WEBVTT

00:00.620 --> 00:04.370
In this video I want to go over an actual investigation.

00:04.370 --> 00:07.790
And again, this is a real investigation.

00:08.090 --> 00:17.150
However, instead of showing you the original email and the process itself and having to

00:17.150 --> 00:27.110
redact images and names and whatnot, I'm just going to go through what happened and also on the investigation

00:27.110 --> 00:32.990
side, so you can actually kind of go through and see how everything you learned in this class

00:32.990 --> 00:34.970
can be actually applied.

00:36.320 --> 00:45.350
Now, this started off as a phishing email with essentially what is an old check-cashing scheme.

00:45.800 --> 00:56.070
Now the old method for this was, for example, you would post a car on a classifieds site like Craigslist or

00:56.070 --> 00:59.910
in the newspaper or both and say you're selling a car.

00:59.940 --> 01:08.100
Someone would mail you a check, so the check would be for the amount of the car, or maybe even a little

01:08.100 --> 01:14.550
above the amount of the car, and they would typically tell you, hey, I really want that car.

01:14.550 --> 01:19.650
I'm willing to pay $500 extra for it just so you sell it to me.

01:19.680 --> 01:20.700
Here's a check.

01:20.700 --> 01:21.810
Go ahead and deposit it.

01:21.810 --> 01:26.010
Give me a call or give me a text message when you deposit it.

01:26.790 --> 01:33.300
And since checks take a while to clear, it could take several days.

01:33.300 --> 01:35.400
It could take a week to clear.

01:37.230 --> 01:41.970
What would happen is when you contact them and say, hey, I deposited your check, they would

01:41.970 --> 01:43.960
say, well, I changed my mind.

01:44.260 --> 01:45.490
I changed my mind.

01:45.490 --> 01:48.700
Give me my money back, wire me my money back.

01:49.000 --> 01:55.390
And what happens is when you wire the money back, of course, again, it would take several days to

01:55.540 --> 01:57.490
over a week for the check to clear.

01:57.490 --> 02:04.360
Once the bank finally looks over that check and realizes, well, that check bounced.

02:04.780 --> 02:09.010
Then you're on the hook for the money that you gave back to that person.

02:09.010 --> 02:11.080
So essentially, you're losing money.

02:11.440 --> 02:14.080
And this is essentially what this attack was.

02:14.080 --> 02:15.910
So let me go over it.

02:16.150 --> 02:27.310
So a couple of people got phishing emails posing as a conference and they had to fill out some information.

02:27.880 --> 02:32.140
So in that information it was a Google form.

02:32.140 --> 02:38.470
And the Google form asked for their name and their email address and password information, which

02:38.470 --> 02:40.990
should have flagged these users.

02:40.990 --> 02:50.020
But since the person was using the guise of authority, the authority of their manager, they went

02:50.020 --> 02:53.920
ahead and filled out the information without really thinking about it.

02:55.660 --> 03:00.880
So because of that, the users fell victim to a credential harvesting attack.

03:00.910 --> 03:05.050
The attackers now had their email address and their login.

03:06.310 --> 03:13.990
So since they had that, the attackers used the emails and all of the contact lists.

03:14.320 --> 03:22.610
And then from there they emailed a bunch of people on their contact list with a job opportunity and

03:22.610 --> 03:24.080
a form to fill out.

03:25.370 --> 03:33.770
So in that form, they didn't ask for their email and password because again, this was a financial

03:33.770 --> 03:34.160
scam.

03:34.160 --> 03:40.280
So what they did ask for was they asked for their name, their personal email address, their phone

03:40.280 --> 03:40.700
number.

03:40.700 --> 03:47.000
Now, it's important that they wanted their personal email address because they wanted to get the victims

03:47.000 --> 03:48.950
off of our network.

03:49.610 --> 03:56.900
Because once you get someone off of a particular platform, say you're talking to someone on Facebook

03:56.900 --> 03:58.880
and they go, hey, do you have WhatsApp?

03:58.880 --> 04:00.620
Let's talk on WhatsApp instead.

04:00.620 --> 04:06.470
They're trying to get you off of something that is more secure to something that is less secure.

04:07.130 --> 04:10.190
So that's what the personal email was for.

04:10.190 --> 04:15.920
They would have the people fill out the form, and when they filled out the information, they would

04:15.920 --> 04:17.360
send them a text message.

04:18.200 --> 04:22.400
And in the text message they would give them information about this job opportunity.

04:22.430 --> 04:24.830
Hey, you can make, you know, this money real quick.

04:24.830 --> 04:25.880
And you know what?

04:25.880 --> 04:29.630
We're going to give you $300.

04:29.810 --> 04:32.840
And the amount changed as it went on.

