OSINT vs Fraudster

Hey, guys

how are you doing?

Last year there was a situation where a guy tried to get my money by stealing my credentials for a payment service using a phishing mail, and after he noticed it didn’t work he tried to social engineer me.

With this topic, I want to show you guys how important and dangerous OSINT can be in real-life situations.

Phishing mail

At that time I was selling my car. All of a sudden I got a (well-configured) email linking to a fake PayPal that I almost used. I stopped because its design was a little bit too pixelated. So I deleted this email and waited for a real sale.

Sorry that I don’t have a screenshot of the content of it.

Social Engineering

A day later the same email address contacted me again.

Mario peer ***************@gmail.com

I just received an email from PayPal that Legal action will be taken on you at any moment from now, why did you fail to make the transfer of information to the shipping agency and your inability to convey this money means that you will have a problem with them and they know how you are going to track you down.
I want you to understand that all your money has been deducted from my account and waiting to be transferred and activated on your account, but you must first send the fee and return shipping agency in responding to the PayPal confirmation email from them with the GT you have received obtained by money gram, after you must have sent the charge carrier. I hope you understand better now and I hope you can go ahead and make the transfer if you do not want Problem. Here PayPal is the information of the information carrier, once again, where you are going to send the shipping fee below. check your spam email and junk for the confirmation from PayPal.

Name: Wale Joseph
State: Oyo
City: Ibadan
Zip: 23402
Country: Nigeria

Here is the information you will need to send to me as soon as you get it done.
Receiver’s Name
Money Gram, Receipt
Reference
Amount Sent.
Await your response
I will be waiting to read from you regarding the transaction.

Nice doing business with you

The things I didn’t like in this email:

  1. Location
  2. Name
  3. Already paid???
  4. “if you do not want problem” - really?

Okay man. So here I wanted to show this fraudster who really does have a problem now.

The Counter

So I followed the PayPal link. It redirected me to his domain. I also took a look at his Gmail account. There I found interesting information which I used to do some OSINT.

At some point, I found out what this guy looks like. Here is our guy:

< his picture >

After searching a little more I was really surprised…
This dude already has his own house!

< picture of his house >

I found almost everything about him. Here is the small list of the things I found after 4 hours of OSINT:

Name: Galih *********
Birthday: *****************
Location: J*******, Indonesia (West-******** (Province))
Home: *************** V no.******* J*******, *******************.
Pictures:

  • <link1>
  • <link2>
  • <link3>
  • <link4>
  • <link5>

Accounts:
Gmail: **************************************
Twitter: **************************************
LinkedIn: ************************************** (since March 201*)
Instagram: **************************************
YouTube: **************************************
Facebook: **************************************
Twiblue: **************************************
Soundcloud: **************************************
Userscripts-mirror: **************************************
Blog: **************************************
Site: **************************************

Shop: **************************************
Location: ***************** II No. **** Duren Sawit *********************.

Phone:

  • (021) 8*** ****
  • (021) 8*** ****

Whatsapp:

  • 0812 **** ****
  • 0812 **** ****

Jobs:
20** - now: Computering and networking technical by ********************* (SEO Specialist)
20**–20**: ******************
20**–20**: ******************************
20**–20**: *****************
20**–20**: **********************

Group: *********** ************* User Group
since DD.MM.YYYY
<link>

Activities: *********** Festival as DJ <date>
<link>

So at this moment, I knew who he was. I replied to his email. And here is how the conversation ends:

Cry0l1t3:

Dear Mario Peer (Galih *******),

sorry that I didn’t complete the transfer. I have to work a lot. So I want to apologize and tell you that you have a nice Shop (www.lo********.com) in *************** II No. 62 Duren Sawit - *********. I am very interested in the articles that you sell. I also like DJ stuff and the Pioneer DDJ-RZX mixing desk. I paid roundabout 3.000€ for it too. Not to forget the number 57 is my lucky number. I also have 4 trees in my garden. What are the odds! You’re a really likeable guy. But I am desperately disappointed by you. You should be answerable for this kind act with really good liberally bounty to me. My Mixing desk is broken and I want to buy a new one.

I hope you are happy with my answer.

Have a nice day

Sincerely

Galih:

The payment has been made and the money has been deducted from my account and it’s on its way into your account but the money would be pending until you have sent the sum of 400 Eur through Money Gram to the address of the shipper giving to you so that they can come for the pickup and then send the necessary money gram information to pay pal for Verification. . You should understand what I mean so kindly bear with me. Once the money gram information is received from you, the sum of 4,930 Eur would be released into your account. Get to mail me back soon.

Thanks

Cry0l1t3:

Sorry, I forgot to congratulate you on your past birthday at ************
How old did you turn? 20?
It’s a nice job position at ************* as SEO.

Good luck

Galih:

???

Cry0l1t3:

Your pictures:
<link>
<link>
<link>
<link>
<link>
<link>
Your girlfriend:
<link>
<link>
<link>
Your Shop:
<link>
<link>
<link>
Your friends:
<link>
<link>
<link>
<link>
Your family:
<link>
<link>
<link>
<link>
Your Accounts:
<link>
<link>
<link>
<link>
<link>
<link>
<link>
<link>
<link>
<link>
<link>
<link>
Your Career:

And so on. Unfortunately, I never heard from him again.

Please, make sure you know what you’re sharing.
Keep calm, guys.

23 Likes

Ahaha this is sweet justice.

If you’re going to try and scam people you should increase your opsec :smiley:

3 Likes

It’s really sad since a lot of people share their Skype usernames and sometimes use their email that’s connected to their Skype account. lol. Rather amusing.

That was sick :stuck_out_tongue: He got what he deserved. A bit weird though that he used his own Gmail account. Or was it not his own?

