by Griffin Glynn, My OSINT Training
Two years ago, I received an email to my business that landed directly in my spam folder, as it should have. It was a scam so old it has become cliché in much of the world. The overseas millionaire, perhaps a prince, or in this case, a rich and dead businessman whose living proxy miraculously plucked me from the masses of all the email-owning people on earth to be the sole beneficiary of an oddly specific fortune! What luck!
Despite the fact I can’t even conjure up enough luck to win the monthly business card raffle at my local Subway restaurant, it looked like things were finally turning around for me! Then again, have you ever wondered who’s on the other side of one of these emails?
Well, I did. And although it seemed like an impossible feat at the time, I decided to take a swing at exposing the fraudster on the other end of the line and see what kind of end game they had in mind for me. What resulted was a wild open-source intelligence (OSINT) and social-engineering ride I’ll never forget.
To start, I wanted to elicit information from the scammer that would help me identify them in real life. To do that, I had to think about the kinds of people the scammer had engaged when they were successful. Not very savvy? Perhaps unwise about technology? Maybe greedy? I definitely needed to play a role to accomplish my goal, so I figured the more I acted like someone they’ve encountered among prior victims, the more likely I’d draw something out of them.
First Steps
Although I was pretty certain I was dealing with a freshly created throw-away email address, I couldn’t assume they didn’t make a mistake, so I checked all the usual boxes to start. I ran the email through breach data tools https://haveibeenpwned.com, https://emailrep.io and Google.com, and checked the username portion in https://whatsmyname.app, etc. If you’ve spent any time doing OSINT work, you know these angles quite well.
All of that was a bust, as expected, which meant I needed to start active engagement. So, I fired up the virtual machine, opened a sock-puppet Gmail, and got to work. I wasn’t going to email them back from my work account and expose anything about me, so I used my favorite alias: Tommy Gemcity. This was my email:
Hello Mrs. Raphael,
I received your email at my business regarding the passing of your husband and your desire to donate to an honest person. I can’t say thank you enough for your offer of generosity! I hope we can connect soon and I am sorry to hear you may be in poor health.
Sincerely,
Tommy Gemon
President, The Treasure Hunter’s Club
I cold-emailed them from a new account they’d never seen before, but considering I was sure they’d spammed countless email addresses in their quest for a victim, I doubted they’d notice—and I was right. In my email signature, I also took a stab at (harmlessly) phishing them back by including a link in case The Treasure Hunter’s Club sounded interesting enough to click. If it did, their IP address would be instantaneously captured before they were redirected to a completely normal and harmless website I’d pre-programmed to be the final destination.
I’ll admit I started out a bit greedy here, and our adversary was too wise to click on my tricky signature link.
Scammer Responds
After a few days, I received a reply with good news! All they needed to transfer my millions was my full name, address, phone number, and a copy of my passport or ID. Amazing!
However, I pretended to get cold feet and replied that I was “wary of giving too much personal information online.” I was hoping my need for reassurance would result in the scammer giving me something I could work with. In their reply, the scammer said, “I’m glad you’re wary of giving out your information, it assured me that you will not misuse this funds when you receive it.” The email included two “official” documents (See the Attestation and Official Deposit Certificate in Figure 1) as attachments to prove that “everything is legal and risk free.”
Figure 1: “Official” documents emailed by the scammer to the author.
I’m no bank fraud investigator, but I could tell these documents were “authentic” because they used at least six different fonts. And while I’d never actually seen what kind of paperwork you have to do when you drop that kind of coin in the bank, I definitely imagined there’d be lots of stamps and signatures, so check and check! Looked good to me! [Eye Roll].
The scammers were still waiting for my personal information, so I obliged by providing them with the address and phone number for the largest apartment complex in the United States. I also included a link that would take them directly to a web page of Google files, while conveniently grabbing whatever IP address they might have been using at the time.
I was also starting to really wonder about their end game. It couldn’t just be simple identity theft, could it?
In their reply, the scammer provided the name of the bank they were supposedly using to transfer my funds and included a much more official sounding email address. This was followed by multiple email exchanges of them assuring me they were ready to transfer the money but just needed my ID photo, and me fumbling through various reasons why I couldn’t manage to attach a simple JPG to my email—all the while trying to keep them on the line to expose something useful.
