Global Fraud Footprint

Practical open-source tips for tracking global scammers

Written by: Tim Harvey, CFE
Date: January 1, 2016
Read Time: 7 mins

Most frauds, of course, cross borders. In previous columns we've looked at romance scams, the 419 con and lottery fraud — all of which fraudsters still use to extract money from the vulnerable and gullible. Criminals perpetrate these frauds and many others using the Internet and mobile phones. In this issue, we look at some high-tech open source tools and resources to help fraud examiners track down scammers.

Your residence in the world often determines how much information you can easily and legitimately find. (For example, reverse-phone directory enquiries in the U.S. are commonplace, but they're illegal in the U.K.) Let's look at what's available online.

Martha's tale of artifact woe

So, in a hypothetical case, let's say a victim — we'll call her Martha — comes into your office and complains she's been scammed. Martha tells you she was surfing the web and came across www.lejitinvestments.com, the website for Lejit Investment. (I've concocted the company and domain name.) She tells you she contacted the site and then exchanged emails with a guy calling himself John Smith.

She says that after several email messages she gave him her mobile number. He called her and told her about an excellent investment opportunity in rare Peruvian artifacts made of Chavin stone that only occasionally appear on the market. Martha says that Smith told her that he had two of these rarities. "He said that if I invested in one I could get the second one with a 30 percent discount, and I would double my money in less than six weeks," Martha says.

She says John explained that because of the artifacts' rarity they had to be kept in a locked safe in a secret London location, but he'd arranged to bring one to the Dog and Duck Pub to show her. Martha says that John told her his company had a special license to export the artifacts from Denver, but if they weren't sold in the U.K. in the next five days they'd have to go back to the U.S.

Fateful pub meeting

Martha met John at the pub and gave him £6,000 cash, and he gave her a certificate of ownership. John told her that he would keep the artifact safe for her. (She doesn't realize that he's already sold the same artifact to scores of other victims. It costs him almost nothing to print up another 20 certificates.) Martha took a selfie of herself and John holding the certificate.

She took the certificate, but after she spoke with a friend she began to have suspicions about the transaction. Martha has unsuccessfully tried to contact John. The victim has a photo of John but nothing else to go on. What could you do to help Martha?

First, you want to discover what you can about the culprit's website. (I encourage you to practice the following investigative methods using your own details. You might be surprised at what you find.) On John's site, right click the page and choose View Page Source (or View Source) from the menu. This shows you the HTML the page is built from. Look in it for the authors' comments, the text between <!-- and -->, which developers leave for themselves and often forget to remove, and for other identifying details such as author or generator meta tags and links to other sites the same person runs. Any of these can be a further clue for tracing fraudsters.
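As an added example that is not part of the original article, the short Python script below pulls out of a page's source exactly the items mentioned above: the authors' comments, the descriptive meta tags and the outbound links. The page source it parses is constructed for the example (the comment text, meta tags and link are invented, and the domain is the article's own fictitious one); the class and function names are mine.

```python
from html.parser import HTMLParser

# Constructed page source for the fictitious lejitinvestments.com site.
# The comments, meta tags and link are invented for this example.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="SiteBuilder 3.1">
<meta name="author" content="T. Davis">
<!-- TODO: copy this template to the other investment site before Friday -->
<title>Lejit Investment</title>
</head><body>
<!-- contact: tdavis@mail.example -->
<p>Rare Chavin stone artefacts</p>
<a href="https://www.example.org/other-site">Partner</a>
</body></html>
"""


class SourceClues(HTMLParser):
    """Collect HTML comments (the authors' remarks), named <meta> tags and
    absolute links: the parts of page source worth reading first."""

    def __init__(self):
        super().__init__()
        self.comments, self.meta, self.links = [], {}, []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # attribute names are lowercased
        if tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"].lower()] = a["content"]
        elif tag == "a" and (a.get("href") or "").startswith(("http://", "https://")):
            self.links.append(a["href"])


def page_clues(html: str) -> dict:
    """Return {'comments': [...], 'meta': {...}, 'links': [...]} for a page."""
    parser = SourceClues()
    parser.feed(html)
    parser.close()
    return {"comments": parser.comments, "meta": parser.meta, "links": parser.links}
```

Run it on a saved copy of the page source (the file View Page Source shows you) rather than on a live fetch, so that the site's operator does not see unusual traffic from your office.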

Next, go to https://who.is or a similar WHOIS lookup (NirSoft's IPNetInfo is another option) and you find that the site is actually registered to a "Tom Davis," possibly an alias or Smith's actual name. You might also get an address and telephone number. Bear in mind that registrant details can be hidden behind a privacy or proxy service, or simply be false; even then, the registrar, the creation date and the name servers tell you how old the site is and where it is hosted, and are worth recording.

Investigating emails, phone calls and the 'pitch'

Email exchanges might reveal a little more information. Different email programs have varying ways to unmask hidden headers. In Gmail, open the email message from John to Martha, click the small triangle next to Reply at the top right of the message pane and select Show Original from the dropdown menu (in Outlook, open the message's Properties or Message Options dialog and read the Internet headers box). Several articles provide detailed instructions on deciphering email headers. (For example, see the Gmail help article, Reading full email headers.)

In the full header, read the Received: lines from the bottom up: each mail server adds its own line at the top, so the lowest one is the first hop and may record the IP address John's computer connected from. Plug that address into https://who.is. A lookup on an IP address returns the network operator it is allocated to, typically an ISP or hosting company, with a country and an abuse contact; it does not return John's own details. If he used a webmail service, the first hop is the provider's own server and tells you only which provider he used. Matching an address to a subscriber at a given time is a matter for law enforcement, which can ask the operator for its records.
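As an added example, not from the original article, here is a small Python script that does the bottom-up walk through the Received: chain described above. The two messages it parses are constructed for the example: their addresses are RFC 5737 documentation ranges, the sender domain is the article's fictitious one, and the header layouts are typical of a mail-client submission and of a webmail provider that adds an X-Originating-IP header (only some providers do). The function and variable names are my own.

```python
import email
import ipaddress
import re

# Ranges that can never be the sender's public address: RFC 1918, loopback,
# link-local, CGNAT. (Not ipaddress's is_global, which also rejects the RFC 5737
# documentation addresses used in the constructed samples below.)
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample 1: submitted from a mail client (ESMTPSA = authenticated
# submission). The client announced its LAN address 10.0.0.7, but the
# receiving server recorded the real source, 203.0.113.77.
CLIENT_SUBMISSION = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.victim.example (Postfix) with ESMTPS id 4F2; Tue, 5 Jan 2016 10:01:02 +0000
Received: from smtp.example.net (smtp.example.net [198.51.100.25])
\tby mx.example.net with ESMTP; Tue, 5 Jan 2016 10:01:01 +0000
Received: from [10.0.0.7] (unknown [203.0.113.77])
\tby smtp.example.net (Postfix) with ESMTPSA id 9AB; Tue, 5 Jan 2016 10:01:00 +0000
From: "John Smith" <john@lejitinvestments.com>
To: martha@example.org
Subject: Chavin stone artefacts

Dear Martha, ...
"""

# Constructed sample 2: sent from a webmail site. The earliest hop is the
# provider's outbound server; only the X-Originating-IP header, which some
# providers add, reveals the address of the browser that composed it.
WEBMAIL = """\
Received: from out42.webmail.example (out42.webmail.example [198.51.100.42])
\tby mail.victim.example (Postfix) with ESMTPS id 7C1; Tue, 5 Jan 2016 11:30:00 +0000
X-Originating-IP: [203.0.113.77]
From: "John Smith" <john@lejitinvestments.com>
To: martha@example.org
Subject: Re: Chavin stone artefacts

Martha, the safe is in London ...
"""


def _unfold(value: str) -> str:
    """Join a folded header back onto one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def received_hops(raw: str) -> list:
    """Received: lines in travel order, earliest hop first. Every relay
    prepends its own line, so the header order has to be reversed."""
    msg = email.message_from_string(raw)
    return [_unfold(v) for v in reversed(msg.get_all("Received", []))]


def external_ips(text: str) -> list:
    """Routable IPv4 addresses found in text, skipping the INTERNAL ranges."""
    found = []
    for m in IP_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:          # e.g. 999.1.1.1 matches the regex
            continue
        if not any(ip in net for net in INTERNAL):
            found.append(str(ip))
    return found


def first_external_received_ip(hops: list):
    """First routable address a receiving server recorded in the chain.
    Only the 'from ...' clause is what the receiver observed; the text
    after 'by' names the receiver itself."""
    for hop in hops:
        from_clause = re.split(r"\s+by\s+", hop, maxsplit=1)[0]
        ips = external_ips(from_clause)
        if ips:
            return ips[0]
    return None


def originating_ip(raw: str):
    """Best guess at the sender's address: an X-Originating-IP header if the
    provider added one, otherwise the earliest external hop. For webmail
    without that header this is the provider's server, not the sender."""
    msg = email.message_from_string(raw)
    ips = external_ips(msg.get("X-Originating-IP", ""))
    return ips[0] if ips else first_external_received_ip(received_hops(raw))
```

Two cautions when you use this on a real message: a Received: line can be forged by any server the message passed through before it reached one you trust, so weight the lines added by Martha's own provider most heavily; and a lookup of the resulting address tells you the operator and country, which is a lead for a police request, not an identification.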

Next up is investigating where the mobile phone number originated. Unfortunately, the fraudster probably used a disposable pay-as-you-go phone (or "pay as you throw," as I call them), so it's unlikely you'll discover any useful clues. Again, in the U.S. and some other countries you might try a reverse phone site.

Now let's look at Smith's pitch. Google, of course, is a fine search engine but don't forget Dogpile, DuckDuckGo, Cluuz or Wow. A search of "rare Peruvian artefacts" (with the British spelling of "artefacts") on Cluuz.com brings up two articles on their smuggling along with indicted suspects' names with links to the U.S. Immigration and Customs Enforcement Newsroom page. (See "Figure 1: Search results on 'rare Peruvian artefacts' on Cluuz.com" and "Figure 2: Relationship cluster chart on 'Peruvian artifacts found in smuggling investigation' on Cluuz.com" below.) The articles contain the reporters' contact information. You can also do an advanced search for "John Smith, rare Peruvian artefacts" on Cluuz to receive a detailed relationship cluster chart.

[Figure 1: Search results on "rare Peruvian artefacts" on Cluuz.com]

[Figure 2: Relationship cluster chart on "Peruvian artifacts found in smuggling investigation" on Cluuz.com]

Selfies can tell stories

Let's look at Martha's selfie. Use a reverse image search such as Google's (several other search engines offer one). Open Google and select Images at the top of the page. A small camera appears on the right side of the search bar. Click on it, and upload the photo or enter its URL. Google will return visually similar images and the pages they appear on. Note that this is image matching, not facial recognition: it finds copies and crops of the same picture, not other pictures of the same face. To learn more about a match, right click it and use Inspect Element or copy the image address to see where the file is hosted, and if you can download the original file, look at its properties: a photo that has not been re-saved by a social network may still carry camera details and GPS coordinates in its metadata, although most sites strip these on upload.

When we upload the image of the "rare" artifact we find additional images of the same object for sale for $100 from a U.S. auction house. Martha's treasure is almost certainly a cheap fake.

Meetup clues at the pub

Next, the meeting location. Why would Smith want to meet at a pub? Is he local to that area? Does he have contacts there? There must be a reason for meeting at that spot.

Before you visit the pub, first research for any other possible photos that might contain Smith. Then show the selfie to the pub's owner and others in the pub. Be cautious in what you say. Check to see if any pertinent photos or tweets originated from the pub. Go to www.echosec.net, type in the pub's address, select an area and search the photos to see if any match our subject. You can do the same at www.jotpix.com and www.flickr.com.

(A word of warning for parents: your children's innocent mobile phone photos of their bedrooms or your homes and gardens can carry intact metadata, including the GPS coordinates of where they were taken, if the file is passed on directly rather than through a service that strips it. You can disable location tagging for the camera on your children's phones, and on Windows you can remove the metadata from a file: right click the image, go to Properties, open the Details tab and select Remove Properties and Personal Information.)
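The metadata in question is the Exif block that cameras write into the JPEG file. As an added example that is not part of the article, here is a Python script that reads the GPS position out of that block and produces a copy with the metadata segments removed, the same effect as the Remove Properties dialog. It builds its own minimal JPEG with a made-up position in central London so that it runs offline; the function names are mine, and the only thing it assumes about real files is the standard JPEG marker and Exif/TIFF layout.

```python
import struct

# TIFF field types used by Exif: 1 BYTE, 2 ASCII, 3 SHORT, 4 LONG, 5 RATIONAL ...
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
GPS_IFD_TAG = 0x8825            # IFD0 entry pointing at the GPS sub-IFD
# GPS IFD tags: 1 LatitudeRef, 2 Latitude, 3 LongitudeRef, 4 Longitude


def jpeg_segments(data: bytes):
    """Yield (marker, segment_bytes) for each marker segment. Scan data after
    SOS is yielded as one final chunk, EOI as a bare marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI
            yield marker, data[pos:pos + 2]
            return
        if marker == 0xDA:                          # SOS: rest is image data
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff: bytes, offset: int, end: str) -> dict:
    """Parse one IFD into {tag: value}. Values longer than 4 bytes live
    elsewhere in the TIFF block and the entry holds their offset."""
    (count,) = struct.unpack_from(end + "H", tiff, offset)
    entries = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, entry)
        size = TYPE_SIZE.get(typ, 1) * n
        val_off = entry + 8
        if size > 4:
            (val_off,) = struct.unpack_from(end + "I", tiff, val_off)
        raw = tiff[val_off:val_off + size]
        if typ == 2:
            entries[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            nums = struct.unpack(end + "II" * n, raw)
            entries[tag] = [(nums[2 * k], nums[2 * k + 1]) for k in range(n)]
        elif typ in (3, 4):
            entries[tag] = list(struct.unpack(end + ("H" if typ == 3 else "I") * n, raw))
        else:
            entries[tag] = raw
    return entries


def _dms(rationals) -> float:
    """Degrees, minutes, seconds (as rationals) to decimal degrees."""
    d, m, s = (num / den for num, den in rationals)
    return d + m / 60 + s / 3600


def exif_gps(data: bytes):
    """(latitude, longitude) in decimal degrees from the Exif GPS IFD, or
    None when the file carries no Exif block or no GPS position."""
    for marker, seg in jpeg_segments(data):
        if marker != 0xE1 or seg[4:10] != b"Exif\0\0":
            continue
        tiff = seg[10:]
        end = "<" if tiff[:2] == b"II" else ">"    # byte-order mark
        (ifd0_off,) = struct.unpack_from(end + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, ifd0_off, end)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, ifd0[GPS_IFD_TAG][0], end)
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        lat = _dms(gps[2]) * (-1 if gps[1] == "S" else 1)
        lon = _dms(gps[4]) * (-1 if gps[3] == "W" else 1)
        return lat, lon
    return None


def strip_metadata(data: bytes) -> bytes:
    """Copy of the JPEG without Exif/XMP (APP1), IPTC (APP13) and comment
    segments. Image data and the tables needed to decode it are kept."""
    return b"\xff\xd8" + b"".join(
        seg for marker, seg in jpeg_segments(data) if marker not in (0xE1, 0xED, 0xFE))


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, one Exif APP1 holding only a GPS IFD,
    then EOI. The position is a made-up spot in central London."""
    def rat(*pairs):
        return b"".join(struct.pack("<II", n, d) for n, d in pairs)
    lat = rat((51, 1), (30, 1), (265, 10))          # 51 deg 30' 26.5" N
    lon = rat((0, 1), (7, 1), (396, 10))            # 0 deg 7' 39.6" W
    # TIFF header is 8 bytes; IFD0 (18 bytes) starts at 8, GPS IFD (54 bytes)
    # at 26, latitude rationals at 80, longitude rationals at 104.
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + b"\0\0\0\0"
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI", 1, 2, 2) + b"N\0\0\0"
           + struct.pack("<HHII", 2, 5, 3, 80)
           + struct.pack("<HHI", 3, 2, 2) + b"W\0\0\0"
           + struct.pack("<HHII", 4, 5, 3, 104)
           + b"\0\0\0\0")
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + lat + lon
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

On a real photo, call exif_gps(open(path, "rb").read()) before you hand the file to anyone, and keep the output of strip_metadata for sharing. Stripping APP1 also removes the embedded thumbnail, which is worth knowing in the other direction too: a thumbnail can preserve a version of the picture from before it was cropped.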

Searching aggregate social sites

You don't find any photos matching John, so it's time to search some social networks. Individual searches of Facebook, Twitter, LinkedIn, Foursquare, etc. can be time-consuming. Search multiple networks at www.socialsearcher.com, http://knowem.com, www.socialmention.com, www.peekyou.com and the fee-based service www.spokeo.com. Social Searcher, for example, will search the most common social media sites and display postings and photos from or about the target of the search.

You find that John is connected with some sketchy characters who have prison records (you check public court records) or have dubious relationships with others who do.

Deep into the web's bowels

You might also venture into the deep web (pages that ordinary search engines don't index) or the dark web to search for John's possible other crimes. To begin, download the free Tor Browser bundle. (Tor is an acronym derived from the original software project, The Onion Router. The onion is the encryption: each connection is wrapped in several layers of encryption and passed through a chain of relays, each of which peels off one layer, so no single relay knows both who you are and what you are visiting.) With it you can open addresses ending in ".onion", which are reachable only through the Tor network; they don't resolve in ordinary DNS and don't turn up in regular search engines.

For example rrcc5uuudhh4oz3c.onion takes you to an anonymous forum called Intel Exchange. (Although, Intel Exchange is now so popular it's on Tor2web, a gateway that lets users reach Tor onion services from an ordinary browser without using Tor Browser, at the cost of the anonymity Tor would give them.)

Tor contains potentially criminal sites offering contraband false passports, guns, drugs, pornography and stolen credit card data. (But beware. Fraudsters have constructed bogus crime sites to scam the gullible because they know their victims won't report their own illegal activity to law enforcement.)

We can learn a lot about fraudsters' methods by viewing their Tor websites. We also have to learn the latest in open-source sites and technology to find criminals like John and discover their techniques and haunts.

A little closer

So, in this hypothetical case, you've been able to gather extra information on "John Smith" that Martha could use in her complaint to law enforcement. You might have enough to track him down in his residence or workplace.

I've listed just a few online investigative methods. Please send me an email with your favorites, and I'll make sure the best are posted on the ACFE's General Forum.

Tim Harvey, CFE, JP, is director of the ACFE's U.K. Operations and a member of Transparency International and the British Society of Criminology. His email address is: tharvey@ACFE.com.
