Spider Silk
During one of our recent internet-wide scans using the spiderSilk platform, Resonance, we identified
many key companies operating in the same field whose websites share the same template and content; only
the logos and contact information differ. This was really suspicious! We therefore dug deeper into this
finding and uncovered a significantly diverse and broad scam network.
In this article, we will explain how we uncovered the scam and then walk through our analysis.
Disclaimer: In this research, we are providing information about the infrastructure and modus operandi of
malicious actors; no personal information was exposed.
Table of contents
The SCAM
Job scams
The Analysis
Resonance
Search engines
Passive DNS
Reverse Whois
Expanding the scope
Identifying all internet domains that are using hostnownow.com as their Name Server
Identifying potential scam domains
Targeted geolocations
Is this just a "job scam" network targeting job applicants exclusively?
The SCAM
Let’s first walk you through the scam and how it normally plays out. Below are examples of legitimate and
fake websites that we have identified. Notice that the fake company websites are clones of legitimate websites.
Gulf Energy SAOC (website: www.gulfenergy-int.com, employees: 1025), an affiliate of National Energy
Services Reunited (NESR), is a well-known oilfield services company in the Middle East and North Africa
regions.
Gulf-Shore Energy Petroleum LLC (website: gulfshore-energy.com/) is a non-existent company using Gulf
Energy SAOC website content:
Let's dive in and understand the reason behind the creation of the fake websites.
On LinkedIn the search for “Gulf-Shore Energy Petroleum LLC” (the fake company) was unfruitful and we
didn’t find any mention of it.
On the other hand, searching for the “Gulf-Shore Energy Petroleum LLC” on Google, we identified the
following job offer:
A non-existent company offering a job is very suspicious, so let’s look up another fake company: Sheikh
Mussafah Oil & Gas Group (sheikhmussafahoilgroup.com) to get more insights.
By searching for “Sheikh Mussafah Oil & Gas Group” on Google, we found that one of the first results to
appear is a career page where job seekers can apply for jobs.
We also found that this fake company was reported twice on the “Scam Watcher” website
(https://www.scamwatcher.com/) as a suspected job scam:
https://www.scamwatcher.com/scam/view/494199
https://www.scamwatcher.com/scam/view/495953
Both fake companies appear to be offering jobs. To uncover how the scam takes place, let’s search for the
travel agency: “Airfly Immigration Services Abu Dhabi” that was mentioned in the job offer:
As we are dealing with a job offer, LinkedIn would be a very valuable source of information as it is a popular
platform for job seekers who might discuss the job offers they have received.
Strangely, there was no company profile for that travel agency on LinkedIn:
While there is no company profile, we can find posts on LinkedIn. After our analysis, we discovered that the
travel agency is fake and is operated by scammers. It also appears to be part of another job scam, this time
branded as “SHEIKHZACDIC OIL AND GAS COMPANY” (www.sheikhzacdicoil.com). They asked their victims to pay
fees ranging from 2 to 3 thousand dollars to cover the “Immigration Services” for the individual or for the family.
So let's recap: scammers target job seekers by creating fake company websites and offering high salaries to
candidates without an interview. They then ask the candidates to contact a fake travel agency (also operated
by them) to obtain a visa and health insurance, and the agency requests a payment for the visa and travel
fees.
Job scams
What is a job scam?
Job scams occur when criminals trick victims into thinking they have gotten a job or promise them a job by
posing as employers/recruiters.
Scammers take advantage of their authority as potential employers and ask their victims to either transfer
money so they can manage their visa and health insurance, or provide them with their personally identifiable
information.
According to the FBI's Internet Crime Complaint Center, 16,012 people reported being victims of job scams in
2020, with losses amounting to more than $59 million.
What is the impact of job scams?
The impact of job scams varies depending on what the scammers get from their victims.
Your money
The impact can be a financial loss if the victim only transfers money. But providing personal information such
as photo ID or driver's license, bank account numbers and account information, social security number, home
address, and phone number may result in identity theft.
Always do an online search: search the company name, the employer, or the recruiter on Google (plus the
word ‘scam’, ‘review’, or ‘complaint’), LinkedIn, and Scamwatcher and see what pops up
Don't trust a job offer that sounds too good to be true: big pay for minimal skills
Do not pay for the promise of a job: if you are asked to pay visa, relocation, and insurance costs, then it is
most likely a scam
Do not provide your bank details to a potential employer: a legitimate employer will only ask for your
bank details after you officially join the company
Do not accept an offer when you did not apply: in some cases, you may receive an email or phone call
stating that you are hired for a job for which you did not apply; this is definitely a scam
Do not share your social security number or other PII that may be used to access your accounts with
anyone who does not need to know this information
Connect with the company: when you see a job posting on social media purporting to be from a
company, you can email the company asking if the posting is legit before applying
The Analysis
The starting point for our analysis is a set of fake companies that operate in the UAE (you can find some of
them below):
Now let's use a few different OSINT tools and techniques to uncover the scam network. This time we will be
using:
Search engines
Passive DNS
Reverse whois
A few others
Resonance
Resonance is a powerful platform that continuously scans 4.29 billion IP addresses, helping organizations
gain visibility into their assets and relevant security findings about them. Resonance has a powerful machine-
learning engine that can identify relationships between all internet domains. This means that we can uncover
hundreds of fraudulent domains starting with just 1 domain.
Search engines
Let’s access the scam website, extract phone numbers, and email addresses, check the “about us” page, and
then search for that information using a few search engines such as Google and Bing to identify similar scam
sites.
By searching Google for the content found on the “about us” page, without “DHL Express UAE”, we identified 3
additional fake companies!
https://airconecttexpresdl.com/
https://www.escalateexpressdll.com/
https://bdcl-us.com/
Search engines are very powerful: we started with 1 scam website and ended up with 4 of them, which is
amazing!
Passive DNS
Here we identify the domain IP address, then search passive DNS services such as VirusTotal and Mnemonic
to identify co-hosted domains that may also be related to the same scam.
We start by identifying the hosting server IP address; in this case, it’s 66.147.236.12.
By searching Mnemonic, we identified that there are 989 domains hosted on the same server:
Note: As we found multiple job scam domains using hostnownow.com, a Nigerian hosting company, as their
name server, we can assume that they are all operated under the same scam umbrella.
Reverse Whois
While a whois lookup consists of identifying information such as domain registrar, registration date, and
registrant contact information from a domain name or IP address, a reverse whois lookup consists of retrieving
all domains that are connected to a given identifier such as registrant name, email address, or phone number.
The first thing that we notice is that the domain also uses "hostnownow.com" as a name server.
Now we will perform a reverse whois lookup by searching for domains registered by email address:
[email protected]. We can use multiple sources such as Whoxy.com, Intelx.io and viewdns.info.
Whoxy uncovered 7 domains registered by the same email address, including umbrellainsurancellc.com. With
that information we can see that all these job scams are operated by the same people:
Domain                             Registrar     Name Server           Hosting provider  MX                        We pa
gulfshore-energy.com               OwnRegistrar  hostnownow.com        Hostrocket        gulfshore-energy.com      .ht ext or
sheikhmussafahoilgroup.com         NameCheap     Namecheaphosting.com  NameCheap         Zoho                      .ht ext or
ehelpconsultant.com                OwnRegistrar  hostnownow.com        Reliablesite      ehelpconsultant.com       .ht ext or
duramtravels.com                   OwnRegistrar  hostnownow.com        Hostrocket        Zoho                      .ht ext or
summerlinktravel.com               NameCheap     Namecheaphosting.com  NameCheap         Zoho                      .ht ext or
southseaenergyllc.com              OwnRegistrar  hostnownow.com        Reliablesite      southseaenergyllc.com     .ht ext or
umbrellainsurancellc.com           OwnRegistrar  hostnownow.com        Hostrocket        Zoho                      .ht ext or
gulfintlmedicalcare.com            OwnRegistrar  hostnownow.com        Reliablesite      gulfintlmedicalcare.com   .ht ext or
westernairimmgration.com           OwnRegistrar  hostnownow.com        Hostrocket        westernairimmgration.com  .ht ext or
dhlexpressuae.com                  OwnRegistrar  hostnownow.com        Hostrocket        dhlexpressuae.com         .ht ext or
iconiqueimmigration.com            OwnRegistrar  hostnownow.com        Hostrocket        Zoho                      .ht ext or
panemiratesimmigrationservice.com  OwnRegistrar  hostnownow.com        Hostrocket        Zoho                      .ht ext or
Almost all domains use hostnownow.com (Nigerian provider) as their Name Server.
Due to the different MX records and Hosting providers, we will focus our analysis on name server and website
paths.
Identifying all internet domains that are using hostnownow.com as their Name Server
To perform the security research we use ICANN CZDS (Centralized Zone Data Service) to obtain zone files
from different TLDs.
A zone file is a text file that contains mappings between the TLD domains and the respective name servers,
as seen in the following picture:
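The name-server pivot described in this section can be sketched as follows. This is an added example, not spiderSilk's own code: it assumes each zone file line has the five-field "owner ttl class type rdata" layout, and every domain in the sample other than hostnownow.com is a constructed placeholder.

```python
from collections import defaultdict

# Constructed sample in the master-file style of a TLD zone file.
# All names other than hostnownow.com are made-up placeholders.
SAMPLE_ZONE = """\
; constructed sample, not real zone data
com. 900 in soa a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
example-one.com. 172800 in ns ns1.hostnownow.com.
example-one.com. 172800 in ns ns2.hostnownow.com.
EXAMPLE-TWO.com. 172800 IN NS NS1.HOSTNOWNOW.COM.
example-three.com. 172800 in ns ns1.nothostnownow.com.
example-four.com. 172800 in ns dns1.registrar-servers.com.
example-five.com. 172800 in ns hostnownow.com.evil.example.
ns1.hostnownow.com. 172800 in a 192.0.2.10
example-six.com. 86400 in ds 12345 13 2 ABCDEF
"""


def under(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it (label-aligned)."""
    name, parent = name.rstrip(".").lower(), parent.rstrip(".").lower()
    return name == parent or name.endswith("." + parent)


def domains_delegated_to(zone_lines, ns_parent):
    """Map each delegated domain to its name servers that sit under ns_parent."""
    hits = defaultdict(set)
    for line in zone_lines:
        fields = line.split(";", 1)[0].split()  # drop comments, split on whitespace
        # Assumed record shape: owner ttl class type rdata...
        if len(fields) < 5 or fields[2].lower() != "in" or fields[3].lower() != "ns":
            continue  # SOA, A/AAAA glue, DS and malformed lines are ignored
        owner, target = fields[0], fields[4]
        # Label-aligned match: "nothostnownow.com" and
        # "hostnownow.com.evil.example" must not count as hits.
        if under(target, ns_parent):
            hits[owner.rstrip(".").lower()].add(target.rstrip(".").lower())
    return {domain: sorted(ns) for domain, ns in sorted(hits.items())}


if __name__ == "__main__":
    found = domains_delegated_to(SAMPLE_ZONE.splitlines(), "hostnownow.com")
    for domain, servers in found.items():
        print(domain, ",".join(servers))
```

For a real zone file, pass the open file object instead of the sample lines so the records are streamed rather than loaded into memory.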
2242 of them are DOWN (some of them already have “account suspended” warning present)
Top 10 registrars
ownregistrar.com 726
PublicDomainRegistry.com 105
namecheap.com 89
dynadot.com 45
namesilo.com 38
publicdomainregistry.com 15
registrar.eu 6
porkbun.com 5
godaddy.com 4
1api.net 3
As you can see, over 70% of potential scam domains were registered through ownregistrar.com. Looking for
reviews on websites such as Trustpilot, we found bad reviews where people mention that the company
ignores abuse reports and doesn’t take down malicious domains:
Top 10 IP addresses
104.194.10.93 153
66.147.238.212 138
104.243.35.168 137
66.147.239.119 133
66.147.236.12 119
66.147.230.55 114
104.194.9.178 101
66.147.238.174 93
66.147.238.157 61
199.59.243.220 1
Multiple IP reputation and threat intelligence sources already flagged most of these IP addresses as
malicious.
For example, the IP address 104.194.10.93 was flagged as related to “web app attacks”, “hacking”, and
“scanning activities” by the AbuseIPDB community:
The same IP address was also flagged as related to phishing and investment scams by the
VirusTotal community:
Email address [email protected] is related to scammers and all the 10 domains registered by that email
are scam websites:
Now we can perform reverse whois lookups on the identified scammer email addresses to find scam
domains that are currently down, and then use Google Cache and the Wayback Machine to get historical content
and keep pivoting to expand the scope further.
Targeted geolocations
By running a keyword search (UAE, u.a.e, United Arab Emirates, +971, dubai, abu dhabi, ...) on the 1050
potential scam domains, we identified 188 domains that operate in the UAE.
We also fetched other scam domains and identified many phone numbers with different country codes (+44,
+1, +49, +27, +36, ...), which would indicate that it is a worldwide scam.
Government: adedc-ae.com
Insurance: umbrellainsurancellc.com
School: sipsad.com
Suppliers: fivebeansproducts.com
And others
This would indicate that the scammers are not just targeting job applicants but also operate in different
directions and follow world events to scam people of their money.