An OSINT Analysis of a region focused job scam
Based on one of our recent internet-wide scans using the spiderSilk platform called Resonance, we identified many companies operating in the same field whose websites share the same template and content, differing only in logos and contact information. This was really suspicious! Because of this, we went deeper in our investigation around this finding and uncovered a significantly diverse and broad scam network.
In this article, we will explain how we uncovered the scam and then walk through our analysis.
Disclaimer: In this research, we are providing information about the infrastructure and modus operandi of malicious actors; no personal information was exposed.
Table of contents
- Resonance
- Search engines
- Passive DNS
- Reverse Whois
- Expanding the scope
- Identifying all internet domains that are using hostnownow.com as their Name Server
- Identifying potential scam domains
- Targeted geolocations
- Is this just a "job scam" network targeting job applicants exclusively?
The SCAM
Let’s first walk you through the scam and how it normally plays out. Below are examples of legitimate and fake websites that we identified; notice that the fake company websites are clones of the legitimate ones.
Legitimate companies | Fake companies
Gulf Energy SAOC: www.gulfenergy-int.com | Gulf-Shore Energy: gulfshore-energy.com
HEISCO: www.heisco.com | Sheikh Mussafah Oil & Gas Group: sheikhmussafahoilgroup.com
Travco UAE: travcotravel.ae | E-Help Consultancy & Migration Services-UAE: ehelpconsultant.com; Royal Route Travel Agency LLC: www.royalroutetravel.com; Iconique Immigration Services LLC: iconiqueimmigration.com; Pan-Emirates Immigration Services LLC: panemiratesimmigrationservice.com; Tour Solution 4U LLC: toursolutions4u.com
Adventure Leisure Tourism: www.altdubai.com | Duram Travel Agency: duramtravels.com; SummerLink Travel and Tourism LLC: www.summerlinktravel.com
Galaxy Insurance Brokers: www.galaxyinsurance.ae | Umbrella Insurance & Underwriters LLC: umbrellainsurancellc.com
Gulf Energy SAOC (website: www.gulfenergy-int.com, employees: 1025), an affiliate of National Energy Services Reunited (NESR), is a well-known oilfield services company in the Middle East and North Africa regions.
Gulf-Shore Energy Petroleum LLC (website: gulfshore-energy.com/) is a non-existent company using the Gulf Energy SAOC website content:
Let's dive in and understand the reason behind the creation of the fake websites.
On LinkedIn the search for “Gulf-Shore Energy Petroleum LLC” (the fake company) was unfruitful and we didn’t find any mention of it.
On the other hand, searching for the “Gulf-Shore Energy Petroleum LLC” on Google, we identified the following job offer:
A non-existent company offering a job is very suspicious, so let’s look up another fake company, Sheikh Mussafah Oil & Gas Group (sheikhmussafahoilgroup.com), to get more insights.
By searching for “Sheikh Mussafah Oil & Gas Group” on Google, we found that one of the first results to appear is a career page where job seekers can apply for jobs.
We also found that this fake company was reported twice on the “Scam Watcher” website (https://www.scamwatcher.com/) as a suspected job scam:
Both fake companies appear to be offering jobs. To uncover how the scam takes place, let’s search for the travel agency “Airfly Immigration Services Abu Dhabi” that was mentioned in the job offer:
As we are dealing with a job offer, LinkedIn would be a very valuable source of information as it is a popular platform for job seekers who might discuss the job offers they have received.
Strangely, there was no company profile for that travel agency on LinkedIn:
While there is no company profile, we did find posts on LinkedIn; after analysing them, we discovered that the travel agency is fake and is operated by scammers. It also appears to be part of another job scam, this time branded as “SHEIKHZACDIC OIL AND GAS COMPANY” (www.sheikhzacdicoil.com). They asked their victims to pay fees ranging from 2 to 3 thousand dollars to cover the “Immigration Services” for the individual or for the family.
So let's recap: scammers target job seekers by creating fake company websites and offering high salaries to candidates without an interview, then ask them to contact a fake travel agency (also operated by the scammers) to obtain a visa and health insurance; the agency then requests payment for the visa and travel fees.
Job scams
Job scams occur when criminals trick victims into thinking they have gotten a job or promise them a job by posing as employers/recruiters.
Scammers take advantage of their authority as potential employers and ask their victims to either transfer money so they can manage their visa and health insurance, or provide them with their personally identifiable information.
According to the FBI's Internet Crime Complaint Center, 16,012 people reported being victims of job scams in 2020, with losses amounting to more than $59 million.
What is the impact of job scams?
The impact of job scams varies depending on what the scammers get from their victims.
Typically, job scammers are interested in two main things:
- Your money
- Your personal information
The impact can be a financial loss if the victim only transfers money. But providing personal information such as photo ID or driver's license, bank account numbers and account information, social security number, home address, and phone number may result in identity theft.
How to protect yourself from job scams?
The following are tips to help you avoid getting scammed:
- Always do an online search: search the company name, the employer, or the recruiter on Google (plus the word ‘scam’, ‘review’, or ‘complaint’), LinkedIn, and Scamwatcher and see what pops up
- Don't trust a job offer that sounds too good to be true: big pay for minimal skills
- Do not pay for the promise of a job: if you are asked to pay visa, relocation, and insurance costs, it is most likely a scam
- Reject offers that require no experience
- Do not provide your bank details to a potential employer: a legitimate employer will only ask for your bank details after you officially join the company
- Do not accept an offer when you did not apply: in some cases, you may receive an email or phone call stating that you are hired for a job for which you did not apply; this is definitely a scam
- Do not share your social security number or other PII that may be used to access your accounts with anyone who does not need to know this information
- Connect with the company: when you see a job posting on social media purporting to be from a company, you can email the company asking if the posting is legitimate before applying
The Analysis
The starting point for our analysis is a set of fake companies that operate in the UAE (some of them are listed below):
- gulfshore-energy.com (email: info@gulfshore-energy.com, phone number: +971567217845)
- sheikhmussafahoilgroup.com (email: info@sheikhmussafahoilgroup.com, phone number: +971526024849)
- ehelpconsultant.com (email: abudhabi@ehelpconsultant.com, phone number: +971524256573)
- duramtravels.com (email: info@duramtravels.com, phone number: +971521881096)
- summerlinktravel.com (email: summerlinktravel.com, phone number: +971505860558; +971586576808)
- southseaenergyllc.com (email: info@southseaenergyllc.com, phone number: N/A)
- umbrellainsurancellc.com (email: info@umbrellainsurancellc.com, phone number: N/A)
- gulfintlmedicalcare.com (email: info@gulfIntlmedicalcare.com, phone number: +971522956025)
- westernairimmgration.com (email: info@westernairimmgration.com; Permit.westernairimmigration@outlook.com, phone number: +971551275296)
- dhlexpressuae.com (email: info@dhlexpressuae.com, phone number: +97152226464)
- iconiqueimmigration.com (email: info@iconiqueimmigration.com, phone number: +971589714537)
- panemiratesimmigrationservice.com (email: abudhabi@ehelpconsultant.com, phone number: +971558561934)
Now let's use a few different OSINT tools and techniques to uncover the scam network. This time we will be using:
- Our own platform, Resonance
- Search engines
- Passive DNS
- Reverse whois
- A few others
Resonance
Resonance is a powerful platform that continuously scans 4.29 billion IP addresses, helping organizations gain visibility into their assets and the relevant security findings about them. Resonance has a powerful machine-learning engine that can identify relationships between all internet domains, which means that we can uncover hundreds of fraudulent domains starting with just 1 domain. Click HERE if you are interested in seeing a demo of spiderSilk Resonance!
Search engines
Let’s access the scam website, extract phone numbers and email addresses, check the “about us” page, and then search for that information using search engines such as Google and Bing to identify similar scam sites.
Let’s take dhlexpressuae.com as a starting point:
By searching on Google for the contents of the “about us” page without “DHL Express UAE”, we identified 3 additional fake companies!
- https://airconecttexpresdl.com/
- https://www.escalateexpressdll.com/
- https://bdcl-us.com/
Search engines are very powerful: we started with 1 scam website and ended up with 4 of them, which is amazing!
Passive DNS
Here we identify the domain's IP address, then search passive DNS services such as VirusTotal and Mnemonic to identify co-hosted domains that may also be related to the same scam.
Let’s take gulfshore-energy.com as a starting point.
We start by identifying the hosting server IP address; in this case it is 66.147.236.12.
By querying Mnemonic, we identified 989 domains hosted on the same server:
One of the first things we noticed is that duramtravels.com, umbrellainsurancellc.com, and iconiqueimmigration.com (the fake domains we used as a starting point) are hosted on the same server as gulfshore-energy.com.
Note: as we found multiple job scam domains using hostnownow.com, a Nigerian hosting company, as their name server, we can assume that they are all operated under the same scam umbrella.
Reverse Whois
While whois lookup consists of identifying information such as domain registrar, registration date, and registrant contact information from a domain name or IP address, reverse whois consists of retrieving all domains that are connected to a given identifier such as registrant name, email address, and phone number.
Let’s take ehelpconsultant.com as a starting point.
The whois output for the domain is the following:
- Registrar: OwnRegistrar, Inc.
- Registered On: 2022-08-05
- Name Servers: ns23.hostnownow.com; ns24.hostnownow.com
- Registrant name: pere musa
- Registrant email address: pereblackmoney@gmail.com
- Registrant Phone: +234-504730043
- Registrant country: Nigeria
- …
The first thing that we notice is that the domain also uses "hostnownow.com" as a name server.
Now we will perform a reverse whois lookup by searching for domains registered with the email address pereblackmoney@gmail.com. We can use multiple sources such as Whoxy.com, Intelx.io and viewdns.info.
Whoxy uncovered 7 domains registered by the same email address, including umbrellainsurancellc.com; with that information we can see that all these job scams are operated by the same people:
Expanding the scope
In order to identify the broad scam network, we need to look for matching patterns between the initially identified domains.
Domain | Registrar | Name Server | Hosting provider | MX | Website paths
gulfshore-energy.com | OwnRegistrar | hostnownow.com | Hostrocket | gulfshore-energy.com | .html extension or #
sheikhmussafahoilgroup.com | NameCheap | Namecheaphosting.com | NameCheap | Zoho | .html extension or #
ehelpconsultant.com | OwnRegistrar | hostnownow.com | Reliablesite | ehelpconsultant.com | .html extension or #
duramtravels.com | OwnRegistrar | hostnownow.com | Hostrocket | Zoho | .html extension or #
summerlinktravel.com | NameCheap | Namecheaphosting.com | NameCheap | Zoho | .html extension or #
southseaenergyllc.com | OwnRegistrar | hostnownow.com | Reliablesite | southseaenergyllc.com | .html extension or #
umbrellainsurancellc.com | OwnRegistrar | hostnownow.com | Hostrocket | Zoho | .html extension or #
gulfintlmedicalcare.com | OwnRegistrar | hostnownow.com | Reliablesite | gulfintlmedicalcare.com | .html extension or #
westernairimmgration.com | OwnRegistrar | hostnownow.com | Hostrocket | westernairimmgration.com | .html extension or #
dhlexpressuae.com | OwnRegistrar | hostnownow.com | Hostrocket | dhlexpressuae.com | .html extension or #
iconiqueimmigration.com | OwnRegistrar | hostnownow.com | Hostrocket | Zoho | .html extension or #
panemiratesimmigrationservice.com | OwnRegistrar | hostnownow.com | Hostrocket | Zoho | .html extension or #
By doing the above analysis, we find the most common patterns:
- Almost all domains use hostnownow.com (a Nigerian provider) as their name server
- The website paths are always .html or #
Because the MX records and hosting providers differ, we will focus our analysis on the name server and the website paths.
Identifying all internet domains that are using hostnownow.com as their Name Server
To perform the security research, we use ICANN CZDS (Centralized Zone Data Service) to obtain zone files from different TLDs.
A zone file is a text file that contains mappings between the TLD's domains and their respective name servers, as seen in the following picture:
Let's now talk in numbers:
- 5349 domains use hostnownow.com as their name server
- 3107 of them are UP
- 2242 of them are DOWN (some of them already have an “account suspended” warning present)
Now let's continue our analysis on those 3107 working domains.
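As an added example (not the authors' tooling), here is how the zone-file step above can be scripted: parse CZDS-style zone records and keep the domains whose NS records sit under hostnownow.com. The zone data below is constructed for the example, and the comparison is made on a label boundary so that a look-alike name-server domain is not counted.

```python
"""Find the domains in a TLD zone file that are delegated to a given name-server domain."""
from collections import defaultdict

# Constructed sample in the layout ICANN CZDS zone files use (owner, TTL, class, type, rdata).
# The records below are made up for this example; this is not a real zone file.
SAMPLE_ZONE = """\
$ORIGIN com.
$TTL 172800
example.com.             172800 in ns a.iana-servers.net.
ehelpconsultant.com.     172800 in ns ns23.hostnownow.com.
ehelpconsultant.com.     172800 in ns ns24.hostnownow.com.
duramtravels             172800 in ns ns23.hostnownow.com.   ; relative owner name
nothostnownow.com.       172800 in ns ns1.nothostnownow.com. ; look-alike, must NOT match
nothostnownow.com.       172800 in a  192.0.2.10
somecorp.com.            172800 in ns ns1.namecheaphosting.com.
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_ns_records(zone_text):
    """Yield (owner, nameserver) for every NS record, handling comments, $ORIGIN,
    optional TTL/class fields and relative owner names."""
    origin = ""
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop the comment, then tokenise
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):  # $TTL and other directives carry no records
            continue
        owner, rest = fields[0], fields[1:]
        if not owner.endswith("."):  # relative name: append the zone origin
            owner = f"{owner}.{origin}"
        if rest and rest[0].isdigit():  # optional TTL
            rest = rest[1:]
        if rest and rest[0].lower() in ("in", "ch", "hs"):  # optional class
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].lower() == "ns":
            yield normalize(owner), normalize(rest[1])


def domains_using_ns(zone_text, ns_domain):
    """Map each domain to its name servers under ns_domain. The comparison is made on a
    label boundary, so 'nothostnownow.com' is not counted as a hostnownow.com customer."""
    ns_domain = normalize(ns_domain)
    hits = defaultdict(set)
    for owner, ns in parse_ns_records(zone_text):
        if ns == ns_domain or ns.endswith("." + ns_domain):
            hits[owner].add(ns)
    return dict(hits)
```

Run it against a real CZDS zone file by passing the file contents instead of SAMPLE_ZONE; the returned keys are the candidate domains to probe for the UP/DOWN split.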
Identifying potential scam domains
Out of those 3107 domains that use the relevant name server, we identified 1050 domains that share the same scam path patterns, so we classified them as potential scams.
Below we have the information about the registrars and the number of potential scam domains.
Top 10 registrars
Registrar | Potential scam domains
ownregistrar.com | 726
PublicDomainRegistry.com | 105
namecheap.com | 89
dynadot.com | 45
namesilo.com | 38
publicdomainregistry.com | 15
registrar.eu | 6
porkbun.com | 5
godaddy.com | 4
1api.net | 3
As you can see, over 70% of the potential scam domains were registered through ownregistrar.com. Looking for reviews on websites such as Trustpilot, we found bad reviews where people mention that the company ignores abuse reports and doesn’t take down malicious domains:
Top 10 IP addresses
IP Address | Potential scam domains
104.194.10.93 | 153
66.147.238.212 | 138
104.243.35.168 | 137
66.147.239.119 | 133
66.147.236.12 | 119
66.147.230.55 | 114
104.194.9.178 | 101
66.147.238.174 | 93
66.147.238.157 | 61
199.59.243.220 | 1
Multiple IP reputation and threat intelligence sources have already flagged most of these IP addresses as malicious.
For example, the IP address 104.194.10.93 was flagged as related to “web app attacks”, “hacking”, and “scanning activities” by the AbuseIPDB community:
The same IP address was also flagged by the VirusTotal community as having a relationship to phishing and investment scams:
Top 10 registrant email addresses
Email Address | Potential scam domains
tundesam6@gmail.com | 10
markhayes1970fund@gmail.com | 8
hostingtechmailservice@gmail.com | 8
talk2712@yahoo.com | 7
marywayne@protonmail.com | 7
damian.ihemadu@gmail.com | 7
buildmyappng@gmail.com | 7
hr.kashifgroup@gmail.com | 6
fedorpetroleum.com@gmail.com | 6
contact@hostnownow.com | 6
The email address tundesam6@gmail.com is related to scammers, and all 10 domains registered with it are scam websites:
- a1speeddelivery.online (registered on 13/04/2022)
- aritlineshipping.online (registered on 02/04/2022)
- doctorpatrickniklas.online (registered on 02/04/2022)
- dpdshipment.online (registered on 10/04/2022)
- e87mathibelafinancialservices.online (registered on 21/04/2022)
- fivebeansproducts.com (registered on 21/03/2022)
- givingsupportukr.online (registered on 10/04/2022)
- globalswiftlogistics.online (registered on 21/03/2022)
- wetlandsecuritylogistics.com (registered on 19/04/2022)
- xpressimpactlogistics.online (registered on 21/04/2022)
Now we can perform reverse whois lookups on the identified scammer email addresses to find scam domains that are currently down, then use Google cache and the Wayback Machine to get historical content and keep pivoting to expand the scope further.
Targeted geolocations
By doing a keyword search (UAE, u.a.e, United Arab Emirates, +971, dubai, abu dhabi ...) on the 1050 potential scam domains, we identified 188 domains that operate in the UAE.
We also fetched other scam domains and identified many phone numbers with different country codes (+44, +1, +49, +27, +36 ...), which would indicate that it is a worldwide scam.
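As an added example, not code from the article, the following profiles a fetched page for the two heuristics used in this section and in “Identifying potential scam domains”: whether its internal links all follow the “.html or #” pattern, and which UAE keywords and phone country codes appear in its text. The sample HTML and phone number are constructed, and the country-code table is an assumption.

```python
"""Profile a candidate page: static '.html'/'#' link pattern plus UAE keywords and phone country codes."""
import re
from html.parser import HTMLParser

# Keywords are the article's own search list; the country-code table is an assumption.
UAE_KEYWORDS = ("uae", "u.a.e", "united arab emirates", "+971", "dubai", "abu dhabi")
COUNTRY_CODES = {"971": "AE", "44": "GB", "1": "US/CA", "49": "DE", "27": "ZA", "36": "HU"}

# Constructed sample page (not a capture of a real site); the phone number is made up.
SAMPLE_HTML = """
<nav><a href="index.html">Home</a> <a href="about.html">About us</a>
<a href="#">Careers</a> <a href="services.html?lang=en">Services</a></nav>
<p>Head office: Abu Dhabi, United Arab Emirates. Phone: +971 50 000 0000</p>
<a href="mailto:info@example.invalid">Email us</a>
"""


class PageCollector(HTMLParser):
    """Collect every <a href> value and every text node from a page."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def static_paths_only(hrefs):
    """True when every internal link is '#' or a .html page (the pattern in the table above)."""
    internal = [h for h in hrefs if not re.match(r"(https?:|mailto:|tel:|javascript:)", h, re.I)]

    def path(h):  # drop query string and fragment before checking the extension
        return h.split("?", 1)[0].split("#", 1)[0].lower()
    return bool(internal) and all(h.startswith("#") or path(h).endswith(".html") for h in internal)


def phone_country_codes(text):
    """Country codes of '+NNN' phone prefixes in the text; the longest known prefix wins."""
    found = set()
    for digits in re.findall(r"\+(\d{1,3})", text):
        code = next((COUNTRY_CODES[digits[:n]] for n in (3, 2, 1) if digits[:n] in COUNTRY_CODES), None)
        if code:
            found.add(code)
    return sorted(found)


def profile(html):
    """Return the signals for one page so a list of candidate domains can be triaged in bulk."""
    p = PageCollector()
    p.feed(html)
    text = " ".join(p.text).lower()
    return {"static_paths_only": static_paths_only(p.hrefs),
            "uae_keywords": sorted(k for k in UAE_KEYWORDS if k in text),
            "country_codes": phone_country_codes(text)}
```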
Is this just a "job scam" network targeting job applicants exclusively?
After reviewing other domains, we’ve detected different categories of cloned websites:
- Government: adedc-ae.com
- Investment: mcei-uae.com, 247megacryptosignal.com, eliteforexxtrading.com
- Financial: denvbk.com, e87mathibelafinancialservices.online, creditgrantaccess.com
- Insurance: umbrellainsurancellc.com
- Ukraine support: givingsupportukr.online
- Medical: westernmedicalspecialisthosp.com, gulfintlmedicalcare.com
- School: sipsad.com
- Suppliers: fivebeansproducts.com
- And others
This would indicate that the scammers are not just targeting job applicants but also operate in different directions and follow world events to scam people out of their money.
About the Author
Abdelkader Ben Ali is a Senior Security Engineer with spiderSilk, an emerging leader in attack surface management and threat detection. Abdelkader is an expert in his field and, before coming to spiderSilk, he was in charge of threat intelligence at ODDO BHF, a Franco-German investment bank. His areas of expertise include monitoring the dark web, underground forums, marketplaces, and Telegram for data leakage and potential attack vectors.