Tag: SOCMINT

I received this email to my business back in 2022, and it landed directly in my spam folder, exactly as it should have…

It’s a scam so old it has become cliché in much of the world. The overseas millionaire, perhaps a Prince, or in this case a rich & dead businessman whose living proxy has miraculously plucked me from the masses of all the email-owning people on earth to be the sole benefactor of an oddly specific fortune! What luck!
I mean, never mind the fact that I can’t even conjure up enough luck to win the monthly business card raffle at my local Subway restaurant, looks like things are finally turning around for me!

You ever wonder who’s on the other side of one of these emails?

Well I did, and although it seemed like an impossible feat at the time, I decided to take a swing at exposing the fraudster on the other end of the line and see what kind of end game they had in mind for me, their hapless and less privileged victim. What resulted was a wild OSINT and social engineering ride I’ll never forget!

To start off, I take a moment to define a goal. While things may change as we move along, at the outset I know that I want to elicit information from the scammer that may help me identify them in real life. Ok great, how do I do that? I need to think of the kinds of people the scammer expects to engage with when he or she is successful. Not very savvy? Perhaps unwise about technology? Maybe greedy? I’ll definitely need to play a role in order to accomplish my goal and I figure the more I act like like what they’ve experienced from prior victims, the more likely it is that I might draw something out of them.

How will this all go? Well I don’t know quite yet.

Although I am almost completely certain that I’m dealing with a freshly created throwaway email address, I can’t just assume they’ve not made some kind of mistake and not do the research on it. So I check all the usual boxes to start: run the email through breach data tools, https://haveibeenpwned.com, https://emailrep.io, Google, check the username portion in https://whatsmyname.app, etc etc etc. If you’ve spent any time doing OSINT work, you know those angles quite well, but if not, I would encourage you to check out my prior blog on pivoting off an email address HERE.

All of that was a bust, as expected. Now I know I’m going to need to start the active engagement at this point, so I fire up the VM, open a sock-puppet Gmail, and get to work. I’m not going to email them back from my work account and expose anything about me so this will be done under my favorite alias. (Bonus points to anyone who recognizes where the name Tommy Gemcity comes from) Hint: It may be spelled differently than the actual origin.

So I’m basically cold-emailing them from a new account they’ve never seen before, but given the fact that I’m sure they spammed countless email addresses in their quest for a victim, I doubted they’d notice at all. I was right. You might also notice my email signature where I’m actually taking a stab at (harmlessly) phishing them right back. The Treasure Hunter’s Club? Does that sound interesting enough to click on the link in my signature? If it did, their IP address would be instantaneously captured before they were redirected to a completely normal and harmless website I’ve pre-programmed to be the final destination. How you might ask? There are a number of sites and tools who shall remain nameless, that can help you set something like this up and may even let you choose from some pre-made URLs or use a link shortener to help make your IP-grabbing link look just a little bit more legit. (Blah, blah, don’t break laws, blah, blah, don’t violate policy, blah.

Now I will admit I started out a bit greedy here, and at this early stage of the game, our adversary was too wise to click on my tricky signature link. Let’s carry on.

A few days pass, and I receive a reply with good news! All they need in order to transfer my millions is: my full name, my address, my phone number, and a copy of my passport or ID. AMAZING!
Suddenly though, I get cold feet. You see, I’m a little leery about giving out my information online. Or so I say…

I’m hoping that my need for reassurance will result in the scammer giving me something I can work with. Let’s see what they come back with…

BRILLIANT! Turns out they had some concerns about me as well, but I’ve now proven myself the worthy recipient of this “legal and risk free” fortune, which is coincidentally my favorite kind of fortune! Let’s have a look at these OFFICIAL documents:

Now I’m no bank fraud investigator but I could tell these documents were authentic right when I noticed they used at least 6 different kinds of fonts. And while I’ve never actually seen what kind of paperwork you have to do when you drop that kind of coin in the bank, I definitely image there being lots of stamps and signatures, so check and check! Looking good to me! [rolls eyes]

The scammers are still waiting for my personal information, so I oblige, providing them with the address and phone number for the largest apartment complex in the United States and of course a link that will take them directly to the web page of Google files, while conveniently grabbing whatever IP address they might be using at the time. Yes, I’m trying that trick again. What have I got to lose?

I’m really starting to wonder though… what is their end game here? It can’t be just simple identity theft, can it? Perhaps more will reveal itself as we carry on.

