OSINT: Annoying Spam Message Investigation
Don’t you despise receiving unpleasant spam messages from unknown folks in your inbox? Is it a random link sent with malicious or good intentions? It’s difficult to tell on the surface, but luckily I have the intelligence skills to draw my own conclusions.
LET’S BEGIN
The message that arrived in my inbox looks exactly like any other spam communication: a message containing a link that entices people to click on it in order to win a prize or gain something worthwhile. This is a standard strategy used by anyone attempting to promote their goods, but it is always better to be safe than sorry.
The message is written in Brazilian Portuguese, implying that it is intended for people in that region, or for people who have indicated their use of Brazilian Portuguese on social media. The message is translated below.
600,000 people play online at the same time and win a lot! real skill.
Very interesting. Over 99% of the people who play our games are safe, reliable,
fair and open. Play online now. !
Wonderful and unique new winning games such as
PG, FORTUNE TIGER, FORTUNE RABBIT, FORTUNE MOUSE,
GANESHA FORTUNE, FORTUNE OX, LEPRECHAUN RICHES, MINESWEEPERS,
CAISHEN WINS and many more. Different modes from regular games,
you'll definitely be impressed once you've got the hang of it
So the message is meant to entice individuals into playing gambling games for cash prizes. Following the bit.ly shortened link sent along with the message leads to a casino website.
INCONSISTENCIES
Several inconsistencies become apparent on further investigation. The website’s domain was registered on July 26th, 2023, less than a month before the time of writing. Not only that, but the Telegram page and the Instagram account were both launched in July, which is quite suspect for an established gaming platform.
The fact that the original account is only following one account, which is based in the UAE, is not the only anomaly. The domain name is registered in China. Why would websites established in China, with a UAE-based Instagram account, target Brazilians? This is highly questionable.
When you visit the website, the first thing that happens is a popup urging you to download the app, which is pretty suspect. I looked into the APK and discovered that there are several of these on many wj-linked websites.
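Domain age is the first indicator the investigation above relies on. The following is an added example, not code from the original post: it parses a WHOIS record for the creation date and registrant country, computes the domain’s age at a given reference time, and flags the two inconsistencies the post describes (a domain under a month old, and a registrant country that does not match the targeted audience). The WHOIS text is constructed for this example and uses the placeholder domain example.invalid; the creation date and country mirror the facts stated in the post, and the reference date of 2023-08-20 is an assumed “time of writing”.

```python
import re
from datetime import datetime, timezone

# Heuristic threshold: a domain registered within the last month is a red flag.
NEW_DOMAIN_DAYS = 30

# CONSTRUCTED sample WHOIS output for this example (example.invalid is a placeholder).
# The creation date and registrant country mirror what the post reports.
SAMPLE_WHOIS = """\
Domain Name: example.invalid
Registrar: Some Registrar Ltd
Creation Date: 2023-07-26T10:15:00Z
Updated Date: 2023-07-26T10:15:00Z
Registry Expiry Date: 2024-07-26T10:15:00Z
Registrant Country: CN
Name Server: ns1.example.invalid
"""

# Registrars label the creation field differently; match the common variants.
_FIELDS = {
    "creation": re.compile(r"^(?:Creation Date|Created On|Registered On):\s*(\S+)", re.I | re.M),
    "country": re.compile(r"^Registrant Country:\s*(\S+)", re.I | re.M),
    "registrar": re.compile(r"^Registrar:\s*(.+?)\s*$", re.I | re.M),
}


def parse_whois(text):
    """Extract the fields we care about; missing fields come back as None."""
    return {key: (m.group(1) if (m := rx.search(text)) else None)
            for key, rx in _FIELDS.items()}


def parse_date(value):
    """Accept an ISO 8601 string (with 'Z' or an offset) or a datetime; return an aware UTC datetime."""
    if isinstance(value, datetime):
        dt = value
    else:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def domain_age_days(whois_text, as_of):
    """Whole days between the WHOIS creation date and as_of, or None if no creation date was found."""
    created = parse_whois(whois_text)["creation"]
    if created is None:
        return None
    return (parse_date(as_of) - parse_date(created)).days


def assess(whois_text, as_of, expected_audience_country=None):
    """Return parsed fields plus a list of human-readable red flags."""
    fields = parse_whois(whois_text)
    age = domain_age_days(whois_text, as_of)
    flags = []
    if age is None:
        flags.append("no creation date in WHOIS record")
    elif age < NEW_DOMAIN_DAYS:
        flags.append(f"domain registered only {age} days before reference date")
    country = fields["country"]
    if expected_audience_country and country and country.upper() != expected_audience_country.upper():
        flags.append(f"registrant country {country} does not match targeted audience {expected_audience_country}")
    return {"age_days": age, "registrar": fields["registrar"], "country": country, "flags": flags}


if __name__ == "__main__":
    # Assumed "time of writing" for the example; the post only says "less than a month ago".
    report = assess(SAMPLE_WHOIS, "2023-08-20T00:00:00Z", expected_audience_country="BR")
    for flag in report["flags"]:
        print("FLAG:", flag)
```

In practice the WHOIS text comes from `whois <domain>` or a registrar’s RDAP endpoint; the thresholds are heuristics, and a young domain alone is not proof of fraud, only one row of evidence for the matrix below.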
ACH (ANALYSIS OF COMPETING HYPOTHESES)
ACH is an analytic procedure that identifies a comprehensive set of alternative hypotheses, examines each piece of evidence for whether it is consistent or inconsistent with each hypothesis, and then proceeds by eliminating the hypotheses with the most inconsistent evidence, rather than trying to confirm whichever hypothesis appears most plausible at the outset.
This is a very small ACH matrix, but in learning intelligence analysis, it’s always best to practice on incidents you come across in the wild to build up your skills. As shown, a random message turned into the perfect opportunity to help sharpen my skills, so the next time you get a random spam message, don’t be afraid to investigate.
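To make the scoring rule concrete, here is an added example of a small ACH matrix built from the evidence items listed in this post. It is not the author’s own matrix: the three hypotheses and the consistent/inconsistent ratings are the editor’s illustrative judgments, included to show how the method ranks hypotheses by counting inconsistent evidence and which evidence items actually discriminate between them.

```python
# Ratings used in the matrix: consistent, inconsistent, neutral/not applicable.
C, I, N = "C", "I", "N"

# Illustrative hypotheses (editor's choice, not from the original post).
HYPOTHESES = [
    "H1: legitimate casino marketing campaign",
    "H2: scam or fraudulent gambling operation",
    "H3: malware distribution via the APK",
]

# Evidence items are those the post reports; the ratings per hypothesis are
# illustrative analyst judgments for this example.
EVIDENCE = [
    ("Domain registered less than a month before the message",  [I, C, C]),
    ("Telegram and Instagram accounts created the same month",  [I, C, C]),
    ("Instagram account follows a single UAE-based account",    [I, C, N]),
    ("Domain registered in China, audience is Brazilian",       [I, C, C]),
    ("Link shortened with bit.ly, hiding the destination",      [N, C, C]),
    ("Site immediately pushes an APK download",                 [N, C, C]),
    ("Same APK appears on several related sites",               [N, N, C]),
]


def inconsistency_scores(hypotheses, evidence):
    """ACH scoring: count, per hypothesis, the evidence items rated inconsistent with it."""
    scores = {h: 0 for h in hypotheses}
    for desc, ratings in evidence:
        if len(ratings) != len(hypotheses):
            raise ValueError(f"row {desc!r} has {len(ratings)} ratings for {len(hypotheses)} hypotheses")
        for h, rating in zip(hypotheses, ratings):
            if rating == I:
                scores[h] += 1
    return scores


def rank(hypotheses, evidence):
    """Hypotheses ordered from fewest to most inconsistencies; the last ones are rejected first."""
    return sorted(inconsistency_scores(hypotheses, evidence).items(), key=lambda kv: kv[1])


def reject(hypotheses, evidence, max_inconsistent=0):
    """Hypotheses with more than max_inconsistent contradicting items are eliminated."""
    return [h for h, score in inconsistency_scores(hypotheses, evidence).items()
            if score > max_inconsistent]


def diagnostic_evidence(evidence):
    """Rows rated differently across hypotheses; rows consistent with everything do not help discriminate."""
    return [desc for desc, ratings in evidence if len(set(ratings) - {N}) > 1]


def render(hypotheses, evidence):
    """Plain-text matrix with a score row, for pasting into notes."""
    width = max(len(desc) for desc, _ in evidence)
    lines = [" " * width + "  " + "  ".join(f"H{i + 1}" for i in range(len(hypotheses)))]
    for desc, ratings in evidence:
        lines.append(desc.ljust(width) + "  " + "  ".join(f" {r}" for r in ratings))
    scores = inconsistency_scores(hypotheses, evidence)
    lines.append("inconsistent count".ljust(width) + "  "
                 + "  ".join(f"{scores[h]:>2}" for h in hypotheses))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(HYPOTHESES, EVIDENCE))
    print("\nRejected:", reject(HYPOTHESES, EVIDENCE))
    print("Diagnostic evidence:", diagnostic_evidence(EVIDENCE))
```

Note that H2 and H3 survive with the same score; ACH does not force a single winner. The right next step is to look for evidence that would separate the two remaining hypotheses (for instance, what the APK actually does), since the items that are consistent with both are the least useful.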
REMEDIATING THE PROBLEM
If I come across malicious links in the wild, I always report them to the relevant parties responsible for hosting the content and for handling abuse reports. Making the internet a safer place requires action, so reporting links is always my first step in reducing the reach of unlawful actors.