An OSINT Analysis of a region focused job scam

During one of our recent internet-wide scans with Resonance, the spiderSilk platform, we identified many
companies operating in the same field whose websites share the same template and content; only the logos
and contact information differ. That was suspicious, so we dug deeper into the finding and uncovered a
broad and diverse scam network.

In this article, we will explain how we uncovered the scam and then walk through our analysis.

Disclaimer: this research describes the infrastructure and modus operandi of malicious actors; no personal
information is exposed.

Table of contents

The SCAM
Job scams
  What is a job scam?
  What is the impact of job scams?
  How to protect yourself from job scams?
The Analysis
  Resonance
  Search engines
  Passive DNS
  Reverse Whois
  Expanding the scope
  Identifying all internet domains that are using hostnownow.com as their Name Server
  Identifying potential scam domains
  Targeted geolocations
  Is this just a "job scam" network targeting job applicants exclusively?
About the Author

The SCAM
Let's first walk through the scam and how it normally plays out. Below are examples of legitimate websites
and the fake websites we identified; note that each fake company website is a clone of a legitimate one.

Legitimate company                                        Fake company (clone)
Gulf Energy SAOC: www.gulfenergy-int.com                  Gulf-Shore Energy: gulfshore-energy.com
HEISCO: www.heisco.com                                    Sheikh Mussafah Oil & Gas Group: sheikhmussafahoilgroup.com
Royal Route Travel Agency LLC: www.royalroutetravel.com   E-Help Consultancy & Migration Services-UAE: ehelpconsultant.com
Travco UAE: travcotravel.ae                               Iconique Immigration Services LLC: iconiqueimmigration.com
                                                          Pan-Emirates Immigration Services LLC: panemiratesimmigrationservice.com
Tour Solution 4U LLC: toursolutions4u.com                 Duram Travel Agency: duramtravels.com
Adventure Leisure Tourism: www.altdubai.com               SummerLink Travel and Tourism LLC: www.summerlinktravel.com
Galaxy Insurance Brokers: www.galaxyinsurance.ae          Umbrella Insurance & Underwriters LLC: umbrellainsurancellc.com

Gulf Energy SAOC (website: www.gulfenergy-int.com, about 1,025 employees), an affiliate of National Energy
Services Reunited (NESR), is a well-known oilfield services company in the Middle East and North Africa.
Gulf-Shore Energy Petroleum LLC (website: gulfshore-energy.com) is a non-existent company that reuses
Gulf Energy SAOC's website content:

Let's dive in and understand the reason behind the creation of the fake websites.

On LinkedIn, a search for "Gulf-Shore Energy Petroleum LLC" (the fake company) was fruitless: there was no
mention of it at all.

Searching Google for the same name, on the other hand, turned up the following job offer:

A non-existent company offering a job is very suspicious, so let's look up another fake company, Sheikh
Mussafah Oil & Gas Group (sheikhmussafahoilgroup.com), for more insight.

Searching Google for "Sheikh Mussafah Oil & Gas Group", one of the first results is a careers page where
job seekers can apply for jobs. We also found that this fake company had been reported twice on the Scam
Watcher website (https://www.scamwatcher.com/) as a suspected job scam:

https://www.scamwatcher.com/scam/view/494199

https://www.scamwatcher.com/scam/view/495953

Both fake companies appear to be offering jobs. To uncover how the scam works, let's search for the travel
agency mentioned in the job offer, "Airfly Immigration Services Abu Dhabi":

Since we are dealing with a job offer, LinkedIn is a valuable source of information: it is a popular platform
for job seekers, who may discuss the offers they have received.

Strangely, there was no company profile for that travel agency on LinkedIn. There were, however, posts
mentioning it, and after analysing them we concluded that the travel agency is fake and operated by the
scammers. It also appears in another job scam, this time branded as "SHEIKHZACDIC OIL AND GAS COMPANY"
(www.sheikhzacdicoil.com). Victims were asked to pay fees of 2,000 to 3,000 dollars to cover "immigration
services" for themselves or for their families.

To recap: the scammers target job seekers by creating fake company websites and offering high salaries
without an interview; they then direct the candidate to a fake travel agency (also operated by them) to
arrange the visa and health insurance, and the agency requests payment for the visa and travel fees.

Job scams
What is a job scam?

Job scams occur when criminals trick victims into thinking they have gotten a job or promise them a job by
posing as employers/recruiters.

Scammers exploit their apparent authority as potential employers and ask victims either to transfer money so
that the "employer" can arrange their visa and health insurance, or to hand over personally identifiable
information.

According to the FBI's Internet Crime Complaint Center, 16,012 people reported being victims of job scams in
2020, with losses amounting to more than $59 million.
What is the impact of job scams?

The impact of job scams varies depending on what the scammers get from their victims.

