Discovery of information about a phisher through OSINT

Julien
14 min readApr 25, 2024

--

In a forgotten corner of cyberspace, nestled among a multitude of email addresses, resided an abandoned mailbox. It was a veritable digital sanctuary where only spam and unsolicited promotions found refuge. I had created this address in the past to shield myself from the incessant assaults of companies eager for my contact. I bestowed upon it the status of a trash mailbox, a place where no communication of importance seemed to emerge. But what I was unaware of was that this mailbox would become the stage for phishing attempts against me, conducted by individuals not always very skilled.

Is it possible to find personal elements about the identity of our phishers? This is the subject of the investigation I conducted without pretension, for purely didactic purposes, both for myself as an OSINT enthusiast and, as I write these lines, also for you.

To start my investigation, I chose an old phishing email written in French, promising me the jackpot on the Amazon e-commerce site. I received it in January 2021 (we are in April 2024 when I conducted the investigation and wrote these words).

Here is the email received on 11/01/2021 with high importance.
View of my inbox:

From: amazfr EXT: YOUR 2021 GIFT — CONGRATULATIONS YOUR AMAZON GIFT IS FINALLY HERE

Content of the email once opened :

Content of the email

First, I wondered what I was going to do with all that money 🥴, and secondly, why was this guy sending me a phishing email pretending to be from Amazon, using a Gmail address, and all this via a Spanish-speaking student address at omnicrosft.com? Was he trying to spoof the Gmail?

That’s the track I considered most likely. Especially when I checked and found out that in reality, that address didn’t even exist…

The email is invalid

Even though this address doesn’t exist according to several free email address validators, I’m quite surprised (not) to see that it’s the star of online scam social networks!

Bro is famous

As we can see, a simple search of the email address on Google indexes several complaints on scam reporting sites. Complaints are found in French, Italian, English, and German.

I then became interested in the characteristic word before its “@gmail.com”. A word neither too common nor too random so that, based on my experience, it could resemble a pseudonym.

To give you an example :

  • it’s not computer@gmail.com => too common

and,

  • it’s not idezad8Jjpfwld@gmail.com => not common enough / too random

but rather,

  • senageterjo@gmail.com (I generated this word with an online tool, it’s not really the email of the malicious person)

Let’s check if it’s a pseudonym :

To do this, I whipped out a magical tool : Blackbird

No, not that one… 🐦

More like this one 🚀

To continue the investigation, I had to position myself right here (that’s not true, I just launched an online tool)

Well, after using this wonderful tool (thanks to p1ngul1n0 if you’re reading this), I found some stuff around what I considered to be a pseudonym :

Freelancer Account

Firstly, a page on a relatively unknown Freelancer social network, but as old as the world. I noted a city and a country.

YouTube Account

Next, I found a page of a YouTube account, with: a first name, a last name, a photo of a person, and our famous pseudonym behind the @.

Lastly, the tool identifies a Snapchat account :

Snapchat Account

The information associated with the Snapchat account includes : a first name, a last name, an avatar, and obviously the pseudonym we’re researching. They all match the YouTube account. For now, nothing illogical, but I’m taking note.

The initial word before the @ of the malicious Gmail account was indeed a pseudonym. After digging around, I only noted one use of this username, always by the same person.

So, I decide to search for this famous person on Google in the following way: first “First Name Last Name” then “Last Name First Name”.

The objective is twofold:

- find information enabling pivot
- find correlations that would support the idea that this person is behind our phishing email

Searching for this person quickly yields several results.

Firstly, his Facebook account, containing his city, new photos of him, and information indicating that he started working “On his own”.

Facebook Page

I also find a page where this person is registered with his first and last name. It’s a website for question/answers on computer programming called Stack Overflow.

He was answering a question about an error in availability and misconfiguration on the Office365 SMTP service, providing a configuration tip.

Response from our guy on Stack Overflow

His LinkedIn account is also identifiable.

