Paul Hempshall

Website Cyber Security Professional

Researching telephone scammers and their website

Published: June 16, 2021 1:32 pm
Last Updated: August 12, 2021 10:18 am

Write-Up OSINT

  1. A brief summary of the events leading up to this research
  2. Dig
  3. WHOIS
  4. Censys
  5. SecurityTrails
  6. AWS IP Address
  7. Social Engineering - Grabify
  8. Final Thoughts
  9. Useful Links

A brief summary of the events leading up to this research

I receive an unsolicited phone call about 'my interest in the financial markets'. Since I do not opt in to marketing calls, this is clearly not a legitimate company; otherwise they would need my marketing consent, and would be able to answer questions regarding GDPR.

After a couple of minutes of speaking to them, I am directed to this website (educationarena.net) for my investment package. This is when I start digging.

I have already established the following:

  • This is not a legitimate company
  • The phone number has a Leeds area code
  • The scammer claims to work for a company in London
  • The scammer claims to be in the London office

Dig

The first thing I usually do is quickly dig the domain name, using Google Admin Toolbox Dig, to see if there are any DNS records that give me a hint as to where the website is hosted. Unfortunately not in this case: the A records point to Cloudflare and the MX records point to Google.

Dig

WHOIS

I then move on to WHOIS to gather the next pieces of information, such as the registrar and historical WHOIS records. I am not expecting much from the registrant information, but it does confirm the registrar and the historical name servers; in this case both point towards Amazon and Amazon AWS.

Whois

Historical Whois

Censys

Using the Censys certificate search we can sometimes find records of IP addresses, but not this time. However, it did show a long list of other scam investment websites that had used the same earlier certificates.

parsed.names: educationarena.net and tags.raw: trusted

Censys Certificates

Censys Certificate Matches

SecurityTrails

Next stop is SecurityTrails to look for historical DNS data. This site gives much more of the information I am looking for: the latest record is Cloudflare IP addresses, followed by a number of older records with Amazon EC2 IP addresses.
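The Dig and SecurityTrails steps above boil down to one question: which of the addresses ever seen for the domain belong to a CDN or mail provider, and which are worth treating as candidate origin hosts? The following script is an added example, not part of the original write-up, that applies that triage to a constructed history shaped like a SecurityTrails export. The Cloudflare ranges are a subset copied in as an assumption (check the published list before relying on it), the dates are invented, and the one non-CDN address is the one named later in this write-up.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/),
# copied in here as an assumption; refresh from the source before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Google Workspace mail exchangers (aspmx.l.google.com and the alt*.aspmx.l.google.com set).
GOOGLE_MX_SUFFIXES = ("aspmx.l.google.com", "googlemail.com")


def is_cloudflare(ip):
    """True when the address sits inside one of the Cloudflare ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify_mx(exchange):
    """Label an MX target as 'google' or 'other' from its hostname."""
    host = exchange.rstrip(".").lower()
    return "google" if host.endswith(GOOGLE_MX_SUFFIXES) else "other"


def candidate_origins(history):
    """history: list of {"first_seen": "YYYY-MM-DD", "a": [ips]}, newest first.
    Returns the de-duplicated addresses that are NOT behind Cloudflare, in order
    of appearance; these are the hosts worth checking directly."""
    seen, out = set(), []
    for rec in history:
        for ip in rec["a"]:
            if not is_cloudflare(ip) and ip not in seen:
                seen.add(ip)
                out.append(ip)
    return out


# Constructed sample: two Cloudflare-fronted records followed by an older direct record.
SAMPLE_HISTORY = [
    {"first_seen": "2021-05-01", "a": ["104.21.50.10", "172.67.180.20"]},
    {"first_seen": "2020-11-15", "a": ["104.21.50.10", "172.67.180.20"]},
    {"first_seen": "2020-03-02", "a": ["18.194.248.87"]},
]
SAMPLE_MX = ["aspmx.l.google.com.", "alt1.aspmx.l.google.com."]

if __name__ == "__main__":
    behind_cdn = [ip for rec in SAMPLE_HISTORY for ip in rec["a"] if is_cloudflare(ip)]
    print("A records behind Cloudflare:", sorted(set(behind_cdn)))
    print("MX providers:", {mx: classify_mx(mx) for mx in SAMPLE_MX})
    print("Candidate origin IPs:", candidate_origins(SAMPLE_HISTORY))
```

Feeding a real SecurityTrails history into candidate_origins() gives you the short list to take into the next step; anything it returns still needs an ownership check (IPInfo, whois) before you draw conclusions about the hosting provider.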

SecurityTrails Historical DNS

Amazon AWS IP Address

Now that we've narrowed the scope down to Amazon EC2, and more precisely to a small list of IP addresses extracted from SecurityTrails, it's time to test them and see whether they respond for the domain by curling each IP address with the Host header set.

I didn't realize until afterwards that my curl testing wasn't quite correct. I should have used the -k flag, requested over HTTPS and got an HTML response.
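The check described above, sending a request straight to a candidate IP while presenting the scam domain in the Host header, with the certificate check switched off as curl's -k does, is shown below as an added example; it is not code from the original write-up. The FakeOrigin class is a constructed stand-in for a shared server that only answers for one virtual host, so the script can be run offline; against a real candidate you would call probe_origin() with the address from the DNS history and the default https settings.

```python
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_origin(ip, hostname, port=443, scheme="https", timeout=5):
    """Request / from `ip` while presenting `hostname` in the Host header.
    For https the certificate is deliberately not verified (curl's -k), because a
    direct-to-origin request usually meets a certificate for another name or a
    self-signed one. Returns a small dict describing what came back."""
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # http.client sends the Host header we supply instead of deriving one from `ip`.
        conn.request("GET", "/", headers={"Host": hostname, "User-Agent": "origin-probe/0.1"})
        resp = conn.getresponse()
        body = resp.read(4096)
        return {
            "status": resp.status,
            "server": resp.getheader("Server"),
            "html": b"<html" in body.lower(),
        }
    except (OSError, http.client.HTTPException) as exc:
        return {"status": None, "server": None, "html": False, "error": str(exc)}
    finally:
        conn.close()


class FakeOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that only answers for one virtual host."""

    SERVED_HOST = "educationarena.net"  # domain from the write-up; the server is made up

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == self.SERVED_HOST:
            status, body = 200, b"<html><body>investment package</body></html>"
        else:
            status, body = 404, b"no such site"
        self.send_response(status)
        self.send_header("Content-Type", "text/html" if status == 200 else "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_local_demo():
    """Start FakeOrigin on a loopback port and probe it with a matching and a wrong Host."""
    server = HTTPServer(("127.0.0.1", 0), FakeOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        hit = probe_origin("127.0.0.1", FakeOrigin.SERVED_HOST, port=port, scheme="http")
        miss = probe_origin("127.0.0.1", "unrelated.invalid", port=port, scheme="http")
    finally:
        server.shutdown()
        server.server_close()
    return hit, miss


if __name__ == "__main__":
    hit, miss = run_local_demo()
    print("matching Host  ->", hit)
    print("unrelated Host ->", miss)
    # Against a real candidate from the DNS history the call would be, for example:
    # probe_origin("18.194.248.87", "educationarena.net")   # https, port 443, cert unverified
```

A 200 with HTML for the right Host and a 404 (or a different site) for a made-up Host is the signal that the address serves that domain; a connection refusal or timeout says nothing either way, since the origin may simply be firewalled to Cloudflare's ranges.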

Curl testing

Anyway, despite not getting exact results from curl, I am convinced this is highly likely the IP address: 18.194.248.87. I was on the phone, so this was enough at the time.

IPInfo

Social Engineering - Grabify

This section was added later, after a subsequent phone call from the same scam.

Whilst on the phone I decided to practise some people skills. I learned about a service called Grabify from watching Jim Browning videos on YouTube. Grabify is a URL shortener that logs IP addresses.

Having built rapport with the scammer simply by taking the time to listen, I asked if they could help me. Specifically, help identify the differences between their website and a scam website.

"Can I send you a screenshot of a website that scammed me? Then you can show me why your company is different." I then sent the Grabify link.

Grabify screenshot of scammer IP address

"How's the weather in Belgrade?"

Final Thoughts

The IP addresses that were found match the domain registrar and previous certificate provider, Amazon. There are other things I could have done, such as running dnsenum.

Here is the list of scam sites associated with this fraud.

  • academyzone.net
  • analystsclass.com
  • analystspro.com
  • analystszone.com
  • arenaderenda.com
  • capital-analysts.com
  • capitalcourses.net
  • education-sites.com
  • educationalcourses.net
  • educationarena.net
  • gainandlearn.com
  • income-guide.net
  • income-pro.net
  • incomementors.net
  • incomepalace.net
  • incometraining.net
  • mentorscenter.net
  • procapitalworld.com
  • profitcourses.net
  • profitmentors.net
  • theacademyarena.com
  • wise-mentors.com
  • worldofincome.net
  • worldofprofit.net

Useful Links

Thanks to the hard work and sharing of others I was able to learn some of these techniques.
