Adults Contacting Minors Online

Adults contacting minors online for the purpose of sextortion or meeting up for sex continues to be a big problem. Federal investigators believe there are more than 500,000 online predators active each day and they all have multiple online profiles. ACMs (Adults Contacting Minors) attempt to groom their minor victims one step at a time. They start by making a connection. Next, they spark conversation, and then try to lure them in by sending a provocative photo of themselves. For most, the end goal is to meet for sex. In some cases, they are satisfied by either video chats or even exchanging photos. More than 50% of victims are ages 12 to 15 and 89% of victims are contacted by a predator through a chatroom and instant messaging.

Most ACMs have a level of confidence in this because it is currently underreported. There is a sense that the ACM is “anonymous” online with no way to find out who he really is. This makes it almost impossible to catch them. With the help of great organizations like SOSA (Safe From Online Sex Abuse), whose goal is to raise awareness and combat abuse, some headway is being made.

Recently the organization created a documentary on this subject that every parent should watch. It is called Undercover/Underage. Roo Powell is on a mission to expose the dangers of and prevent online child sex abuse. She works together with her nonprofit group, SOSA, to set up aliases to engage with child predators. She works with law enforcement and professionals in the field. Over the course of the documentary, Roo transforms herself into several 15–16-year-old personas. It is no easy undertaking to make a 30-year-old (Roo) look and act like a 15-year-old minor. However, she pulls it off. She has done her research and understands the behavior, likes/dislikes of an average teen.

Alias Creation (aka Sock Puppets)

  1. Setting up and creating a fake profile requires a lot of upfront work. Because this may lead to a video meeting or even an in-person meeting, everything must jibe. Using the same username across all platforms is critical.
  2. Creating a community of “friends” to make the profile look believable.
  3. Photos – hiring a professional photographer who specializes in photo editing. The photographer in the documentary works in the fashion industry and is great at identifying and removing any age regressing features. The goal is to make her look like a teenager.
  4. The use of hashtags is very important. Teens will use hashtags – #freshman, #15yearsold, #mixedgirl, #daddyissue, etc. The more the better to get the right kind of attention online.

OSINT Work

One thing that I found to be interesting as I watched the documentary is how the team used OSINT techniques every step of the way. They used the “Leave no stone unturned” strategy to try to ID the guy. In one episode, the ACM loved to talk about himself. He talked about his work history, his hobbies, the fact that he has 4 kids, etc. The team is shown searching all of it to connect the dots and find out information about this guy online. He’s a pro, however; he knows what he is doing and is careful. Just one small crumb could be enough to point them in the right direction. The average person has no idea how much information is housed on the web. It could be an old press release that has been forgotten about that names him. Or it could be an obituary of a deceased relative that includes the name of the ACM. Anything is possible and that is why it is important to take the time needed to search.

The group also uses honeypot computing to lure in the ACM. A honeypot is a decoy computer system for trapping hackers or tracking unconventional or new hacking methods. In this case it is being used as a lure to try to identify the ACM’s IP address, and it is populated with the teen girl persona’s photos, poetry, etc. On the backend of the site there is an activity log that lists the visitors to the site. From that IP address, one may be able to identify the location of the ACM, if they do not use a VPN of course.

Keeping Up With the Apps

It makes sense that teens are more inclined to use apps. Apps allow users to share photos and videos with their friends through their mobile device. The documentary mentions a few sites/apps you may not have heard of before.

  • boardgamegeek.com: This site’s database has more than fifty thousand board games along with their developers and players. The games themselves are linked to users through lists called GeekLists, along with owned/played/wanted etc. connections, ratings, reviews, session reports, and so on. It has a forum which has some search capabilities. Good to keep in mind if your subject is a gamer. Search by location and then by name.
  • Online chat groups, messaging apps, and gaming apps make it easy for a predator to make a connection with a minor online. Interactions can easily escalate to “sextortion”, in which minors are coerced into sending explicit imagery of themselves. According to a recent New York Times article titled, “How to Protect Your Children From Online Predators”, the following are the ones to watch closely

In summary, the team uses outstanding critical thinking skills along with online research to try to identify the ACMs. Some fall through the cracks, but in some cases, she does provide enough evidence to law enforcement to “take it from there”. It is not an easy task, and it really takes a thick skin and a strong stomach. Some scenes show Roo emotionally drained from the experience of playing out conversations with child predators. But in the end, it is her deep desire to help the kids. If she can get one or two arrested, she has done what she set out to do.

