This write-up comes from a long-time SpiderFoot user, Osint_Matter, a senior threat intelligence professional who uses SpiderFoot and other tools to investigate threats targeting their organization. In this post, Osint_Matter investigates a seemingly harmless email from a legitimate-looking recruiter, uncovering a ring of recruitment scam websites performing identity theft, potentially controlled out of China. A great read, along with some useful techniques to learn.
I’m Osint_Matter, an OSINT and threat intelligence professional who has been madly in love with SpiderFoot for a very long time. In my spare time I have developed osintmatter/shortemall, a simple but effective Python tool for unearthing gems and dangers in the little-investigated world of shortened URLs (learn more here).
This story began with an email sent to my personal email address from one Sarah Taylor, Senior Recruiter at a corporate services and headhunting company. There are several elements of interest in the email:
- The email was sent to an email address I use for professional purposes and do not normally use in registrations to online services;
- The email comes from sarah@mhspartners[.]com, a domain that is properly registered and configured in DNS records, ensuring maximum deliverability;
- The content of the email is well written, intentionally vague and adaptable to any context, yet it has none of the links found in typical scam emails and has a professional structure.
Here’s the original email:
From this point, for the purposes of this post, we have a few goals:
- Understand what the infrastructure footprint behind this email looks like in order to extract indicators that serve as a foundation for a broader and deeper analysis.
- Establish whether this email and the entity behind it are legitimate.
- Understand the possible motive or end goal of the sender.
All we have to start with is the domain name of the sending email address (mhspartners[.]com), which is also referenced in the email footer, so let me start there.
The website of mhspartners[.]com appears to be well constructed and rich in information:
However a quick first look at the website reveals some anomalous elements:
- No phone number in the “contact us” section of the website (odd for a recruitment firm);
- Googling their NY address indicates no presence there;
- No privacy statement / T&Cs on the website;
- Website footer claims copyright 2020;
- Logo is generic (from Shutterstock: https://www.shutterstock.com/image-vector/reach-best-job-seekers-logo-premium-1891346494):
Here is the logo utilized on the website:
A simple Google Image search reveals it is an exact copy of a generic logo from Shutterstock:
By running a scan against the domain in SpiderFoot we get a complete picture of the domain’s infrastructure. We see Cloudflare acting as authoritative DNS service and reverse proxy, so we do not know the IP address of the actual server(s) hosting the domain (source: SpiderFoot HX, through its integration with Nuclei). There is of course nothing wrong with this and it is a fairly common setup; however, it limits our information gathering to some extent and requires further and deeper analysis.
The domain has a 15-year history and has had three main periods of activity (2007-2010, 2014-2018, and August 2022 to present). I explored the domain’s full DNS history with completedns.com:
All attempts to identify the origin server behind Cloudflare proved ineffective: checking the SSL certificate fingerprint, footprinting the site’s favicon hash, and searching for sub-domains possibly outside the Cloudflare perimeter (each of these checks can be performed using Censys and Shodan).
Using my email client, I extracted the original headers from the email and submitted them to mxtoolbox (https://mxtoolbox.com/EmailHeaders.aspx) to identify the sender’s source IP. This is very useful when the sending domain is not a free email provider (Gmail, Yahoo, etc.) but a mail server associated with a custom, privately owned domain. Analyzing the SMTP headers reveals a source IP address of 54[.]240[.]8[.]16, an SMTP server hosted on AWS (source: https://mxtoolbox.com/).
It can also be seen that Amazon SES (Simple Email Service) was used to send the email, but the MX records for the domain indicate they use Google for their incoming email infrastructure (source: SpiderFoot HX, DNS module). The email from this domain is dated September 2, the day after the DNS change to Cloudflare nameservers and reverse proxy service.
DNS TXT records come to our aid here, specifically the SPF record for the mhspartners[.]com domain. The record tells us that two IPs and one domain (hosted by Namecheap) are authorized to send mail on behalf of mhspartners[.]com, yet, strangely, there is no mention in the SPF record of the AWS IP that was used. Bulk email services are usually included in the DNS TXT records (source: SpiderFoot HX, DNS module).
Even analyzing the many addresses that lurk among the SPF records below reveals no association with the AWS source IP.
The SPF check actually passes, but against ****@amazonses.com rather than mhspartners[.]com: SPF is evaluated against the envelope sender (Return-Path), which here belongs to amazonses.com, not to the From domain the recipient sees. The most obvious explanation might be the use of one dedicated infrastructure for sending mail and another for receiving it; however, an anomaly remains, because bulk mail services are usually included in SPF records.
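To make the header and SPF reasoning above reproducible offline, here is an added example (not code from the original post, from mxtoolbox or from SpiderFoot) that parses a header block, finds the originating IP in the Received chain, and evaluates a small SPF subset against a dictionary of TXT records. The headers and TXT records are constructed: the mhspartners.com record mirrors the post’s description (two IPs plus one include) but is not the real record; the amazonses.com range, the include target and all hostnames are placeholders; and the evaluator only supports the ip4/ip6/include/all mechanisms.

```python
import ipaddress
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed header sample shaped like the message described in the post. Hostnames,
# queue ids, the Return-Path local part and the receiving side are placeholders.
RAW_HEADERS = """\
Return-Path: <bounce-placeholder@amazonses.com>
Received: from mx.receiver.example (localhost [127.0.0.1])
\tby mx.receiver.example with LMTP id 0001; Fri, 2 Sep 2022 10:00:03 +0000
Received: from out.relay-placeholder.example (out.relay-placeholder.example [54.240.8.16])
\tby mx.receiver.example with ESMTPS id 0002; Fri, 2 Sep 2022 10:00:02 +0000
From: Sarah Taylor <sarah@mhspartners.com>
To: me@receiver.example
Subject: Opportunity
Date: Fri, 2 Sep 2022 09:59:58 +0000

"""

# Constructed TXT records. The mhspartners.com record mirrors the post's description
# (two IPs plus one include) but is not the real record; the amazonses.com range and the
# include target are placeholders (203.0.113.0/24 is a documentation range).
TXT = {
    "mhspartners.com": "v=spf1 ip4:198.54.120.99 ip4:198.54.120.224 "
                       "include:_spf.hosting-placeholder.example -all",
    "_spf.hosting-placeholder.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "amazonses.com": "v=spf1 ip4:54.240.8.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def spf_check(domain, ip, txt=TXT, depth=0):
    """Minimal SPF evaluator over an offline TXT map.

    Handles ip4/ip6, include and all; a, mx, exists, redirect and macros would need
    live DNS and are treated as non-matching here.
    """
    if ip is None:
        return "none"
    if depth > 10:                      # RFC 7208 limit on DNS-querying mechanisms
        return "permerror"
    record = txt.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and arg:
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include" and arg:
            matched = spf_check(arg, ip, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            matched = False
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def originating_ip(msg):
    """Walk the Received chain from the earliest hop upward and return the first public IP.

    Only the hop recorded by your own MX is trustworthy; anything below it can be forged.
    In this sample the earliest hop is the receiver's MX accepting the connection.
    """
    for received in reversed(msg.get_all("Received", [])):
        for candidate in BRACKETED_IP.findall(received):
            addr = ipaddress.ip_address(candidate)
            if addr.is_global:
                return str(addr)
    return None


def analyse(raw=RAW_HEADERS, txt=TXT):
    """Extract the sender picture described in the post from a header block."""
    msg = HeaderParser().parsestr(raw)
    header_from = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    ip = originating_ip(msg)
    return {
        "source_ip": ip,
        "header_from_domain": header_from,
        "envelope_from_domain": envelope_from,
        # A receiving MTA evaluates SPF against the envelope sender (Return-Path)...
        "spf_envelope": spf_check(envelope_from, ip, txt),
        # ...while the From: domain the victim sees never authorised the sending IP.
        "spf_header_from": spf_check(header_from, ip, txt),
        "aligned": header_from == envelope_from,
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:>20}: {value}")
```

Running it prints the two results side by side: the envelope domain (amazonses.com) passes, the From: domain (mhspartners.com) fails, and the two are not aligned, which is the gap DMARC alignment exists to flag. For real headers, trust only the Received line that your own MX added; anything below it was written by the sender and can be forged.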
Going back to the IP 198[.]54[.]120[.]99, included in mhspartners[.]com’s SPF record, we find only one currently active domain hosted there (source: SpiderFoot HX, DNS module):
Analyzing the DNS records of gogoso[.]us, we see that one of the most important Chinese email services, qq.com, is authorized to send email on its behalf (source: SpiderFoot HX, DNS module).
The MX records also confirm the use of a Chinese provider (source: dnslytics.com):
Checking the two IP addresses included in the target domain’s SPF record with talosintelligence.com’s email volume-by-IP service, we can see that the activity from both IPs is concentrated in the period in which the emails under analysis were received, and that the volumes are generally inconsistent, with sudden spikes followed by total drops.
Email volume history for 198[.]54[.]120[.]224:
Email volume history for 198[.]54[.]120[.]99:
Expanding the Footprint
Let’s summarize what we have understood so far: the controller of the domain name and creator of the website launched a campaign of emails, presumably malicious (or at the very least highly suspicious), within hours of relaunching online behind obfuscated, gray infrastructure, presumably to ensure anonymity.
In addition, since the domain has a history of activity spanning more than 15 years, we need to look at the domain’s online footprint and historical evidence to try to separate past (possibly legitimate) activity and data on the domain from more recent (presumably malicious) data.
I then take advantage of SpiderFoot HX’s data cross-referencing and search capabilities to identify an email address historically tied to mhspartners[.]com. This email address has a historical footprint established over the years. I obtained a first and last name from the footprint information on the address itself, thanks to the SEON API that SpiderFoot integrates with.
The email has been seen in a great many data breaches in recent years (source: SpiderFoot HX, SEON module):
Through Google (site:zoominfo.com "Mohamadou Hayatou" "mhs partners") and zoominfo.com (a global recruitment database), we find a reference that includes the subject’s first name, last name, and email address:
We also find very useful information regarding Mhs Partners LLC, linked to the subject, confirming the previous existence of this brand in the same industry as the “new” company: staffing and recruiting.
This latest evidence raised the level of suspicion considerably: no “Mohamadou Hayatou” appears anywhere on the current recruitment website. It seems likely that Mohamadou Hayatou was the domain holder in the past and suffered numerous compromises and data breaches. It’s possible that Hayatou’s business shut down and someone took over the domain name as a quick way to gain reputation.
It is time to return to the company’s current website to explore further anomalies, this time in the “Meet the Team” section. As you may recall, I was contacted by an alleged Senior Executive Recruiter named “Sarah Taylor”; I want to understand more about this suspicious profile.
SpiderFoot HX detects traces of Adobe Photoshop use in the metadata of the photos of the four team members.
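The Photoshop trace SpiderFoot HX reports comes from the image’s embedded metadata, and it can be checked by hand. The following added example (my code, not SpiderFoot’s module) walks a JPEG’s marker segments up to the scan data and reports the tool fields found in an XMP packet (APP1) or the presence of a Photoshop image resource block (APP13). The JPEGs it inspects are constructed in the block itself and are not the team photos from the site; the XMP values are made up.

```python
import re
import struct

XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"   # APP1 payload prefix for XMP packets
PHOTOSHOP_IRB = b"Photoshop 3.0\x00"                # APP13 payload prefix for Photoshop resources
SOI, EOI, SOS, APP1, APP13 = 0xD8, 0xD9, 0xDA, 0xE1, 0xED


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment between SOI and the first SOS.

    Metadata (EXIF, XMP, Photoshop IRB) always precedes the compressed scan, so the walk
    stops at SOS and never touches image data.
    """
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment boundary at offset {pos}")
        marker = data[pos + 1]
        if marker in (EOI, SOS):
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def editing_traces(data):
    """Return (field, value) pairs from XMP (APP1) and Photoshop IRB (APP13) that point to
    image-editing software, the kind of trace the post reports on the team photos."""
    traces = []
    for marker, payload in jpeg_segments(data):
        if marker == APP1 and payload.startswith(XMP_HEADER):
            xmp = payload[len(XMP_HEADER):].decode("utf-8", "replace")
            for field in ("xmp:CreatorTool", "xmp:ModifyDate", "stEvt:softwareAgent"):
                # XMP properties may be written as attributes or as child elements.
                name = re.escape(field)
                pattern = rf'{name}="([^"]*)"|<{name}>([^<]*)</{name}>'
                for attr_val, elem_val in re.findall(pattern, xmp):
                    traces.append((field, attr_val or elem_val))
        elif marker == APP13 and payload.startswith(PHOTOSHOP_IRB):
            traces.append(("APP13", "Photoshop image resource block present"))
    return traces


def build_sample_jpeg(xmp_packet: bytes) -> bytes:
    """Constructed minimal JPEG (SOI + one APP1/XMP segment + EOI). Not a decodable image,
    just enough structure for jpeg_segments() to walk; not taken from the post."""
    payload = XMP_HEADER + xmp_packet
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff" + bytes([SOI]) + app1 + b"\xff" + bytes([EOI])


# Constructed XMP packets: one as an editor would leave it, one without any tool trace.
EDITED_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
              b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
              b'<rdf:Description xmp:CreatorTool="Adobe Photoshop 23.0 (Windows)" '
              b'xmp:ModifyDate="2022-08-30T11:22:33+02:00"/></rdf:RDF></x:xmpmeta>')
CLEAN_XMP = b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF/></x:xmpmeta>'

if __name__ == "__main__":
    for label, packet in (("edited", EDITED_XMP), ("clean", CLEAN_XMP)):
        print(label, editing_traces(build_sample_jpeg(packet)))
```

It deliberately ignores the EXIF Software tag (parsing the TIFF structure would double the block); a fuller check would read that too. Absence of traces proves nothing, since metadata is easily stripped, but an editor’s CreatorTool on a supposed candid headshot is the kind of inconsistency that warrants a reverse image search.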
Using Google Lens to do a reverse image search on the photo of “Sarah Taylor”, a reference appears on a third-party site, but with a different name.
The same applies to the photo of the alleged colleague “Aaron Paul”, which is found on another website in the financial field, again with a different name:
Going to the site identified through the photo of “Sarah Taylor” (worldtalenthiring[.]com), the scam becomes obvious: a different domain and partly different names and subjects, but the same basic content and template:
We also find that the IP hosting this new domain is the subject of reports from various sources, including information regarding malware distribution and C2 (source: SpiderFoot HX, through integrations with VirusTotal, Maltiverse and MetaDefender):
The stream of SSL certificates gives us an indication of the period of activity of this domain and its website (source: crt.sh): roughly from July 2021.
We have found two separate websites presumably operated by the same person or group – maybe there are more? Searching online for a fragment of the homepage text, “building a professional team that comes from all industries and practice areas in order to ensure that we offer personalized solutions to every challenge”, we find another domain: mmwglobalinc[.]com:
Here again we find a website related to the corporate recruiting industry.
Through SpiderFoot HX’s email address extraction module and its integration with Host.io, an email address uniquely tied to the new domain under analysis is discovered; a data point like this can be very useful for long-running investigations and pivoting.
Determining the Scammer’s Goal
Now that we have clearly ascertained that these are fraudulent websites and can assume the likely goal (identity theft through social engineering, since no malicious links or attachments were provided), all that remains is to entice our fraudster by sending a fake CV with fake information and see where the path leads. It doesn’t take long; here is their response:
Here our phantom “Aaron Paul” reappears. It seems the CV is not compliant with an undefined “Applicant Tracking System” (ATS), but not to worry: our friend Aaron already has a solution ready for us; just upload the CV to a paid web service built to prolong the 360-degree capture of the victim’s information and, in the process, extort some money for a phantom CV consultation.
Also worth noting: the phone number in the Whois records for mhspartners[.]com and smartresumeexperts[.]com is the same, +19854014545, and Googling that number yields some interesting findings (source: telguarder.com):
To sum up, let’s try to understand the scammers’ intentions and what elements can be made common knowledge to avoid falling victim to such a scam.
1. Scammers want to obtain as much of our personal and sensitive information as possible; what easier and more effective method is there than an up-to-date CV?
Normally one of the final steps in the interaction between scammer and victim is to send a scan of a personal identity document in order to finalize the recruitment process with the alleged end client.
The purpose of this information gathering appears to be identity theft. Most likely the scammers don’t do direct business in the dark web “fake identity market” but resell to specialized brokers. By engaging the victim in an elaborate recruitment scheme, the scammers not only obtain a complete picture of our professional profile but can also ask for personal documents that could be used to take control of our identity digitally. This is especially dangerous if the target is the company we currently work for, because the scammers now have a pretty clear picture of your role and internal organization.
2. Switching to third-party sites that claim to refine our CV and make it compliant with alleged hiring frameworks is part of the immediate funding of the scam scheme. Few cases will conclude with full identity theft and subsequent malicious action, but in many more cases, in order to comply with an enticing job offer, we will accept a subscription to nonexistent online services such as the one described here.
3. By presenting themselves as a legitimate recruiting firm acting on behalf of large clients (whom they of course cannot name), the scammers use the same modus operandi as legitimate recruiting agencies. They buy time by addressing any doubts of the victim with claims of confidentiality agreements with the nonexistent client. And by not abusing any well-known, established company or brand but instead presenting themselves as intermediaries, they make their sites and services difficult to take down on phishing and abuse grounds. ISPs and registrars would typically not approve domain or website take-downs without clear evidence of abuse and phishing, which this attacker has certainly avoided providing.