I noted several interesting things there. Firstly, location information (province — city — country). Then, his status as an entrepreneur. Next, I observe in the Info section, a bunch of keywords related to IT, programming, mail server configuration, mail design and coding, automation, e-mailing web campaigns, and self-declared skills in WordPress.

Digging deeper, I found an old post (written 6 years ago), where he offered his email traffic services to German companies interested in marketing purposes. This may explain some complaints from Germans on online scam reporting sites.

This individual must possess a large number of email addresses from people. So, I tried to find out more.

After scouring through some old web pages where his name was indexed, I didn’t find any additional elements. So, I turned to social networks that are not indexed on the clear web.

Having already discovered his Snapchat account linked to the word from the Gmail address from which I received the phishing email, an intuition urged me to take another look at Snap. So, I reversed the process of searching for his First Name + Last Name on Snap and found an occurrence.

Reversing the search process on Snapchat using First Name + Last Name

This second Snap account of our individual brought me a crucial piece of information: a new pseudonym. The pivot can then begin.

Let’s bring out our magical tool: Blackbird!

I then find his pseudonym on a hacking, cracking, & leak forum. His account there is permanently banned. He regularly responded to leak or hacking tips posts, almost every time asking if the leak or tip still worked.

His permanently banned creacked.io account (left) and his responses to illicit posts (right)

A 10-year-old interpals account updated 3 years ago. Some of his photos are the same as on his Facebook wall, others are new. These photos allow me to confirm that he is indeed the person linked to the initial elements, and not a namesake. I also note an age (which remains declarative for now).

Individual’s Interpals Account

I also found a Pastebin account and didn’t note anything interesting there, although he could have used it for leak retrieval.

Individual’s Pastebin Account

The same goes for his Github account, which didn’t yield anything interesting for me.

The same for his Mixcloud account (music), where his musical tastes couldn’t provide any additional information for the investigation.

Individual’s Mixcloud Account

However, a curious element catches my attention. I find his pseudonym on the web page of the cyber threat group Turk Hack Team, to which he allegedly joined in the early 2010s as a “participant”.

Turk Hack Team website with mention of our interested party’s pseudonym as a participant since the early 2010s

Knowing the presence of this threat group on Telegram, I check my target’s pseudonym within the pirate group. No results.

I then expand my search on Telegram (as part of my CTI activities, I already monitor several groups, which helps). And there, bingo, I find, as of 2020, the digital footprint of our interested party’s pseudonym (whose account is deleted) within a channel for sharing & selling data leaks and illegal website intrusions using this retrieved data.

Telegram channel where our individual’s pseudonym is mentioned

After painstakingly tracing several of his messages (deleted account), I noted and translated them. Since the group was Russian-speaking, our interested party communicated in Russian. Here are some of his messages posted in the Telegram group in early 2020 :

  • I can sell origins if anyone needs them.
  • Guys, are there any scammers in Saint Petersburg? I need to find a bastard for $$.
  • I have an account with a new batch.
  • I’m offering my database of accounts, over 5k, already verified accounts.
  • This account got deleted to hide the ID block. Damn scammers, may they burn in hell. By the way, who wants to buy bitcoins 1 ruble for 1000 bits xD.
  • Hey. Have a lot of people worked with Private Keeper? Why does it say “damaged” on all the projects. I’m already waiting for the 15th project, I only started learning it today.
  • What’s this? A link? I have a dedicated server more expensive than the license, why skimp on it? But it doesn’t work with the projects I’ve launched, no matter how hard I try.
  • My eyes are still lost among the buttons. Send me at least one project, I’ll check it. Public? Okay, I don’t know yet.
  • What are these prices? I sell them for 8.5 each. I’ll buy valid MYR. Hey.
  • I’m selling valid Instagram requests, 30k. Send a private message. I can sell a mega +4k.
  • Guys, how can I retrieve passwords in Firefox Thunderbird and extract them?
  • I’m looking for data for Canada, anyone selling? A
  • re there currently effective programs for Amazon, eBay, Walmart, etc.?
  • I’m looking for someone who sells Canadian data. Who knows how to restore accounts from logs?
  • Guys, who wants private stealer logs. P.S. Free. Lots of logs.
  • Who wants private Steam logs ❤️ for free, I’ll give 30–40 logs for 100 rubles, clean. Urgent.

