that each of these sites is recently created, and seems to replace a prior set of sites deployed a month earlier, and others deployed prior to that. Some of these sites no longer exist so I’m checking cached versions from the Google results, or I’m reviewing those junk “scam review” sites that pretend they did some research by auto-filling images and details from dodgy sites like Weeyfair, then delivering the result to you in the form of an advertisement-laden “report”. The one nice thing about these cookie-monsters is that they capture the contact information as it appeared on the page, and this leads me to another Gmail address to check: “[email protected]”.
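Two of the red flags above, the unedited template social links that pagexray’s outgoing-link list revealed and the free-mail contact address found in the footer, can be checked on a saved copy of a page without ever visiting it in a browser. The script below is an added example, not code from the blog or from any of the tools it names; the shop domain, the links and the contact address in the sample HTML are constructed placeholders, and the lists of social and free-mail domains are assumptions you would extend.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists, extend as needed. A shop whose only contact is a free-mail
# account, or whose social links go nowhere but the network's homepage, is
# showing the template-site pattern described in the post.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
SOCIAL_HOSTS = {"facebook.com", "instagram.com", "twitter.com", "pinterest.com", "youtube.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect every <a href> target plus all visible text from a saved page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_data(self, data):
        self.text.append(data)


def _host(url):
    """Hostname without a leading www., or '' for relative links."""
    h = urlparse(url).hostname or ""
    return h[4:] if h.startswith("www.") else h


def classify_links(html, site_host):
    """Split a page's links into internal and external (the outgoing-link view)."""
    p = LinkCollector()
    p.feed(html)
    internal, external = [], []
    for href in p.hrefs:
        if urlparse(href).scheme not in ("", "http", "https"):
            continue  # mailto:, tel:, javascript: are not navigable page links
        h = _host(href)
        if not h or h == site_host or h.endswith("." + site_host):
            internal.append(href)
        else:
            external.append(href)
    return internal, external


def template_social_links(external):
    """External social links that point only at the network's bare homepage."""
    return [h for h in external
            if _host(h) in SOCIAL_HOSTS and urlparse(h).path.strip("/") == ""]


def contact_emails(html):
    """Addresses in visible text or mailto: links; these are the pivot points."""
    p = LinkCollector()
    p.feed(html)
    found = set(EMAIL_RE.findall(" ".join(p.text)))
    for href in p.hrefs:
        if href.lower().startswith("mailto:"):
            found.add(href[7:].split("?")[0])
    return sorted(found)


def red_flags(html, site_host):
    """Human-readable list of the template-site indicators present on the page."""
    flags = []
    _internal, external = classify_links(html, site_host)
    social = template_social_links(external)
    if social:
        flags.append(f"{len(social)} social link(s) go to bare homepages (unedited template?): {social}")
    emails = contact_emails(html)
    for e in emails:
        if e.split("@")[-1].lower() in FREE_MAIL:
            flags.append(f"contact address on a free-mail provider: {e}")
    if not emails:
        flags.append("no contact email found on the page")
    return flags


# Constructed sample: a saved storefront homepage with a footer like the one
# the post found at the bottom of the page.
SAMPLE_HTML = """<html><body>
<nav><a href="/">Home</a><a href="/collections/outdoor">Outdoor</a>
<a href="https://shop-placeholder.example/pages/privacy-policy">Privacy policy</a></nav>
<div class="product"><a href="/products/accent-chair">Accent chair $40</a></div>
<footer>
<a href="https://www.facebook.com/">Facebook</a>
<a href="https://www.instagram.com/">Instagram</a>
<a href="https://twitter.com/">Twitter</a>
<a href="https://checkout-partner.example/pay">Checkout</a>
Contact us: seller-placeholder@gmail.com
<a href="mailto:seller-placeholder@gmail.com?subject=order">Email us</a>
</footer></body></html>"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_HTML, "shop-placeholder.example"):
        print("RED FLAG:", flag)
```

Feed it the HTML that urlscan.io or a screenshot service fetched for you rather than a live download, so the check stays as hands-off as the rest of the research.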

Suddenly, the Weeyfair universe begins expanding rapidly as my Google searches for the various site names, email addresses, and so on allow me to connect the dots between dozens and dozens of pages deployed in recent months with the same format, the same suspiciously low prices, and the same evil intention. At some point while down this rabbit-hole I come up for air and I wonder to myself… gee Griffin, how many more hours could you spend on this if you started searching for contact phone numbers too? Off we go again, this time finding other networks of sketchy looking template sites displaying the same contact number, like a group of pages sporting the name “Venzkemall”. Here’s a look at how this part of the graph is shaping up…

Now I feel compelled to say that the farther away I was from the original site, the more often I found what appears to be potentially “legitimate” drop-shippers (don’t @ me with your views on this topic, please). Drop shippers are people who essentially take your order for a product they don’t own, then facilitate the ordering of that product for you at a slightly inflated cost. Some of these shippers might also leave you with sub-par products intending to either defraud you entirely, or knowing they can offer a partial refund, still making off with a profit. That’s just scratching the surface, and if you’re interested in the topic there are plenty of opinions out there, even people writing books and how-to guides designed to help you get your drop-ship side hustle on. Conversation for another day, over a beer perhaps.

Let’s get back to the fun. After all this digging I decide to shift gears and head over to Facebook. As we know from the Reddit post that started it all, the victim found themselves following a Facebook link to Weeyfair. I wonder if Weeyfair, or any of the dozens of other sites I’ve discovered, have a Facebook page? Turns out, most of them have several! Some are pretty bare bones, but others in the far-reaching spiderweb I’ve now found myself struggling in offer pivotable contact phone numbers, contact emails, images, and so on. If I’m really being thorough, I can look through their posts, see who likes/comments/shares them, and dig ’til my little paws fall off. Not today, Satan. One great thing about Facebook pages for business is that you can view what’s called the Page Transparency information. This can tell you things like when they were created, where the site owners are based (or at least where their profiles are set up), what kind of advertisements are running from a page, and more. Look for a box like this when visiting one of these pages and see what you can learn.

Another thing I feel compelled to mention here… This research led me to find an obscene number of websites masquerading as well-known companies of all kinds, selling goods of all types, on template sites with stolen imagery, brand names and logos any one of us would recognize immediately. Nothing new in the online world unfortunately. All I’m saying is that those represented here are not the only companies being copied, not by a long shot.

Alright, this story is starting to get a little long-winded, so let me summarize a few other investigative possibilities, if not to give you some more ideas, then at least to reduce the number of comments I’ll get from people trying to call out other things I “missed” looking into. Someone with no day job and the kind of free time I had before kids could go on and on here looking at code, images, sitemaps, other site text, other search engines, other social media sites, WHOIS information, shared analytics IDs, IP addresses, certificates, victim-reported contact information, the list goes on and on and on. I did some of those things, and never tried others. We could never hope to exhaust everything, but after staying up til 2am researching and putting this together, I can definitely say it exhausted me. The bottom line is, this scenario presented more than a handful of red-flag learning moments that hopefully help you and your less-savvy loved ones stay safe while bargain hunting online. I’m hoping it also gave you a few new OSINT ideas for your future investigations.

LinkedIn Fakes: A Wolf in Business Casual Clothing

Nobody wants to believe they’ll fall for a scam. Especially not any of you, my intelligent, savvy, and OPSEC-conscious friends!

Your radar is always on and carefully protecting your personal information, so you’d never click the link in that fortune-promising email, you’d never open an unexpected file attachment, and you’d certainly never send some stranger a document with your personal details on it; that’s inconceivable!!
Or is it?
What if there was a site where doing those types of things wouldn’t actually seem all that out of the ordinary? One where interacting with strangers and sharing personal information about yourself could lead to long-term gainful employment? What if the profile on the other end of that message looks polished, with a long work history of instantly recognizable company logos, a top-tier college, and a mountain of mutual connections and groups? One with a real, human, smiling face that syncs up perfectly with the nice, tidy appearance of the rest of the profile. Maybe it looks something like one of these…

Several of you are already closing this page and running to check your LinkedIn connections, which normally I’d say is probably a better use of your time than reading anything I wrote, but hang on here for a few minutes and see what else you might pick up.

Now, despite what I’m sure you all assume is my day-to-day online life: tidal waves of adulation, throngs of adoring fans, and a never-ending barrage of “likes” and “follows”, you might be surprised to know that a handful of similarly-structured connection requests on LinkedIn would catch my attention. Several months ago, I began to receive request after request to connect with various Human Resources Specialists, Talent Acquisition Consultants, and Senior Staffing Specialists. At first glance, this could have been quite exciting; I mean hey, I’m finally getting noticed, right?! Do I need to go check my WordPress stats? Nope. Immediate red flag, I know better than that.

A quick glance down the line and I instantly noticed one thing… the profile photos all seem like GAN images (Generative Adversarial Network). Specifically, after testing with Sensity.ai, they’re StyleGAN2. If you haven’t heard of these before, you may have heard of sites like thispersondoesnotexist.com or generated.photos which will provide you a seemingly endless supply of “fake” faces, using trained AI to attempt a realistic construction of a face that “doesn’t exist”. (Picture me saying that with air quotes; turns out those don’t work well in blogs.) I say it that way because it’s been demonstrated that the images of actual people that the AI learned on are remarkably close in some cases to the “fake” ones it generates.

Tell-tale signs of these GAN photos aren’t always that easy to spot. A mismatched earring, a strange wisp of hair, odd teeth perhaps. Others may be comically easy to spot, giving much more obvious clues like partially constructed glasses, an ear that belongs on a Halloween costume, or a half cropped-out companion that looks like something out of a Stephen King novel (yes, those movies are from books). One thing is almost always right, though… the eyes. Perfectly spaced, perfectly level, and generally clear as a bell.

Think about it… would you accept a connection request from this profile photo, with a recruiting job title, who sends a note saying he’d like to have you in his professional network? Most people would…

thispersondoesnotexist photo

What about his oddly-constructed friend up next here… with one tiny, unpierced ear halfway up the side of their head, and some sort of Red Baron-esque goggles that remind me of Seth Green’s character in Can’t Hardly Wait? This one would be much easier to second guess and avoid.

Great movie, I don’t care what you say.

Anyway, back to the story… The connection requests keep coming in and eventually I get curious, as all investigative-minded researchers do, and I want to know more. What’s the motivation here? What’s the game?
Some of the profiles may offer a message with their connection request, professing their admiration for my work or interest in something I’m doing, but most are just smiling faces, awaiting my acceptance. So I let a few of them in.

I start by reviewing the profiles and I see a fairly consistently repeated pattern: smiling face, a tagline with consultant/hiring/sourcing, a generic stock art cover photo of some cityscape, a hometown anyone would recognize, 3 prior employers with unmistakable brands and a college I’d be lucky to afford cafeteria food from, let alone an education. They’re in groups, they’re well connected, and many even have endorsements for skills by seemingly real-life people using the site for actual networking.

All very interesting, but not much I can use to further explore a potential network. Reverse searching the profile photos leads nowhere, there’s no contact information being offered on the page (even after connecting), and the names offer nothing to pivot from. Visiting their connected groups and scrolling through the ranks makes it clear there are more profiles that could be consistent with what I’ve already seen, but what can I do to find them? I’m looking for something I can expand from, pivot from, some lazy mistake they’ve made that can help me see a bigger picture.

Remote Hiring? What could possibly go wrong?!

Then I notice something. Many of them have a short bio section talking about who they are, and a few of them have lazily repeated each other. BINGO! I take one of the bios, zero in on a section that seems unique enough that it won’t appear elsewhere and head over to Google to use my favorite dork!

site:linkedin.com “I’ve had an interesting career with several wonderful companies but being a world-class HR consultant and practitioner has always been my passion”

This gives me 95 unique profile results sharing that exact bio text, including my new professional pal, Winnie Hill, Human Resources Supervisor! Does poor Winnie realize that 94 other hard working recruiters and HR professionals out there are just as passionate as she about their careers (but not about originality)? A quick review of some profiles in those results shows me the same cookie-cutter approach I’ve seen before, sprinkled with different company names and colleges, topped off with all new GAN profile photos.

So, I try a few more: “I’ve made a name for herself as an international HR and staffing consultant” and “I am a consummate networker, thinker, traveler.” and
“changing the world through providing quality jobs to people in developing economies”.
These new searches net me a few hundred more profiles to review, new faces and new names, but the song remains the same.

You get the idea.

Soon, it becomes obvious we’re dealing with an organized network. One that someone put a lot of time and effort into constructing, maintaining, and leveraging. One that managed to bypass whatever level of scrutiny they were given at sign up and has now gone on to connect with thousands of unsuspecting potential victims. This is the type of threat in the type of setting that can literally ruin a life, a career, or even bring down a company when the wrong person clicks on a link, sends over their resume, agrees to a fake consulting gig, or gives away too much access or information. Sure, they could also be trying to sell you weight loss pills, talk to you about your car warranty, or perhaps something less dastardly… maybe they’re bots, creating profiles to bypass login wall protection and hoover up as much information as they can. One thing is for sure, they’re here for something they probably shouldn’t be.

In case you’re wondering, after taking a handful of these bios and performing the same searches in order to scrape together the results, I found more than I expected. Using basic tools & extensions like Remove Breadcrumbs to lengthen the visible URL in the results, and Instant Data Scraper to grab the Google results and pull them into a workable spreadsheet, I was able to capture over 300 profiles sharing the same series of unique bios, then tease out the top job titles in a simple pie chart.
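The bio-matching and job-title tally described above, written up as an added Python example (not the author’s tooling, and nothing LinkedIn or Google provides). It takes profile rows as you might export them from a scraper, finds bios that share a run of words, groups those profiles, picks one quotable window per group that could go inside a site: search, and counts the headlines across all flagged profiles. The rows, names and bios are constructed for the example; the first two bios reuse the wording quoted in the post.

```python
import csv, io, re
from collections import Counter, defaultdict

# Constructed sample of scraped profile rows; names and bios are made up for this example.
SAMPLE_CSV = """name,headline,bio
Winnie Hill,Human Resources Supervisor,"I've had an interesting career with several wonderful companies but being a world-class HR consultant and practitioner has always been my passion."
Alex Doe,Talent Acquisition Consultant,"Proud Texan. I've had an interesting career with several wonderful companies but being a world-class HR consultant and practitioner has always been my passion!"
Sam Roe,Senior Staffing Specialist,"I am a consummate networker, thinker, traveler. Changing the world through providing quality jobs to people in developing economies."
Jo Poe,Human Resources Supervisor,"I am a consummate networker, thinker, traveler. Always hiring."
Kim Loe,Software Engineer,"I build distributed systems and enjoy hiking on weekends."
"""

def shingles(text, n=6):
    """Set of n-word windows in text, lower-cased with punctuation stripped."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}

def find_bio_clusters(csv_text, n=6, min_profiles=2):
    """Group profiles whose bios share an n-word window with at least min_profiles others."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    owners = defaultdict(set)  # window -> names of the profiles whose bio contains it
    for row in rows:
        for sh in shingles(row["bio"], n):
            owners[sh].add(row["name"])
    shared = {sh: names for sh, names in owners.items() if len(names) >= min_profiles}
    # Union-find: profiles linked through any shared window end up in one cluster.
    parent = {row["name"]: row["name"] for row in rows}
    def find(x):
        return x if parent[x] == x else find(parent[x])
    for names in shared.values():
        first, *rest = sorted(names)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for name in parent:
        groups[find(name)].add(name)
    headline = {row["name"]: row["headline"] for row in rows}
    clusters = []
    for members in (g for g in groups.values() if len(g) >= min_profiles):
        # One shared window, chosen deterministically, is the quotable text for a site: search.
        phrase = sorted(sh for sh, names in shared.items() if names <= members)[0]
        clusters.append({"phrase": phrase, "profiles": sorted(members),
                         "titles": Counter(headline[m] for m in members)})
    return sorted(clusters, key=lambda c: (-len(c["profiles"]), c["profiles"]))

def top_titles(clusters):
    # Job-title tally across every clustered profile (the post's pie-chart input).
    return sum((c["titles"] for c in clusters), Counter()).most_common()
```

Raising n makes the match stricter: at n=8 the two seven-word "consummate networker" bios above no longer cluster, which is the knob to turn when ordinary boilerplate starts producing false matches.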

I share all of this as a warning, because even as recently as this week, I’ve read of many more folks complaining about fake profile requests trying to infiltrate their networks. It seems LinkedIn has an ever-growing problem on their hands that’s not going away any time soon. One that appears largely unchecked, and may have already infiltrated your professional network. Don’t become a victim and don’t let your network become a victim, and certainly don’t think for a second that this problem is unique to just this one platform. Take what you’ve read here and use it to protect yourself everywhere you go. Be curious, but be careful.