Unexpected Progress
In the meantime, something amazing happened … they clicked my email link!
Suddenly, I had an IP address to work with, though I wasn’t holding my breath it would be someone’s actual IP rather than one of the zillions of easily accessible VPN IPs available to literally anyone with even the slightest ability to Google. Still, it was worth checking.
I could see that the internet service provider (ISP) was Orange from the Ivory Coast area in Africa. I checked it using several tools like https://maxmind.com, https://ipinfo.io and https://dnslytics.com to see what they could tell me. All said Orange was the ISP, with a general area of Abidjan in Côte d’Ivoire, and I could also see it was negative for VPN/proxy/Tor/relay. It looked really promising!
Another tool I like to use when looking at someone’s IP is a site called https://iknowwhatyoudownload.com, which checks for torrent downloads and distributions. In many parts of the world, this is still popular, and while it might not offer me any value in terms of identifying someone, I can use it to get a sense of whether an IP might be from a VPN or not by looking at the volume. Many VPN IPs will reveal a very long list of torrents (often X-rated) that are more than a typical household would consume on its own. In this case, the IP in question had just a handful of results for some TV shows, not what I would expect from a commercial VPN IP.
You might be thinking, “All of this is great, Griffin, but it’s not getting us any closer to identifying someone!” You’re right. Without a legal order or some kind of special access, finding the person behind that IP isn’t going to happen. Or is it?
You see, we had one Hail Mary left to throw, and it’s our old friend breach data. I call it a Hail Mary because it had worked for me with IPs only a handful of times over the years, partly because IP addresses change hands so often and partly because of the move from IPv4 to IPv6. Still, it was worth checking, and as it turned out, this IP address had been part of a data breach, and it was connected to someone’s account whose initials were “PB.”
This was (potentially) great news. I say potentially because there are a ton of asterisks that should accompany information like this. For one, it didn’t put this person behind the keyboard in my situation. For another, we didn’t know if this IP address from the breach was still with this person. The list goes on, but it was worth pursuing to see where things would go.
Enter OSINT
Now, we get to the fun part—OSINT! We were working with an email and a name, and wanted to see who this person was, what they’re about, and where they were in the world. Finding a foothold was a challenge at first because they didn’t go by their (presumed real) name on social media handles. Instead, they went by a version of what I’ll call “Bright Man.”
Here’s a tip: I was able to locate a Facebook profile for this person by letting Google do the work for me, creating a Google dork (advanced search technique) to view results indexed specifically from Facebook that included parts of the “PB” name in the URL. Something along the lines of: site:facebook.com “TERM1” AND “TERM2”. You see, a lot of Facebook users may start with an account using their full name, then adjust the display name to something new like Mr. Bright Man did but never change the URL (yes, that’s a feature). So, when John Smith starts a Facebook account at facebook.com/john.smith and then changes his display name to Jethro Gibbs, well, his URL will remain unchanged. I can’t count the number of times I’ve found someone’s Facebook account just by trying firstname.lastname in the URL. Try it sometime!
OK, so Mr. Bright Man was merely a person of interest, but he had quite an online presence to explore. I was also able to gather several phone numbers and email addresses from clues left in his online posts and videos, as well as determine roughly where he lived by geolocating a few of his YouTube videos. So, now I had a decent handle on who this person was, should that become helpful down the road.
End Game Revealed
While I was researching Mr. Bright Man, there was still one question burning in my brain: What was the scammer’s end game? Obviously, scams are for money, but so far, the worst thing they had tried to do was get a copy of my passport, address and phone number. Could they monetize that? Sure. Is it more work than just getting me to send them money somehow? Yup.
Then, finally, the answer arrived in my inbox. It was an advance fee scam. The scammer advised me that the account holding my $4.6 million was a “suspense account,” which required reactivation by way of paying a fee before they would be able to release the full funds. I was offered two options: 1) reactivate the account and claim the substantial interest accrued for the fee of $1,260, or 2) reactivate the account and forego the accrued interest for a smaller fee of $860. Classic!
What kind of money-hating idiot would turn down hundreds of thousands of dollars in accrued interest just to save $400 on fees? NOT THIS SOON-TO-BE MILLIONAIRE! Sign me up for that $1,260 fee right away, please, and thank you very much!
