[Intro to OSINT 1] DogeCoin to the… Low Earth Orbit:
Investigating Cryptocurrency Scams During Your Lunch Break
If you have clicked on a somewhat popular thread on Twitter, chances are you’ve noticed something strange: A tweet appearing to come from Elon Musk replies to the thread excited to share that all SpaceX or Tesla fans are invited to send cryptocurrency to a random wallet and will get their investment doubled. I would normally just report scams like this to twitter so I can get back to reading the hottest takes in infosec twitter. But to celebrate the planned launch of the second crewed Falcon 9 (with the planned launch window opening Friday, April 23 at 5:49AM) I figured it would be an opportunity to share a way anyone can practice their OSINT skills over the course of a lunch break.
Today’s investigation target actually presented itself in a promoted tweet instead of me just happening to stumble across it in a popular twitter thread or making the mistake of using “BTC” and “How do I invest” in the same tweet.
This tweet was in response to a tweet from NASA’s Commercial Crew Twitter account about the upcoming Falcon 9 launch. The scammers are probably trying to take advantage of the uptick in interest in the launch.
The scam is directing potential victims to the domain musk5[.]net. Before taking a look at the domain, let’s see if we can see what other accounts are spreading this scam. While you could simply do a search right within the Twitter web or mobile app for the string “musk5[.]net” (without the brackets), we would still have to manually copy and paste every single user to report them or pivot further. Thankfully, Twint allows me to query Twitter from my terminal without using an API key. I can scape data from any account mentioning that domain and organize it into a csv file. Broken down into a pivot table for easy reporting to Twitter, there are multiple accounts which we can confidently say are part of the same scheme. It would be a bit hard to show this in a screenshot, but this network of scam accounts all tweeted within a 24 hour period from April 21, 2021.
Time to dig into the scam domain itself. We can analyze the site to some degree without ever actually visiting it. First stop: urlscan.io. This tool scans the page we tell it to, and can provide a ton of critical information like hosting info and where scripts are being loaded from. It also provides a snapshot and allows you to download the whole DOM of the site for further inspection. Looking at the screenshot in urlscan.io, the first thing that sticks out to me is it’s pretending to be a Medium article written by Elon. But we are still at the musk.net domain.
RiskIQ PassiveTotal has also only seen this domain starting April 21st resolving at 192[.]64[.]117[.]68 and hosted by NameCheap.
While inspecting the DOM within urlscan.io, the “click this” links direct victims to musk5[.]net/btc, musk5[.]net/eth, musk5[.]net/doge depending on the desired cryptocurrency. Those endpoints can be further scanned to collect other important bits of data, like crypto wallets. Let’s take a look at the bitcoin link.
Hmm, that’s kinda weird. I was expecting to see a crypto wallet address. Maybe it just loads dynamically with the page and wasn’t captured in the scan. Back to the DOM we go and sure enough, there is elements of the page loaded with the crypto address:
1EXxPxM61qCjiLn6YjKqXQxvCVU2Xe7mgg.There are tons of tools available to track Bitcoin transactions and wallet activity. But putting this address into Bitcoin WhosWho shows no current transactions at this time. That isn’t entirely surprising given these accounts only started tweeting yesterday (April 21). Maybe the other ETH and Doge wallets have more activity and would be worth checking out, but our lunch break isn’t that long.
It’s also possible to uncover potentially related scam domains that could be operated by the same scammers. Let’s look for scam sites with similar traits: posing as a Medium article. Returning to the DOM for musk5[.]net, I can see that part of the masquerade involves loading a Medium favicon image.
A great way of finding similar sites to one you’re investigating is to calculate the hash of the favicon, and see what search engines like Shodan have crawled. If a site has an identical favicon, Shodan will show it. The hash itself can be computed with just a few lines of python.
For the uninitiated, Shodan is a service that crawls the internet for connected devices, parses the results, and allows users to perform powerful queries on a global scale. While I tried to make this blog beginner friendly and only use free services, I have always used a premium account, so I am unsure if a free account would show the same results. I highly recommend shelling out the money for the premium account though. There are frequently giveaways by content creators like 0x4rkØ for membership codes, so if you are patient you can surely come by a code for a discount or free.
The Shodan query for favicon hash -768154382 shows a pretty interesting array of results. Every single result on all three pages is a similar crypto currency scam. I was a little surprised to not see actual legitimate Medium infrastructure in there. This could mean the scammers are using their own unique favicon image. Again, that is a very strong “could”.
We can’t conclusively link these scams to the one observed on twitter without spending more time digging into the individual sites. I will also include the NameGuard hosted sites in my report to their abuse team later.
One thing that did raise my eyebrows was the use of the word “airdrop”. Unless that’s some cryptocurrency community phrase, it was commonly used in the 63 results. It was also frequently used in the scraped tweets mentioning the musk5[.]net domain. Again, I am not sure what the significance of this word is in this context, but it can be seen again in the excellent research into cryptocurrency scams published by RiskIQ threat researchers Jordan Herman and Kelsey Clapp. So seeing that come up in a scan of domains could be used to easily scan for cryptocurrency scams (not necessarily just ones disguised as Medium articles).
Summary of What We Accomplished During Lunch
- We can assess with high confidence musk5[.]net is a cryptocurrency scam resolving at 192[.]64[.]117[.]68 and hosted by NameCheap.
- We obtained a list of Twitter users propagating this scam.
- We were able to discover possible related domains using a favicon hash search on Shodan.
- We verified nobody has sent any bitcoin to the scammer’s wallet, and filed an abuse report.
- Ate a delicious sandwich.
- RiskIQ PassiveTotal Community Edition
- Hunting Phishing Websites with Favicon Hashes by Jan Kopriva and Alef Nula
- python script for computing favicon hashes
- Cryptocurrency: Recent Scams and Phishing by Jordan Herman and Kelsey Clapp
- Bitcoin Whos Who
- Reporting scams to NameCheap