1 Like

Exactly, haha. Could be taken one.

It wasn’t his main Gmail account. But I found this one too. :smile:

2 Likes

Haha. This is great. You should post it on 419eater (it’s a site that baits scammers like this guy).

https://www.419eater.com/

Vengeance is a little harsh? @Cry0l1t3 should’ve ordered pizza to his house. :rofl:

3 Likes

This is amazing haha

I must say this “OSINT” power you mention comes with great responsibility. You can’t just do a bit of googling on some artifacts you found and then put a target sign on whatever comes out of your little research. This toxic behavior is a serious issue within the infosec community. We think that we are the 1337 guyz that can overpower them little silly fraudsters. While those “silly” fraudsters often use mature accounts (meaning accounts that are actually used by real people and have legitimate history & activity) in their fraud. I urge admins to be responsible and remove this post in case of false accusations against some innocent person. We don’t possess judiciary power; if you have reasonable doubt and evidence against someone, resort to actual LEAs rather than pulling out a postmodern inquisition here.

1 Like

I think that @Cry0l1t3 has removed enough PII to make this acceptable.

It’s not like he’s posted his full name and address with a full dox, it’s all redacted.

The funny thing really is the conversation he had with him, and how easy it was to do. I do not think from the evidence that the adversary here is particularly advanced, and I don’t think @Cry0l1t3 is setting up a witch-hunt of any sort. Thank you for voicing your opinion though, it’s so good to have people that can disagree and still be civil :smiley:

3 Likes

Sorry but I have to drop that line:
“Great power always comes with great responsibility.”

First off, thank you for inciting the disagreement. Free speech is among the most significant values a community can have. I hope I did not cross any lines or offend someone in my last comment.

I feel like I must elaborate on my thoughts, which seem like an overreaction :smiley:
I work in the field of cyber threat intelligence. You already know that attribution of cyber attacks is really, really hard and some even say that it’s impossible. That’s the APT side of the story, but unfortunately it doesn’t end there. Some part of my job involves tracking “underground” hacking/carding platforms and communities (yes, they also have communities :smiley: ) which are responsible for many of the cyber crimes conducted out there. Most of the time what I see is that these people’s technical skills are not particularly advanced. But they’re actually more clever than most of us have thought. Actually they cover the gap of technical shortcomings with their cleverness. Carders in particular use some of the most unconventional methods and countermeasures I’ve ever seen. I can give you some anecdotal examples, but I recommend you go and see for yourself. I’ve experienced first-hand that attribution, even in the simplest cases, can get really tricky and messy.

The second thing I would like to point out is that those photos of the guy and his house are considered PII even though his face is blurred. That’s because his friends and relatives can identify him even when the face is blurred, and that photo of his house may give away the exact location. I know this because my wife is a lawyer, but I’m from a different country, so laws are probably different yet similar.

1 Like

I really see what you mean. Attribution is absolutely woefully difficult.

And carding is another industry completely, there are so many facets to it. In fact, I know for a fact there are ex-carders who turned good in this community and have spoken at length about certain things.

From my perspective, it seems that this is just a normal Paypal scam, trying to get money rather than credit card details. I wonder if that would change the attribution thing at all? I don’t know.

I do definitely see what you’re saying. Perhaps it would be a good compromise to remove the picture of his house or perhaps the picture of himself completely? Maybe the logos on his t-shirt? What do you think?

@Cry0l1t3 any suggestions?

@Cry0l1t3 I know that you actually meant no harm. Although I still agree with the content of what I said, my tone in the first comment seems a bit aggressive. Sorry if I made you upset in any way :slight_smile: I just really don’t want this community to be affected by the industry’s toxicity (not that that’s what you’ve done here).

I believe removal of these would be necessary at least:

You see, most of them are already redacted, but if you assemble those pieces of information it gets easily traceable. I believe a couple of hours of OSINT work will be sufficient to back-trace this information.

1 Like

I think just stating the nature of the dox rather than the exact details might be a good point.

I’ll leave it to @Cry0l1t3 to make his own mind up on this for now. I’m sure there will be no problem.

Thanks @pry0cc.

Hey @hunter, don’t worry, there is no problem because of your opinion. Thanks for that, I appreciate it. The most important thing in the whole area of OSINT, I see, is that there are very few things we can talk about because of the facts you already said. At the moment I am working with lawyers in the area of InfoSec. They say that all information you share on the internet is publicly accessible and every user knows that and accepts it. So with this acceptance every user gives his permission to reuse his shared information. On this point we should ask ourselves: “why did he share this photo?”
My answer will be: “To let the people (on the internet) see that he was there.”
So he wanted people to see him. There is no violation in the reuse. The problem we are talking about is the connection I presented between him and criminal activities. Because what I did could be reputation damage. On the other hand, I can prove these activities if it is needed.

I know exactly what you meant and I am totally with you. With this post I just wanted to show and remind our community how powerful OSINT can be. I agree, I should have paid more attention to “retracking”. I removed the pictures to make sure there won’t be any problems with the PII.

Cya,
Cry0l1t3

2 Likes

I think the big problem that @hunter is highlighting, not sure if I’m missing the point here, is that some people purposely use fake information in order to mislead.

And so if attribution wasn’t accurate, you could be starting a witch-hunt on somebody that was completely innocent. It wouldn’t be the first time that somebody made a fake account using fake pictures and information.

Anyway - we got it all sorted so everybody is happy :slight_smile: I love this community :smiley:

2 Likes

Another thing we commonly encounter when tracking phishers/carders is that their domain is bought by a 3rd party (usually the owner of some amateur web hosting/SEO business) and the whois information leads to the business owner’s accounts and not the phisher himself.

I think I should point out that while the photos have been removed from the main post, the photo of the house still seems to be in the quote in @hunter’s comment.