Guide to dealing with fraudster's pipeline

I Figured someone should’ve made a guide to this so, I’ve made a Video detailing this. However this is a written release of whats to come…

DEFINE “THE FRAUD PIPELINE”: In terms of other pipelines such as oil, natural gas this is the same concept. It refers supply flow in a demanding market. Basically, After attacker has gotten their data rather through phishing, social engineering or cracking/credential stuffing they’ll go on to sell the product. The pipeline flows in a way as follows.

Attacker gets data ----> Posts to a website, forum or IM client -----> Buyers Pay for the data -----> Attacker profits ------> Attacker Launders the proceeds then cashes out.


Follow the money, Follow the People and Follow the Data.
This isn’t a hard concept and scammers regardless of power/notoriety aren’t immune from human error. Use this to your advantage. they’ll try to patch what seems to be the largest error but they’ll often forget the smallest yet most powerful exploit that shuts them down

ClearNet Vs Tor Hidden Services How to legally/ethically shut them down.

Obviously sqli and xss aren’t going to be used here due to them being illegal. If The fraudsters aren’t bright then they’ll leave the DB Exposed.

First method of attack is checking google and other search engines for possible problems with the website. Don’t forget to check the source of the webite or use inspect element as skiddish as that sounds… Don’t worry sometimes directories can be spotted that might open up new ones as you look through them. Find where pictures are being stored and loaded from and what not.

Websites for scanning the site for possible owners, IP Leaks and other things.
You’ll run into a problem with trying to find info with the first method no doubt. Most scammers deploy Cloudflare to hide the IP of the server (This is not so hard to get down).

here’s a few websites you can use to scan a website:

What about Tor Hidden Services?
There’s a subdomain check and a few sub directories you can check to see if they’re around.

Subdomain is: test.
Your sub directories are /test /server-status /server-info & /cpanel
First you should use the subdomain, if you get a cpanel then it’s obvious what you should use.
/server-status and /server-info are 2 things nobody should ever leave open.

However despite the 2 major sub directory leaks, /cpanel can yeild a VPS Provider and server name.

If all else fails you have social engineering
Scammers aren’t bright, let’s pose the a great method here… If they wanna talk on “Telegram” See if you can get them to tox or ICQ. You want them on a P2P IM Client so you can see if they’re using a VPN or not. P2P Clients for those who don’t know leak IPs as your connecting directly with the client your speaking to. If they refuse to use “Tox” try to social engineer them with: “I Would use telegram but it logs IPs and I don’t trust Telegram not to backdoor itself, Refer to signal’s “Anti-Spam” Feature” Make them think your not joking and say that you want a decentralized platform.

If they leak their IP, you should know where the fraudsters are. Now remember social engineering isn’t a 100% thing but Fraudsters love customers but hate losing profits. Just tell them you’re expecting $5000 or so and your looking to buy but keep them hooked and be respectful and understand what your talking to them about. I might provide some guidance so you can get the hand of some of the slang and questions to ask.

Your goal is to lure scammers into a trap where you can gather information without having any problems with requesting data from a company. Learn the way the speak, watch for inconsistencies, get to know the dealer and what not. Small talk and shit like that.

Just some stats
I Did these groups/People/Websites in with Social Engineering
Lockbit ransomware (Ongoing)
Tiger CC Shop (Being DDoSed for 3 very close to 4 days straight).
4+ Cyber criminals

Non-Social Engineering stats to date.
Tor Hidden Services exposed: 15 via /cpanel & 2 IP Leaks.
IPs gathered via social engineering people who “Wanted to rat People”: 250 People.
Identities exposed via lack of care/opsec: 14 people.

Remember phishing/spam mail has a goal set, They want data… Follow the data and burn it’s ability to be used.

Video is being edited right now.

2 Likes

@thunder thanks for updating this…