Why don't you get a job? a.k.a Shutting down scammers
“Hello, is the Camera still available for purchase? Please contact me on: ….”
DISCLAIMER: The addresses and/or IPs might not be used by the scammer at the time of reading, so please don't do stupid stuff.
After listening to some good tunes from The Offspring I noticed that my phone had a new message notification. No number, it just said gabriela. It was a message about a device I was selling and, being in a German-speaking country, the message was written in German. I sent "Gabriela" a mail and from the start everything seemed legit: a lot of questions about the camera and a request for more pics, the usual deal when people want something shipped rather than picking it up personally. It all seemed fine, but then she mentioned that she is in a rehabilitation center after having gone through cancer treatment. Quite heart-wrenching, isn't it?
Knowing now that this was a scam attempt, we can see that they tried the good old "sad story trick" to make you feel bad and be a bit more cooperative and understanding. After two days of writing back and forth, I received a mail from her telling me that I should ship it and that her bank would transfer the funds once I sent them the shipping confirmation. This Gabriela smells so fishy I could almost taste tuna in my mouth.
I didn't want to include pics of the previous mails as they were in German and it would take too long to translate. The mails were written by someone with very good German skills and it was a highly targeted phishing scam. Two gems I received from her "bank" have to be truly appreciated though. It isn't the legendary Nigerian prince mail, but it sure as hell made me laugh a lot.
*First Mail*
*Second Mail*
Mandatory risky click of the day!
Let the games begin
We start by checking the mail headers from Gabriela and then the ones from the bank for the origin IP. This can be done by viewing the mail's source and looking for the `Received: from` lines in the header. We find 2603:10a6:800:120::16, which seems to be located in Chicago. The bank's mail came from 2603:10a6:800:4a::13, which also geolocates to Chicago and most likely belongs to the same provider.
As the data slowly accumulates we open Maltego and add the information we have gathered so far. Gabriela's stepson's information and another mail address which I found in a similar message were added. Additionally, I ran some of the transforms, which turned up further data such as the hosting provider.
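To make the header check concrete, here is a small Python script, added here as an example and not code from the original post, that pulls the `Received:` chain out of a raw message, collapses the folded lines, extracts the IP literals and walks the chain from the bottom up to the first globally routable address. The sample message is constructed: the hostnames are example.* placeholders, the receiving MX sits in a documentation range, the webmail client address is private, and only the middle hop reuses the IPv6 address quoted above. Keep in mind that only the hop added by your own provider is trustworthy; the lines beneath it were supplied by the sending side and can be forged, and an address that belongs to a large webmail or cloud provider identifies the provider, not the person typing.

```python
import email
import ipaddress
import re

# Constructed sample message, not one of the mails from the post.  The relay
# names are example.* hosts; the middle hop reuses the IPv6 address quoted in
# the post, while 192.0.2.10 (documentation range) and 10.0.0.5 (private)
# stand in for the receiving MX and the webmail client.
RAW_MAIL = b"""Received: from mx.example.net ([192.0.2.10]) by mail.example.org
\twith ESMTPS; Tue, 20 Aug 2019 10:00:00 +0000
Received: from webmail.example.com (2603:10a6:800:120::16) by mx.example.net
\twith ESMTP; Tue, 20 Aug 2019 09:59:58 +0000
Received: from [10.0.0.5] by webmail.example.com with HTTP;
\tTue, 20 Aug 2019 09:59:57 +0000
From: "Gabriela" <gabriela@example.com>
To: seller@example.org
Subject: Camera

Hello, is the camera still available?
"""


def received_hops(raw: bytes) -> list:
    """Return the Received: header values in header order.

    Each relay prepends its own line, so index 0 is the last hop (your own
    mail server) and the final element is the earliest hop the mail claims.
    Folded continuation lines are collapsed to single spaces.
    """
    msg = email.message_from_bytes(raw)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def ips_in_hop(hop: str) -> list:
    """Extract every IPv4/IPv6 literal from one Received: line.

    Tokens are split on whitespace and on the brackets/parentheses that
    usually surround addresses; anything ipaddress cannot parse (hostnames,
    dates, protocol names) is simply ignored.
    """
    found = []
    for token in re.split(r"[\s\[\]();,]+", hop):
        if token.startswith("IPv6:"):      # RFC 5321 address-literal form
            token = token[len("IPv6:"):]
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return found


def origin_candidate(raw: bytes):
    """Walk the hops from the earliest upward and return the first globally
    routable address, i.e. the most plausible origin of the message.

    Caveat: only the Received: line added by a server you trust is reliable;
    everything beneath it was supplied by the sending side and can be forged,
    so treat the result as a lead for further lookups, not as proof.
    """
    for hop in reversed(received_hops(raw)):
        for ip in ips_in_hop(hop):
            if ip.is_global:
                return ip
    return None


def hop_report(raw: bytes) -> list:
    """Summarise each hop as (position, address, kind), earliest hop first.

    'private' covers RFC 1918, link-local and documentation ranges, 'global'
    everything routable on the public internet.
    """
    report = []
    for position, hop in enumerate(reversed(received_hops(raw)), start=1):
        for ip in ips_in_hop(hop):
            kind = "global" if ip.is_global else "private"
            report.append((position, str(ip), kind))
    return report


if __name__ == "__main__":
    for position, address, kind in hop_report(RAW_MAIL):
        print(f"hop {position}: {address:<24} {kind}")
    print("origin candidate:", origin_candidate(RAW_MAIL))
```

Run it against a message saved as raw source (File > Save as .eml in most clients) by reading the file into `RAW_MAIL`; the report shows the private client address being skipped and the provider's address surfacing as the candidate, which is exactly the point where a WHOIS or geolocation lookup takes over.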
*Maltego makes gorgeous graphs*
Some time passed since they got an answer from me, so they sent me a message asking what's happening with the shipping: no kind regards, no friendly talk, just one harsh sentence. As I didn't want to tip them off, I hoped sending a quick reply with an IP logger link to the package tracking page would give me just what I needed. Best-case scenario, they are not using a VPN or Tor and we can find their location. I was lucky and they even clicked twice, but you can't make this stuff up... Of course they are scammers from Nigeria.
My next approach was to get the information about the address and the person I should send the camera to: Michael Dele Ager Avenue 14/6, Dagenham RM8 1EB, UK
Looks like a normal apartment building! It didn't turn out to be an abandoned house or anything similar, which might have led to something... that something hopefully being stupid scammers.
This might not have been a crazy story, but I feel happy to have made the internet a bit cleaner by taking one phishing site down! Besides that, I have explored some OSINT tools freely available to anyone with an internet connection.
A lot of thanks to BloodyValentine and PingOfDeath for proofreading and giving some good suggestions on what to look up.
https://whatismyipaddress.com/ip/ - Geolocation
http://whois.domaintools.com/ - WHOIS lookup site
https://www.paterva.com/buy/maltego-clients/maltego-ce.php - Maltego CE
https://www.shodan.io/ - IoT search engine
https://www.google.com/maps/ - Google maps and street-view
https://de.wikipedia.org/wiki/Header_(E-Mail) - what are email headers