As you can see, all of this is better than Marcel Proust! 😍 (famous French writer for those who might not get the reference…)

Another search on the subject of our interested party’s pseudonym lands me on an article from Microsoft (dated: early 2010s) where a backdoor was communicating with several domains and ports. Our interested party’s pseudonym was part of the domains contacted by this infamous backdoor.

Well, here I admit I’ve hidden quite a few elements from the Microsoft article, but it’s worth considering that among this list of domains and ports lies one domain composed of our interested party’s pseudonym.

In the pursuit of this second pseudonym, I finally have some news. I find a link to pbase, a website for publishing photos online. Our artist had posted some photos of his city in Morocco there.

The artistic soul of our individual (I know, you can’t enjoy it) accompanied by an interesting tidbit at the bottom.

After getting my fill of landscapes (well, mostly metadata analysis tools, which didn’t teach me much), I spot a little gift at the bottom: his email. Obviously not the one he uses to send out the Amazon jackpots, but his personal email. I make a note of it.

Another search on the pseudonym leads me to something even more interesting: a new pirate site. On this site, BreachForum, a mysterious individual had deposited in mid-2023 a database leaked in March 2021 from another pirate site named Carding Mafia. (That’s a lot of pirates 🏴‍☠️).

Mid-2023 deposit of a Carding Mafia DB leaked by an anonymous individual

And, in this deposited database, we found our individual’s famous pseudonym associated with a new email belonging to him. He sure has a lot of emails! (I’m not done with my surprises yet). This email is quite suggestive. Just to give you an idea, it looks something like this: data-sales@****.com.

It’s also worth noting that I found his phone number and home address on the Moroccan Yellow Pages by searching for his “first name + last name”.

Moroccan Yellow Pages

I also found his Instagram account. Actually, it’s one of the few currently active social media accounts I found for him. I note his date of birth, skills as a “white hat” or even as an “affiliate marketer” that he displays in his bio.

His active Instagram account

Finally, I found two old Twitter/X accounts of our “White hat”.

On the first account, there’s only one tweet from 2012 where he invited us to click on the link to a WordPress plugin. In November of the same year, a non-profit organization in computer security warned that this plugin was vulnerable to a SQL injection attack.

His 2012 tweet with a link to a vulnerable WordPress plugin

Using his first and last name, I then bounce to a second Twitter/X account belonging to him. I note a new pseudonym (the third one so far), previously unknown, and following several cryptocurrency accounts, including BTC-E.

His second Twitter/X account

A Blackbird search on this new pseudonym leads me to new elements.

Firstly, a Pinterest page (photo sharing) with a link in the bio.

Pinterest page linked to the 3rd pseudonym

An online analysis of the link quickly tells me that it’s not friendly to those who click on it.

Analysis report of the link found on the Pinterest account

Finally, I find our friend’s account on the ImageShack website (an image host). And the two images on his account are quite interesting!

Images contained on the ImageShack account

The metadata analysis of his profile picture indicates a date: 2013. The metadata analysis of the GIF doesn’t inform me of anything particular, except that it has the specifications (size and weight) to fit into the body of an email. Furthermore, the site indicates that the GIF below was imported in 2019.

Amazon GIF — Spin the wheel, it’s super fun! (for the person who owns the wheel, of course)

By the way, don’t we already know this famous $50 Amazon giveaway game? Oh yes!

GIF hosted by pseudonym 3 on ImageShack on the left (2019) vs Image received in the phishing email (2021):

Started from the bottom, now we’re here

Furthermore, I note that our “white hat” now hosts his images on a new site: zupimages.

He also takes care to write in very small font under each of his emails (English, French, German, etc.) “amazon does not sponsor or endorse this ad” (legal precaution?).

Is the pirate absolving himself?

While searching for an occurrence of this phrase, I come across the GitHub repository of a Cisco developer reporting in a file named in Latin “Text cisty homo fraudis,” which could be translated as “Text about the pure fraud of man,” a bunch of phrases relating to a fraud context.