Employee Fraud in the Digital Age

In today’s digital world, employee fraud and theft are up and can cost a company a lot of lost revenue. This is an area in which a Private Investigator can be very valuable to a loss prevention department.

A recent article in The Atlanta Journal-Constitution reported two employee fraud investigations.

Home Depot just caught an employee who stole over 100K in electronic gift cards. “Said accused did, between January and November 2018, use his position as a Home Depot employee to send E-Gift cards to email accounts that he set up himself, or were provided to him from a third party, in the amount of $156,330 U.S. dollars,” the arrest warrant states.

“A teenager was arrested after he was accused of stealing nearly $1 million from the Kroger store where he worked. According to police, 19-year-old Tre Brown created more than 40 returns for non-existent items in December and January, including lottery tickets that were never sold, spokesman Cpl. Collin Flynn said. Those returns, which ranged in price from $75 to more than $87,000, were then placed on several credit cards, investigators said.”

Benefits Pro, an employee benefit firm, recently published an article on the warning signs.

Employee Fraud Red Flags:

• An employee living beyond their means
• An unwillingness to share duties
• Being under pressure on the job
• Family problems or divorce
• Defensiveness
• Past legal problems
• Refusal to take vacations

According to Certified Fraud Examiners, a typical company can lose up to 5% annually to employee fraud. In fact, the Association of Certified Fraud Examiners conducted a study in 2018 titled, “Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.” The study included 2,690 known cases. Many do not get reported due to the stigma and bad public relations to the company itself.

The study goes on to reveal some other commonalities.

  1. Losses caused by men are 75 percent larger than those caused by women.
  2. The most common way employee frauds are discovered is via tips.
  3. Internal control weakness is responsible for nearly half of frauds.
  4. Employees committing fraud who have been with their companies longer stole twice as much.
  5. Small businesses lost almost twice as much to fraud per scheme as larger ones.

Deep Web Research

If the investigator is looking for stolen merchandise, then the web is one of the best places to begin. Conducting a deep web search on a person of interest can provide a starting point. Details may emerge that will provide various emails, phone numbers and usernames. Connecting the person with online social media groups, marketplaces, Craigslist, and more may provide you an exact place where the stolen merchandise is being sold.

Auto Parts for Sale

We once worked on a scan for an Investigator whose subject was suspected of selling a very unique set of stolen auto parts. The employee had created an eBay account and made the mistake of using a familiar username. After the username was revealed in our Deep Web Scan, we turned our attention to the online websites that sell goods to consumers. We were able to piece this information together with that of our client’s subject. A huge catalog of stolen auto parts was on display!

The internet has certainly helped employee fraud. With more avenues to sell stolen merchandise, it can be just the right kind of lure an employee needs to do the unthinkable.

Outdated POS systems, computer programs and data storage entry gaps can be additional areas of concern for many retailers. Being proactive is always your best approach to take away the temptation. Smaller businesses may not have the money for a loss prevention department. That is where a Private Investigator can be a valuable asset to your business, specifically one who deals in computer forensics.

Analyzing Social Media Posts

Analyzing social media posts is most likely something you don’t really do on a regular basis. Unless the case calls for it, there is not always a need for it. However, when there is, so much can be uncovered!

Don’t F**k With Cats: Hunting an Internet Killer

If you are a Netflix subscriber you may have seen this documentary. It is one of the best OSINT films out there. The documentary uncovers the months it took a group of online sleuths to reveal a real-life killer. During the documentary it is revealed how helpful social media posts were in finding clues to the whereabouts of this criminal. It is graphic, so be forewarned. However, the diligence of these average people is noteworthy. It takes time to really dig and even when your subject leaves clues, it can be difficult.