As you can see, I’m being passed off to a new and much more official sounding email address. I will fast forward over this part of the story because it involves multiple email exchanges with them assuring me they are ready to transfer the money but need my ID photo, and me fumbling through various reasons why I can’t manage to attach a simple JPG to my email, trying to keep them on the line to expose something useful.

But in the meantime, something amazing happened… they clicked the link!

I’ve got an IP address to work with! Of course, I’m not holding my breath that this is going to be someone’s actual IP and not one of the zillions of easily accessible VPN IPs available to literally anyone with even the slightest ability to Google, but I’m still going to check…

I see that the Internet Service Provider (ISP) is Orange, from the Ivory Coast area in Africa, and I check it in several tools like https://maxmind.com, https://ipinfo.io, and https://dnslytics.com to see what they can tell me. All say Orange is the ISP, general area is Abidjan in Cote D’Ivoire, and now I’m seeing it’s negative for VPN/proxy/TOR/relay. This is looking really promising!

One other thing I like to look at for someone’s IP is a site called https://iknowwhatyoudownload.com, which checks for torrent download and distributions. In many parts of the world, this is still popular and while it might not offer me any value in terms of identifying someone, I can use this to get a sense of whether an IP might be from a VPN or not by looking at the volume. Many VPN IPs, when checked through this site, will reveal a very long list of torrents (often X-rated), that would be more than a typical household would consume on its own. In this case, the IP in question had just a handful of results for some TV shows, not what I would expect from a commercial VPN IP.

You might be saying to yourself, “all of this is great, Griffin, but it’s not getting us any closer to identifying someone!” You’d be right. Without a legal order or some kind of special access, finding the person behind that IP isn’t going to happen. Or is it?

You see, we have one hail mary left to throw here, and its our good old friend breach data. I call it a hail mary because it has only worked for me a handful of times over the years with IPs due to a number of factors around how they can be changed as well as the move to IPv6 from IPv4, but it’s still something worth checking. As it turns out, this IP address HAD been part of a data breach, and it was connected to someone’s account. Someone we’ll call “PB” from here on out.

This is (potentially) great news! I say potentially because there are a ton of asterisks that should accompany information like this. For one, it does not put this person behind the keyboard in my situation. For another, we do not know if this IP address from the breach is still with this person. The list goes on, but for the moment we’re going to call “PB” a person of interest and see where things go.

Now we get to the fun part, OSINT! We’re working with an email and a name, and we want to see who this person is, what they’re about, and where they are in the world.

Finding a foothold in this person’s online life was a challenge at first, because they do not go by their (presumed real) “PB” name in social media handles, they go by a version of what I will call “Bright Man”. Here’s a little tip for you… I was able to locate a Facebook profile for this person by letting Google do the work for me, creating a Google dork to view results indexed from Facebook specifically that included parts of the “PB” name in the URL. Something along the lines of site:facebook.com "TERM1 AND TERM2". You see, a lot of Facebook users may start out an account using their full name, and then adjust the display name to something new like Mr Bright Man did, but they never change the URL (yes that’s a feature). So when John Smith starts a Facebook account at facebook.com/john.smith and then changes his display name to Jethro Gibbs, well his URL will remain unchanged. I can’t even count the number of times I’ve found someone’s Facebook account by just trying firstname.lastname in the URL, try it out sometime!

OK, so Mr. Bright Man is merely a person of interest here, and may very well be unrelated to the scam so I’m going to blur him out, but I will say he had quite the online presence to explore:

I was also able to gather up several phone numbers and email addresses from clues left in his online posts and videos, as well as determine roughly where he lives by geolocating a few of his YouTube videos. So now I’ve got a decent handle on who this person of interest is, should that become helpful down the road.

All the while I’m researching Mr. Bright Man there’s still one question burning in my brain… what is the scammer’s end game? Obviously, scams are for money, but so far the worst thing they’ve tried to do is get a copy of my passport, address, and phone number. Could they monetize that? Sure. Is it more work than just getting me to send them money somehow? Yup.

And just then, the answer finally arrives in my inbox. It’s a bit small to read in the picture below, so let me just spoil the surprise for you now… it’s an advance fee scam. I’m being advised that the account holding my $4.6M is a “suspense account” which requires reactivation by way of paying a fee before they are able to release the full funds. I am offered two options: 1 reactivate the account and claim the very substantial interest accrued for the fee of $1260, OR reactivate the account and forego the accrued interest for a smaller fee of $860. Classic!

