Investigating Criminal Websites - Steven Harris - Skopenow 2022


Investigating Criminal Websites

Steven Harris
@nixintel

Steven Harris

● Senior Open Source Intelligence Specialist at QOMPLX
● SANS SEC487 OSINT Instructor Candidate
● Exec Board of The OSINT Curious Project
● Previously a detective in UK law enforcement
Road Map

● Making Links
● Whois
● DNS Records & IP addresses
● Subdomains
● Email addresses
● Analytics Tags
Making Links

Pivoting

● There is no magic button or tool.
● We have to learn how to find a piece of data and then move from there to find links to other useful data sources that help build a bigger picture.
Whois

Whois - mthinvestment.com

Use whoxy.com to search recent and historic WHOIS records.

Whois data is often unreliable, but can provide new leads.

In this case a name, email address, and phone number.
Whois - Pivoting

mthinvestment.com
● Ameh Onuche
● brainboxdesk@gmail.com
● +1.0812315634

Whois - Historical Records

Whois records are often heavily redacted and contain no useful information, especially post-GDPR (2018).

Historical Whois records may still contain useful information.
DNS & IP Addresses

DNS Records - A

Sites like viewdns.info will display the DNS A record.

This reveals the IP address.

DNS Records - A

Ipinfo.io displays information about the IP address.

From this we can identify:

1) Hosting company

2) Hosting country
Who Shares The Same IP?

Many websites can share a single IP address.

Security Trails shows which domains share the same IP address.

Exercise caution when making links in this way.
DNS Records - Pivoting

thestreetfx.com resolves to 217.21.91.51 (Hostinger, Inc)

Other domains on the same IP address:
● dhammaglobal.org
● girlstrendyfashion.com
● yourexam.in
● nowfelcarrentals.com

Be careful!
DNS - SOA

SOA records are often overlooked. Site admin email addresses can be added into the record. In this case micbern0727@gmail.com.

The '@' is replaced with a '.' (so the record shows micbern0727.gmail.com).

We can use this to find other sites linked to the same individual.
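As an added example (not part of the original deck), the Python below decodes the RNAME field of an SOA record back into the admin mailbox by reversing the '@'-to-'.' rule, and also handles the RFC 1035 case where a literal dot in the local part is escaped as '\.'; the SOA record text is constructed here, using the mailbox from the slide, and the name server name is a placeholder.

```python
# Constructed sample, not a real lookup: a zone-file style SOA record for the
# domain on the slide, with the admin mailbox from the slide in the RNAME field.
SAMPLE_SOA = ("thestreetfx.com. 3600 IN SOA ns1.example-dns.net. "
              "micbern0727.gmail.com. 2022010101 7200 3600 1209600 300")


def rname_to_email(rname: str) -> str:
    """Decode an SOA RNAME into a mailbox address.

    RFC 1035 stores the mailbox as a domain name: the '@' becomes the first
    unescaped '.', and a literal '.' inside the local part is written as '\\.'.
    So 'micbern0727.gmail.com.' -> 'micbern0727@gmail.com' and
    'john\\.doe.example.com.' -> 'john.doe@example.com'.
    """
    name = rname.rstrip(".")          # drop the trailing root dot
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped char stays in the local part
            local.append(name[i + 1])
            i += 2
        elif ch == ".":                         # first unescaped dot marks the '@'
            return "".join(local) + "@" + name[i + 1:]
        else:
            local.append(ch)
            i += 1
    return "".join(local)  # no dot at all: not a mailbox, return unchanged


def soa_admin_email(record: str) -> str:
    """Pull the admin mailbox out of a zone-file style SOA record line."""
    fields = record.split()
    # Layout: owner [ttl] [class] SOA mname rname serial refresh retry expire minimum
    idx = fields.index("SOA")
    return rname_to_email(fields[idx + 2])


if __name__ == "__main__":
    print(soa_admin_email(SAMPLE_SOA))   # micbern0727@gmail.com
```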
DNS Records - SOA

With Security Trails we can do an SOA reverse lookup.

This shows two other domains with the same email address in their SOA record.

We can research the email address and the two other domains.
SOA - Pivoting

micbern0727@gmail.com appears in the SOA record of:
● clintonassociatesllc.com
● goodwinconsultsvcs.com
● whitewellcapitalmgmt.com

Subdomains

Domain: example.com

Subdomains:
● mail.example.com
● admin.example.com
● forums.example.com
Subdomains - thestreetfx.com

Using Security Trails we can also find subdomains.

Command line tools like Amass or Sublist3r can also be used.
Subdomains - Pivoting

thestreetfx.com

webmail.thestreetfx.com       2.57.90.58
autoconfig.thestreetfx.com    153.92.2.19
ftp.thestreetfx.com           217.21.91.51
autodiscover.thestreetfx.com  153.92.2.19

Email

Emails

Hunter.io lists emails associated with a domain.

Email Addresses

Email Address - Pivoting

greenfieldscapital.com
● compliance@greenfieldscapital.com
● davidho@greenfieldscapital.com
● monicakl@greenfieldscapital.com

Analytics Tags

Websites use Analytics Tags for marketing purposes like tracking visitor numbers.

They are hidden in the website code.

Analytics Tags are unique identifiers.
Analytics Tags - Builtwith.com
Thank you.
Twitter: @nixintel

Web: www.nixintel.info

Email: nixintel@protonmail.com

LinkedIn: www.linkedin.com/in/steven-harris-nixintel