Pressing Onward
Was this really all there was? Well, no. I wasn’t ready for it to be over. I decided to take one more stab at getting information from the scammers, so I assessed what had occurred. I knew they wanted me to send them money; I knew they must have a way to get that money; and I knew that their banking information may reveal new clues for me.
The next email I received from the “bank” advised me I could transfer my funds to the account number they had given me for someone named Thomas Smith. Though I initially presumed the commonness of this person’s name meant it was fake, the scammer was expecting me to send money, which meant they intended to receive it. I started to think Thomas Smith could be a real person, and perhaps he was a victim as well!
You see, there’s this thing called a money mule, essentially a middle person usually uninvolved in the actual scam who facilitates the movement of the funds involved. In some cases, they are tricked, in some cases coerced, and in other cases, they may actually get a cut of the money for performing services like cashing out and sending the balance elsewhere.
I needed a plan. Finding a Thomas Smith somewhere in the world was going to be impossible without further information, so I played the helpless, bumbling victim. I told the scammer my bank wouldn’t allow me to transfer the money despite my best efforts, but I also let them know I could use PayPal or Venmo instead if they’d be willing to provide an email address or a phone number for me to look up their account.
As requested, they sent me an email address for PayPal, which I used to search the mobile app for a matching profile, and I got a hit that included a picture of Smith’s face. I also ran the email through one of my favorite tools, https://epieos.com, which indicated the email was connected to a Google account for Smith that had been used to leave several business reviews in a fairly tight geographic area.
Armed with that information, I used the advanced search feature on Facebook, combining his name with various town names near where he’d left his restaurant reviews, to find an account with a face that looked remarkably similar to the PayPal profile. Success!
Who Is Thomas Smith?
As I looked into Smith’s life, he didn’t seem like someone who would be wrapped up in an international wire fraud scheme. Instead, he was most likely an innocent victim, either being preyed upon or compromised in some way. At this point, I wanted to locate his contact information or residence because I had every intention of passing him along to local authorities who could help him.
Gathering more information, I read his many different business reviews looking for clues, and I discovered one for a church. This review led me to believe Smith was very active at this church, so I looked to see if the church’s social media had any photos or information about him.
Bingo! I found posts mentioning him, explaining his background and listing his family members, including his wife by name. This was more than enough information to use people-search sites like https://truepeoplesearch.com to research addresses. I located an address that appeared to be current, but just to be sure, I searched the county geographic information system (GIS) portal for property tax information. You’d be surprised how many U.S. counties have these kinds of sites and searches available.
As I’d hoped, Smith and his wife were still listed on the property, and via the people-search sites, I was able to gather more information on them including additional social media. It was more than enough information for someone to contact Smith and help him out of the unfortunate situation he appeared to be in.
Elder scams are sadly quite prevalent. They can be extremely detrimental to victims who can quickly and unwittingly lose large sums of money before realizing something isn’t right. Thus, I hoped there could be a happy ending here for Smith.
I packaged my findings into a report, and despite never actually proving that Bright Man was behind the scam, I provided more than enough information to the authorities to demonstrate what was occurring and compel them to at least help Smith. This was all delivered to a friend at a U.S. agency that deals specifically with these types of crimes and who happened to have a fellow agent and friend in Smith’s area who would follow up.
Final Thoughts
Wow, what a journey that was! By playing the part of a clueless victim, I was able to take a run-of-the-mill scam email and elicit potentially identifiable information from a person or persons halfway around the world. By using OSINT, I was able to identify and put together a significant amount of intelligence on a person of interest, leading authorities to a likely victim who may have really needed help. All in all, I’d say that’s a pretty impressive result!
Thanks for sticking with me until the end. I hope you enjoyed the story and perhaps picked up a few investigative tips along the way.
About the Author
Griffin Glynn is the co-owner of My OSINT Training and a recognized expert in the world of open-source intelligence (OSINT). With more than 20 years of investigative experience, he leverages OSINT to assist law enforcement on cases of missing, exploited and trafficked children through his work at the National Child Protection Task Force. Griffin participates in the online OSINT community under the moniker hatless1der.