What kind of a money-hating idiot would turn down hundreds of thousands of dollars in accrued interest just to save $400 on fees? NOT THIS SOON-TO-BE MILLIONAIRE!! Sign me up for that $1260 fee right away please and thank you very much!

Is this the end then? That’s really all there was? Well, no. I’m not ready for this to be over. Much like Ted Lasso, I know the end will come eventually, but I won’t let myself think about it being over until the last possible moment. Goldfish memory!

I’m going to take one more stab at getting information from the scammers and see where it leads. If I assess what’s happened, I know they want me to send them money, I know they must have a way to get that money, and I know that their banking information may reveal new clues for me, so I press on. I’m ready to send the money, just tell me where…

Ah crap! Thomas Smith??? That just screams obviously fake.

But wait.

Aren’t they expecting me to send them money to this account? So that means they intend to get it. There must be more to this that what I though. Maybe Thomas Smith is actually a real person. Maybe Thomas Smith is a victim as well! You see, there’s this thing called a money mule, essentially a middle person usually uninvolved in the actual scam who facilitates movement of the funds involved. In some cases they are tricked, in some cases coerced, and in other cases they may actually get a cut of the money for performing services like cashing out and sending the balance elsewhere. (Work from home job scams anyone?)

I need a plan. Finding a Thomas Smith somewhere in the world is going to be impossible without some other kind of information, so I play the helpless, bumbling victim angle in hopes of gaining something I can use. I tell the scammer that my bank won’t allow me to transfer the money despite my best efforts, but let them know that I do have access to PayPal and Venmo instead if only they’d be willing to provide an email address or phone number for me to look up their account. But will they fall for it?

More has been revealed! Let’s get to work on finding Mr. Smith, and seeing what he’s all about. First, we check the PayPal profile using the search by email feature of the mobile app and see what appears.

A face! It’s a start, and we still have the email. If you’ve read any of my other blogs, you know how much I love the https://epieos.com tool for researching email accounts. In this case, I find that the email is connected to a Google account for Thomas, and that Thomas has left a number of reviews of businesses in a fairly tight geographic area.

Using Thomas’ very common name, and some of the names of towns near the area where he left those restaurant reviews, I start hitting the Facebook advance search feature. Combining his name with various town names, it doesn’t take me long to find an account with a face that looks remarkably similar to the PayPal I was referred to by the scammer.

Success!! As I look more into Thomas’ life, I realize that he’s most certainly not someone wrapped up in an international wire fraud scheme, he’s most likely an innocent victim himself, either being preyed upon or compromised in some way. I’d like to see if I can locate his contact information or residence now, because I have every intention of passing him off to local authorities who can help him. I return to his online life in order to gather more information. Part of what I do is read the many different business reviews Thomas has written looking for clues, and I discover one for a church. This particular review leads me to believe that Thomas is very active at this church and I wonder if their social media may have other photos or information about him.

Bingo! I read on and find other posts mentioning him, explaining his background, and listing his family members including his wife by name. This is more than enough information for me to hit some people search sites like https://truepeoplesearch.com and begin researching the addresses. I locate an address that appears to be current, but just to be extra sure I Google for the County GIS portal in order to research property tax information on the property address. You’d be surprised how many US Counties have these kinds of sites and searches available.

Just the thing I was hoping for. Thomas and his wife are both still listed on the property, and through the people search sites I was able to gather information for them as well as locate additional social media. More than enough information for someone to make contact with Thomas and help him out of the situation he may stuck in. Elder scams are sadly quite prevalent, and often extremely detrimental to their victims who can unwittingly lose large sums of money in a short period of time before even realizing something is not right. My hope for a happy ending here is that someone can help Thomas, and I know just the folks to do it.

My findings get packaged up into a report, and despite the fact that I never actually proved that Bright Man was behind the scam, I provided more than enough information to the authorities to demonstrate what was occurring and compel them to at least help Thomas. This was all delivered to a friend at a US agency who deals specifically with these types of crimes and who happened to have a fellow agent and friend right in Thomas’ area that would follow up.

Wow, what a journey that was! By playing the part of a clueless victim, I was able to take a run of the mill scam email, elicit potentially identifiable information from a person or persons halfway around the world, and by utilizing OSINT I was able to put together a significant amount of intelligence on a person of interest, and most importantly identify and lead authorities to a likely victim who may have really needed help. I’d say all in all that’s a pretty impressive result!

Thanks for sticking with me till the end. I hope you enjoyed the story, maybe picked up a few things, and most importantly became just a little more aware of the dangers lurking out there online.