04:33.890 --> 04:39.930
Start off with $300 and go ahead and deposit that check.

04:39.930 --> 04:47.040
So they sent an actual text message with a picture of a check, and they told them, go ahead and

04:47.040 --> 04:49.860
deposit this in your bank.

04:49.860 --> 04:52.110
And when you deposit, let us know.

04:52.500 --> 04:57.360
So once the check was deposited, the scammers would rescind the job opportunity.

04:57.360 --> 05:06.120
So again this is just like the older check-cashing scheme that they would mail out.

05:06.330 --> 05:10.950
This was just done much more efficiently because it was through a text message, which is much quicker.

05:11.460 --> 05:17.190
And again, since it wasn't a real deposit, the person would lose their money once they give the money

05:17.190 --> 05:17.910
back.

05:19.530 --> 05:28.290
So on the investigation side, I checked the email and, as it was a generic Gmail email address, it was

05:28.290 --> 05:29.910
a little bit harder to check.

05:30.120 --> 05:32.790
So it was a newly created Gmail account.

05:32.790 --> 05:39.660
Just for this attack; it wasn't in any data breaches, it wasn't used anywhere else and whatnot.

05:40.950 --> 05:48.000
Did a reverse phone lookup on the text message number, so the number was not a VoIP number in this case.

05:48.000 --> 05:50.910
So that was very useful.

05:51.660 --> 05:58.650
Checking the voice message using Spy Dialer, it routed to a Google Voice number.

05:58.650 --> 06:04.830
So because it ran to a Google Voice number, it gave a little bit of anonymity.

06:04.830 --> 06:10.680
But again, this was not a VoIP number, it was an actual T-Mobile number in this case.

06:12.270 --> 06:18.790
So I ran the phone number through a reverse number lookup, from which I got the name.

06:18.790 --> 06:24.520
Now, I ran this through multiple reverse phone number lookups in order to validate that information.

06:24.520 --> 06:29.200
And again, it is very important to validate any information that you find.

06:29.200 --> 06:33.040
Because that information might be old, it might be invalid.

06:33.310 --> 06:37.540
So getting that information I verified the name and the carrier.

06:38.440 --> 06:48.340
I then did a name lookup, found the name, address, family members, neighbors, etc., and again validated

06:48.340 --> 06:55.660
that information on other sources, multiple sources, and I was able to verify the credibility of that

06:55.660 --> 06:56.650
information.

06:57.100 --> 07:05.720
So having that information, the name and address, I then went to Google Maps and Street View to look up

07:05.720 --> 07:08.150
the satellite views for that property.

07:08.750 --> 07:12.050
So I took some images of the property.

07:12.320 --> 07:19.970
Got an idea of their location, did a property record lookup in their state and county.

07:20.510 --> 07:23.390
Also did a criminal lookup on that person.

07:23.660 --> 07:28.730
So in this case, there were no criminal hits in the state database.

07:28.730 --> 07:29.600
And that's important.

07:29.600 --> 07:33.860
I checked the person's state that they currently lived in.

07:34.790 --> 07:38.780
Now, that doesn't mean that they've never done any crimes.

07:38.780 --> 07:45.590
It just means that either they never did any crimes in that state; it could have been another state.

07:45.590 --> 07:47.780
I could expand that search out.

07:47.780 --> 07:50.690
Or maybe they never got caught for anything.

07:52.250 --> 07:53.240
So.

07:53.240 --> 07:58.370
And also I went a little bit further, did things like looking up their voter records to see where they

07:58.370 --> 08:04.790
registered to vote and whatnot, just to get a better idea of who these people were.

08:05.750 --> 08:16.460
So collecting that information, the outcome was that this may be the actual attacker that perpetrated this,

08:17.390 --> 08:23.630
or they could possibly be the victim of SIM swapping, meaning that someone could have cloned the

08:23.630 --> 08:31.160
SIM of that phone and done these attacks, especially since it wasn't a VoIP number, that

08:31.160 --> 08:39.110
means that they were either, again, a victim of SIM swapping, or they were very careless, and ultimately

08:39.110 --> 08:45.990
the information was handed off to law enforcement because, again, this is a legal issue.

08:45.990 --> 08:47.640
It's a financial scam.

08:47.640 --> 08:58.350
So this is detailing a real-life scam and a real-life investigation to kind of show you how you could

08:58.350 --> 09:03.000
take the different tools and methodologies that you learned in this course and actually apply them in

09:03.000 --> 09:04.080
real life.

09:04.170 --> 09:05.640
Hope this was useful.

09:05.640 --> 09:06.780
Thanks for watching.

09:06.780 --> 09:08.130
I'll see you in the next video.
