How I tricked a scammer using OSINT and social engineering

Researcher hatless1der shared on his personal blog a story about a rather pressing problem that many people run into in everyday life, regardless of profession.
We present a translation of this fascinating story as an example of applying your skills in everyday life.

I received this email in my business inbox back in 2022 and it went straight to my spam folder as it should have…

Hello dear.

I am Mrs. Noemi Raphael, wife of the late Mr. Ethan Raphael, businessman and politician. Before his sudden death, we deposited $4.6 million in one of the country’s leading banks.

I was given a very bad diagnosis, so I decided to donate these funds to an honest person. My goal is to support the elderly, defenseless and abandoned children, my goal is to help those who are disadvantaged and to fulfill the vow I made to my late husband.

I’ll let you know the details as soon as I hear back from you. Your urgent response is very important due to my health condition.

Ms. Noemi Ethan Raphael

This is such an old scam that it has become a cliché in many countries around the world. An overseas millionaire, perhaps a prince, or in this case a rich and deceased businessman whose living confidant miraculously picked me out of the general mass of every person on earth who owns an email address, so that I became the sole owner of a strangely specific fortune! What luck!
Not to mention, I don’t even have enough luck to win the monthly business card lottery at my local Subway restaurant. Looks like things are finally looking up for me!

Here’s the question. Have you ever wondered who is on the other side of one of those letters?

And although at the time it seemed impossible to find out, I decided to try to expose the scammer on the other end of the correspondence and see what kind of game he was playing with me, his unlucky and “unfavorably positioned” victim. The result was a wild ride of OSINT and social engineering that I will never forget!

To solve this problem, I first needed to define a goal. Although it may change as the case progresses, at the initial stage I know that I need information from the scammer that will help me identify him in real life.

Great, but how do I do this?

I need to think about what kind of people the scammer expects to deal with when someone actually replies to the letter. Not very smart? Perhaps not tech savvy? Maybe greedy? To achieve my goal I will definitely have to play a role, and I believe that the more I behave like previous victims, the more likely it is that I will be able to get something out of them.

How will all this be implemented? I do not know yet.

While I’m pretty sure I’m dealing with a newly created junk email address, it’s possible that they made some kind of mistake, so it costs nothing to do some research on that address. Therefore, to begin with, I do all the usual steps: I run the address through breach data tools such as https://haveibeenpwned.com and https://emailrep.io, Google it, check the username part in https://whatsmyname.app, and so on. If you have done any OSINT work at all, these steps will be very familiar to you, but if not, I recommend that you check out my previous blog about working with email addresses (Advanced OSINT: The Art of Pivoting – @hatless1der | Blog).

As expected, these attempts were unsuccessful. Now I know that from here on I need to start actively interacting with the scammer, so I launch a virtual machine, open a throwaway Gmail account and get to work. I’m not going to send them an email from my work account and reveal information about myself, so everything will happen under my favorite pseudonym. (Bonus points for anyone who finds out where the name Tommy Gemcity comes from.) Hint: it may be spelled differently than it actually is.

Hello Ms. Rafael
I received your email regarding the passing of your husband and your desire to donate to an honest man. I cannot thank you enough for your offer of generosity! I hope we can meet soon and I am sorry that you may be in poor health.
Sincerely, Tommy Gemon
President of the Treasure Hunters Club

So I was essentially sending them a blank email from a new account they’d never seen before, but given the certainty that they’d spammed countless email addresses in search of a victim, I doubted they’d even pay attention to it. I was right. You may also want to take a look at my email signature, where I try to (harmlessly) phish them back. Treasure hunting club? Does this sound interesting enough to click on the link in my signature? If so, their IP address will be captured instantly before they are redirected to the completely normal and harmless site that I set up as the final destination. How, you ask? There are a number of sites and tools, which will remain nameless, that help you create something like this and even let you choose from pre-made URLs or use a link shortener to make your IP capture link look more legitimate (don’t break laws, don’t break policies).

I’ll admit, I started out a little brazen, and at this early stage of the game our opponent was too wise to click on my tricky link in the signature. But let’s continue.

A few days pass and I receive good news! To transfer my millions you need: full name, address, telephone number and a copy of your passport or ID card. MARVELOUS!
But suddenly I chickened out. You see, I’m a little wary of giving my information online. Or so I say…

Thanks a lot!
Unfortunately, I’m wary of giving too much personal information online.

My treasure hunting club is often targeted by people trying to scam us, so I always try to be very careful.

I’m hoping that my need for reassurance will result in the scammer giving me something to work with. Let’s see what they come back with…

Dear Tommy Gemon, thank you for your response. I am glad that you are careful not to provide your information. This gave me confidence that you will not abuse these funds once you receive them. I want to assure you once again that everything is legal and your data is safe. I will just forward them to my bank and give you contact information.

I have attached documents for the funds to assure you that everything is legal and without risk.

Brilliant! It turns out they had some concerns about me too, but I have now proven myself to be a worthy recipient of this “legal and risk-free” fortune, which coincidentally is my favorite kind of fortune! Let’s take a look at these OFFICIAL docs:

I’m no expert on bank fraud, but I immediately recognized the authenticity of these documents when I noticed that they used no fewer than 6 different fonts. And while I’ve never seen what paperwork is needed when you deposit a sum like this in a bank, I can definitely imagine a lot of stamps and signatures, so check and check! I think it looks good!

The scammers are still waiting for my personal information, and I oblige: I provide the address and telephone number of the largest apartment complex in the United States and, of course, a link that will take them directly to a Google file-sharing page, while conveniently capturing whatever IP address they happen to be using at the moment. Yes, I’ll try this trick again. What do I have to lose?

However, I’m really starting to wonder… what is their ultimate goal? It can’t just be identity theft, can it? Perhaps we’ll learn more as we go along.

As you can see, I’m being handed over to a new, much more official-sounding email address. I’ll summarize this part of the story, since it consists of several messages in which they assure me they are ready to transfer the money but need a photo of my ID, while I go over in my mind various reasons why I can’t attach a simple JPG to my email, trying to keep them on the line so I can get something useful.

But in the meantime, something amazing happened… they clicked on the link!

I have an IP address to work with! Of course, I’m not counting on this being someone’s real IP rather than one of the billions of easily accessible VPN addresses available to literally anyone who knows how to use Google, but I’ll check anyway…

I see that the Internet Service Provider (ISP) is Orange, Ivory Coast, and I check it in several tools such as https://maxmind.com, https://ipinfo.io and https://dnslytics.com to get their opinion. They all say that Orange is the provider, the area is Abidjan in Ivory Coast, and none of them flags it as a VPN/proxy/TOR/relay. This looks very promising!

Another site where I like to look up someone’s IP is a service called https://iknowwhatyoudownload.com, which tracks the downloading and distribution of torrents. In many parts of the world torrenting is still popular, and although the site can’t give me anything in terms of identifying a person, I can use it to get an idea of whether an IP address might belong to a VPN by looking at the volume of traffic. Many VPN addresses, when checked through this site, show a very long list of torrents (often X-rated) that exceeds what the average home user consumes. In this case, the IP address only had a few results for some TV shows, which sets it apart from a commercial VPN address.
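The cross-check described above (several enrichment tools agreeing on ISP and city, no anonymizer flags, and a torrent history no heavier than a home user's) can be turned into a small scoring routine. This is an added example, not code from the original post; the provider responses are constructed samples with assumed field names, not real API output, and the torrent threshold is an assumed value.

```python
# Added example: reconcile IP-enrichment results from several providers and
# assign a confidence that the IP is a real end-user address rather than a
# VPN/proxy egress. Field names and sample values are constructed assumptions.
from collections import Counter

# Constructed sample responses, one per provider (assumed field names).
SAMPLE_RESPONSES = {
    "providerA": {"isp": "Orange Cote d'Ivoire", "country": "CI", "city": "Abidjan",
                  "is_vpn": False, "is_proxy": False, "is_tor": False},
    "providerB": {"isp": "Orange CI", "country": "CI", "city": "Abidjan",
                  "is_vpn": False, "is_proxy": False, "is_tor": False},
    "providerC": {"isp": "Orange Cote d'Ivoire", "country": "CI", "city": "Abidjan",
                  "is_vpn": False, "is_proxy": False, "is_tor": False},
}


def normalize_isp(isp):
    # Collapse vendor spelling differences to the operator's first word so that
    # "Orange CI" and "Orange Cote d'Ivoire" count as agreeing on the ISP.
    return isp.lower().split()[0]


def reconcile(responses, torrent_records=0, torrent_threshold=50):
    """Summarise agreement across providers and return a confidence label.

    torrent_records: number of torrent entries seen for the IP (constructed);
    torrent_threshold: assumed cutoff above which the history looks like a
    shared egress rather than a single home user.
    """
    counters = {
        "country": Counter(r["country"] for r in responses.values()),
        "city": Counter(r["city"] for r in responses.values()),
        "isp": Counter(normalize_isp(r["isp"]) for r in responses.values()),
    }
    # Majority value per field; fields where providers differ are listed separately.
    consensus = {field: c.most_common(1)[0][0] for field, c in counters.items()}
    disagreements = sorted(field for field, c in counters.items() if len(c) > 1)
    # Any provider flagging VPN/proxy/Tor is a strong reason to distrust the IP.
    anonymizer_flags = sorted(name for name, r in responses.items()
                              if r.get("is_vpn") or r.get("is_proxy") or r.get("is_tor"))
    heavy_torrent = torrent_records > torrent_threshold

    if anonymizer_flags or heavy_torrent:
        confidence = "low"
    elif disagreements:
        confidence = "medium"
    else:
        confidence = "high"
    return {"consensus": consensus, "disagreements": disagreements,
            "anonymizer_flags": anonymizer_flags,
            "heavy_torrent_history": heavy_torrent, "confidence": confidence}


if __name__ == "__main__":
    # Mirrors the post: all three tools agree, nothing flagged, a few torrents.
    print(reconcile(SAMPLE_RESPONSES, torrent_records=3))
```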

You may be saying to yourself, “That’s all great, Griffin, but it doesn’t get us any closer to identifying the person!” And you’d be right. Without a legal warrant or some kind of special access, it will not be possible to find the person behind this IP. Or is it?

You see, we have one “desperate move” left, and it’s our good old friend, data breaches. I call it a “desperate move” because in years of working with IP addresses it has only worked a few times, due to a number of factors such as addresses changing over time and the transition from IPv4 to IPv6, but it is still worth checking. As it turned out, this IP address appeared in a data leak, where it was linked to someone’s account. From here on, we’ll call the owner of this IP “PB”, based on the Name field in the screenshot below.

This is (potentially) great news! I say “potentially” because information like this should come with a lot of asterisks. First, in my situation, we can’t be sure this person is the one sitting at the keyboard. Second, we do not know whether the IP address obtained from the breach is still assigned to this person. The list goes on, but for now we’ll call “PB” a person of interest and see what happens.

Now we move on to the fun part: OSINT! We have an email address and a name to work with, and we want to know who this person is, what they do and where in the world they are.

Finding a foothold on this man’s online life was not easy at first, since on social media he does not use his (presumably real) name “PB” but something like “Bright Man.”

Here’s a little tip… I was able to find the person’s Facebook profile by letting Google do the work for me by creating a Google dork to view results indexed from Facebook that included parts of the name “PB” in the URL. Something like site:facebook.com “TERM1 AND TERM2”. You see, many Facebook users can sign up for an account using their full name and then change their display name to a new one, like Mr Bright Man did, but they never change the URL (yes, that’s a feature). So, if John Smith opens a Facebook account at facebook.com/john.smith, and then changes his name to Jethro Gibbs, then his URL remains the same. I can’t even count how many times I’ve found someone’s Facebook account just by trying firstname.lastname in the URL, try it sometime!

Okay, Mr. “Bright Man” is just a person of interest and quite possibly unrelated to the scam, so I’ll gloss over him, but I will say that he had quite a bit of online activity to look into.

I was also able to gather several phone numbers and email addresses from clues left in his online posts and videos, as well as geolocate his approximate location from several of his YouTube videos. So now I have a fair idea of who this person is, should it prove useful later.

As I study “Bright Man”, one question still burns in my mind: what is the scammer’s ultimate goal? It is clear that the scam is about money, but so far the worst thing they have tried to do is get a copy of my passport, address and phone number. Can they monetize that? Certainly. Is it more work than just getting me to somehow transfer money to them? Yes.

And then the answer finally arrives in my inbox. It’s a little small to read in the picture below, so let me just spoil the surprise for you… This is an advance fee scam. I am told that the account holding my $4.6 million is a “suspended account” that must be activated by paying a fee before they can release the full amount. I am given two options: (1) activate the account and claim the very significant accrued interest for a fee of $1,260, OR (2) activate the account and waive the accrued interest for a smaller fee of $860. Classic!

What money-hating idiot would give up hundreds of thousands of dollars in accumulated interest just to save $400 in fees? NOT THIS FUTURE MILLIONAIRE!!! Sign me up for that $1,260 fee right now, please and thank you very much!

So this is the end? Is this really all that was in the plan? Oh no. I’m not ready for it to end. Like Ted Lasso, I know that the end will come eventually, but I don’t allow myself to think that it’s over until the last moment. Goldfish Memory!

I’m going to make another attempt to get information from the scammers and see where it leads. Taking stock of what happened, I know they want me to send them money, I know they must have a way to get the money, and I know their banking information might give me more clues, so I press on. I’m ready to send money, just tell me where…

What a nightmare! Thomas Smith??? This just screams obvious fake.

But wait.

Don’t they expect me to send money to this account? That means they intend to receive it. There must be more to this than I thought. Maybe Thomas Smith is a real person? Maybe Thomas Smith is a victim too! You see, there is such a thing as a money mule: essentially an intermediary, usually not involved in the actual scam, who facilitates the movement of funds. In some cases they are deceived, in some they are coerced, and in some cases they may actually get a cut of the money for performing services such as cashing out and sending the balance elsewhere. (Work from home scams?)

I need a plan. Finding a Thomas Smith anywhere in the world will be impossible without some additional information, so I play the role of the helpless, bumbling victim in the hope of gaining something I can use to my advantage. I tell the scammer that my bank won’t let me transfer the money despite my best efforts, but I let them know that I have access to PayPal and Venmo, if only they are willing to provide an email address or phone number where I can reach them. But will they go for it?

More has been revealed! Let’s go find Mr. Smith and see what he’s all about. First, we’ll check his PayPal profile using the email search feature in the mobile app and see what comes up.

A face! It’s a start, and we still have the email address. If you’ve read my other blogs, you know how much I love the tool https://epieos.com for searching email accounts. In this case, I discovered that the email was associated with Thomas’ Google account and that Thomas had left several reviews for businesses in a fairly narrow geographic area.

Using the very common name Thomas and the names of some towns near where he reviewed the restaurants, I start using Facebook’s advanced search feature. Combining his name with the names of various cities, it doesn’t take long before I find an account with a face remarkably similar to the PayPal profile the scammer pointed me to.

Success!!! As I study Thomas’s life, I realize that he is most likely not a participant in an international wire fraud scheme, but rather an innocent victim. I would like to know his contact details or where he lives, as I intend to pass him on to the local authorities who can help him. I go back to his online life to gather more information. Looking for clues, I read many different business reviews Thomas has written and discover that one of them is about a church. This review makes me think that Thomas is very active in this church, and I wonder whether there are other photos or information about his life on their social media.

Bingo! I read further and find other posts that mention him. They describe his biography and list his family members, including his wife, by name. This information is more than enough for me to go to people search sites, for example https://truepeoplesearch.com, and start looking for addresses. I find an address that seems current, but to be sure, I Google the county GIS portal to find property tax information for that address. You’d be surprised how many US counties have similar sites and search capabilities.

Just what I was hoping for. Thomas and his wife are still listed as owners, and using people search sites I was able to gather information about them as well as find additional social media accounts. This information is more than enough for someone to contact Thomas and help him get out of a situation he may be stuck in. Unfortunately, elder scams are quite common and often cause enormous damage to victims, who can unwittingly lose large sums of money in a short period of time before they even realize anything is wrong. I hope for a happy ending to this story, that someone will be able to help Thomas, and I know exactly the people who can do this.

My findings were compiled into a report, and although I never proved that Bright Man was behind the scam, I provided the authorities with more than enough information to demonstrate what was happening and get them to at least help Thomas. All of this was passed to a friend at a US agency that deals with exactly these crimes, who happened to have a colleague and friend right in Thomas’s area who could follow up.

Wow, what a journey it has been! By playing the role of a clueless victim, I was able to take a simple scam email, obtain potentially identifying information about a person or people on the other side of the world, use OSINT to gather a significant amount of information about the person of interest, and, most importantly, identify and reach a likely victim who may have really needed help. I’d say overall this is a pretty impressive result!

Thank you for reading to the end. I hope you enjoyed this story, perhaps learned something new, and most importantly came to understand the dangers lurking on the Internet a little better.