One scene in particular focuses on the street lights in a city. The subject posted a photo of himself on social media on a city street. One person recognized the style of the street lights and pinpointed them correctly as being in Ontario, Canada. She was correct; however, it took so long to persuade the local police to believe her story that the suspect had already moved on to a new location.

It is also a great example of how important it is to really look at social media posts.

Social Media Post Threats

When scrutinizing social media posts, carefully look beyond the person in the post. Is there a computer screen or tablet that you can zero in on? What about a clock in the background? Cross reference this with the date and time of the post.

Photos of a person’s home can be important as well. Recently, we conducted a deep web scan on a person who was suspected of selling drugs from her home. We searched for a post that she may have forgotten about online that showed her with the drugs. While we did not uncover anything like that, because she had deleted it all, we did uncover something else.

She was showcasing herself in a very specific Reddit group that served as an advertisement of sorts linking to an online porn site. In this case, she did not show her face on any of the posts. She did, however, take all the photos in her bedroom. We were able to link her bedroom from her public Facebook posts to the bedroom from her Reddit posts. Since this was a child custody case, this was an important find.

Reverse Image and Exif Information

Where possible, reverse image searching and checking Exif data can help provide additional information when investigating uploaded images. We explained in more detail what Exif data is in a recent post titled, “Where Was This Social Media Photo Taken?”

Reverse image searching can be done with a Google Image search or Bing Image search. Some paid versions are TinEye and Social Catfish.

The Dark Side of OSINT

After the horrific attack on the U.S. Congress this month, many law enforcement people turned to photos on social media and the deep web to locate people of interest and to investigate further.

An article, “The Dark Side of Open Source Intelligence”, warns readers to be careful when using this method.

While the use of open source intelligence has been praised by law enforcement and investigative journalists for its crime-solving efficiency, public data can be dangerous when used in haste on social media. The speed that makes OSINT so effective as an investigative tool can also make its use more susceptible to blunders and bias. From terrorist attacks to protests and mass shootings, open source intelligence has led to inaccurate vigilante-style justice and the doxxing of innocent individuals.

Like everything else online, some is real and some is not. Cross referencing for data accuracy is critically important.

Who is Tied to This Email Address?

We have had a few requests over the years asking if there is a way to search an email address to see who it is tied to. There are actually numerous ways in which to do this on several different sites. Many of them require payment of some kind. You can try basic searches in Google, Bing and Yahoo first, however if you come up empty there, where do you go?

Interestingly enough, data breaches over the years have become an open source researcher’s best friend. In part this is due to the fact that when there is a large-scale data breach, it is often obligatory for the business to provide a site in which a user can check to see if they are part of the breach.

When searching for an email owner, we may want to know if the email is valid. Does it even exist or is it a made up, dummy email? By using some of the resources in this post, you can at least get confirmation that the email is valid. For example, if you discover the email has been part of a data breach, chances are it is a real email address. We can go one step further to say, with a degree of confidence, that it is most likely tied to other discoverable items in the deep web.

Not all data breach sites allow the user to look up another person’s email address. Most want to verify you are indeed the owner of the email address and genuinely want to know if your email has been compromised. There are a few that are not as strict. Two example sites that offer a quick and easy scan are:

Have I Been Pwned?

A quick search here will tell you if the email address has been part of a data breach or not. While it isn’t going to give you any details, it will give you the number of times it has been included in a breach of some kind.

Have I Been Pwned

You can see that a quick scan of this email address indicates it has been a part of 5 breached sites but doesn’t tell you which ones. It does let you know that it is most likely a “real” email address.

Avast Email Check

Another site you can try is Avast. This is one of the newest sites that gives users the opportunity to scan for a “friend’s email address”.

Avast Warning

Marianne’s email was linked to MySpace, which leads me to think that she had an account at some point tied to this email address. I would search on the site to see if anything still exists in MySpace.

You may also want to try variations of the email address just in case you find closely configured email addresses. Use Google or Bing to search them to see what you come up with.