Text cisty homo fraudis
“In this message, be vigilant. Similar messages have already been used as a means to steal personal information. If you don’t trust the sender, don’t click on the links or reply by providing personal information.”

So, I refocused on his emails. Remember, I identified 3 belonging to him. The first one he uses for his phishing campaigns (@gmail), the second one found (and indexed) in a data leak of people registered on the pirate forum Carding Mafia, and the third obtained from the photography blog.

To do this, I simply checked websites that anyone can access to verify if their personal data has been compromised as a result of data breaches. (“Have I Been Pwned?”, “Intelligence X”, and Telegram).

With the first email (phishing), I identify a password. Typing this password into the search engine leads me to 2 new emails linked to the same pseudonym. I also note them down.

His second email (Carding Mafia) leads me to find 4 leaked passwords, which didn’t teach me anything new.

His third email (photographs of his city) is more interesting. Firstly, because it’s one of his personal emails. Then, because I identify 6 leaked passwords on this single email. Out of these 6 passwords, 4 allowed me to pivot to new emails, the other two are none other than… the pseudonyms we found during our investigation. The first pseudonym is the word before his phishing gmail address (the subject of my investigation) and the second is the username he uses almost everywhere, which allowed us to find so many elements belonging to him.

I found other emails belonging to him, and by pivoting around these new emails, I found more passwords. After pivoting extensively around his passwords and emails: I identified a total of 23 emails, 57 passwords (including 37 unique ones), and 6 pseudonyms belonging to him.

The various digital identities found about our “white hat”

Thus, I note a faulty OPSEC from our apprentice sorcerer, due to:
-> A grotesque reuse of his passwords on several of his emails. He often adds a special character to a password reuse.
-> Passwords mostly very short, or linked to other accounts or pseudonyms belonging to him.

It’s also interesting to observe where these data leaks come from. These sources allow us to learn more about the person’s profile. In our case, the leaks reported by online databases came from several popular hacking forums (hackforum, breachforum, blackhatworld, cracked.io) but also from LinkedIn, Twitter, Deezer, or even electronic wallet or cryptocurrency services, and even a dating site.

In this regard, I found two matches on his date of birth (day-month-year) between different emails from various data leaks: a dating site (left) and a cryptocurrency service site (right). The same one he mentioned on his Instagram.

Information about his date of birth

One of his emails (gmail) caught my attention. The Epios tool allows me to learn that this email underwent a data leak in 2017 from the Onliner Spambot website. This could potentially be the address he registered with on the platform to spam his massive phishing actions.

Analysis of one of the Gmail accounts by Epios

Additionally, two of his email addresses had their passwords leaked from the same database of the BTC-E website.

The first email address is pseudonymized. The second one is in his name. The password used for these two addresses is the same, and it was also one of his usernames…

One of the sources of the leaks is the cryptocurrency site BTC-E.

It is highly probable that he used the first “anonymous” email (gmail) as a receiver / storer of the fraudulently obtained sums during his scams (or even as a payer of sums for the purchase of leaks) before transferring them to his real BTC-E account, on his second email address (hotmail) where he is registered on this site with his personal identity.

Summary of the personal information identified about the person who attempted to phish me 🎣

Name
First name
Date of birth
Occupation and company
Phone number
Home address
23 email addresses
57 passwords (37 unique)
6 pseudonyms
12 social networks

Finally, I mapped the most important elements using the osintracker mapping tool.

Mapping of the most essential elements for the investigation on Osintracker

Tools & methods used :

Google (dorking)
Epios https://epieos.com/
Sherlock (username) https://github.com/sherlock-project/sherlock
Blackbird (username) https://github.com/p1ngul1n0/blackbird
Telegram, Instagram, Snapchat (social networks)
Exif tool (image metadata) https://exif.tools/
Have I Been Pwned?, Intelligence X (leaks database)
Osintracker (mapping) https://www.osintracker.com/

Thank you for reading!

--

--

Responses (1)