Typically, job scammers are interested in two main things:

Your money

Your personal information

The impact is a financial loss if the victim only transfers money. Providing personal information such as a
photo ID or driver's licence, bank account numbers and account details, social security number, home
address and phone number may additionally result in identity theft.

How to protect yourself from job scams?

The following tips help you avoid getting scammed:

Always do an online search: look up the company, the employer or the recruiter on Google (together with the
word "scam", "review" or "complaint"), on LinkedIn and on Scamwatcher, and see what comes up.

Don't trust a job offer that sounds too good to be true: big pay for minimal skills.

Do not pay for the promise of a job: if you are asked to pay visa, relocation or insurance costs, it is almost
certainly a scam.

Reject offers that require no experience.

Do not give your bank details to a potential employer: a legitimate employer will only ask for them after you
have officially joined the company.

Do not accept an offer for a job you did not apply for: an email or phone call saying you have been hired for
a job you never applied for is definitely a scam.

Do not share your social security number or other PII that could be used to access your accounts with anyone
who does not need it.

Contact the company directly: when you see a job posting on social media purporting to be from a company,
email the company and ask whether the posting is genuine before applying.

The Analysis
The starting point for our analysis is a set of fake companies operating in the UAE (some of them are listed
below):

gulfshore-energy.com (email: [email protected], phone: +971567217845)

sheikhmussafahoilgroup.com (email: [email protected], phone: +971526024849)

ehelpconsultant.com (email: [email protected], phone: +971524256573)

duramtravels.com (email: [email protected], phone: +971521881096)

summerlinktravel.com (email: summerlinktravel.com, phone: +971505860558; +971586576808)

southseaenergyllc.com (email: [email protected], phone: N/A)

umbrellainsurancellc.com (email: [email protected], phone: N/A)

gulfintlmedicalcare.com (email: [email protected], phone: +971522956025)

westernairimmgration.com (email: [email protected]; [email protected], phone: +971551275296)

dhlexpressuae.com (email: [email protected], phone: +97152226464)

iconiqueimmigration.com (email: [email protected], phone: +971589714537)

panemiratesimmigrationservice.com (email: [email protected], phone: +971558561934)

Now let's use a few different OSINT tools and techniques to uncover the scam network. We will be using:

Our own platform, Resonance

Search engines

Passive DNS

Reverse whois

A few others

Resonance

Resonance is a platform that continuously scans the whole IPv4 space (4.29 billion addresses), giving
organisations visibility into their assets and the security findings that relate to them. Its machine-learning
engine identifies relationships between internet domains, which means we can uncover hundreds of fraudulent
domains starting from a single one. Click HERE if you are interested in a demo of spiderSilk Resonance!

Search engines

Let's open the scam website, extract its phone numbers and email addresses, read the "about us" page, and
then search for that information (as exact phrases) in search engines such as Google and Bing to identify
similar scam sites.

Let’s take dhlexpressuae.com as a starting point:

Searching Google for the "about us" text with "DHL Express UAE" removed, we identified three additional fake
companies:

https://airconecttexpresdl.com/

https://www.escalateexpressdll.com/

https://bdcl-us.com/

Search engines are powerful: we started with one scam website and ended up with four.

Passive DNS

Here we resolve the domain to its IP address, then query passive DNS services such as VirusTotal and Mnemonic
for co-hosted domains (other domains that resolve, or used to resolve, to the same address) that may belong
to the same scam.

Let’s take gulfshore-energy.com as a starting point.

We start by resolving the hosting server's IP address; in this case it is 66.147.236.12.

Querying Mnemonic's passive DNS, we found 989 domains hosted on the same server:

One of the first things we noticed is that duramtravels.com, umbrellainsurancellc.com and
iconiqueimmigration.com (fake domains from our starting set) are hosted on the same server as
gulfshore-energy.com.

Note: several of the job scam domains use hostnownow.com, a Nigerian hosting company, as their name server.
A shared hosting provider is weak evidence on its own (a server with 989 tenants will host plenty of unrelated
customers), but together with the cloned templates, the shared server and the registrant data in the next
section it supports the assumption that they are operated under the same scam umbrella.

Reverse Whois
A whois lookup returns the identifying information recorded for a domain name or IP address, such as the
registrar, the registration date and the registrant's contact details. A reverse whois lookup does the
opposite: it returns every domain connected to a given identifier such as a registrant name, email address or
phone number.

Let’s take ehelpconsultant.com as a starting point.

Whois output for the domain is the following:

Registrar: OwnRegistrar, Inc.

Registered On: 2022-08-05

Name Servers: ns23.hostnownow.com; ns24.hostnownow.com

Registrant name: pere musa

Registrant email address: [email protected]

Registrant Phone: +234-504730043

Registrant country: Nigeria

The first thing that we notice is that the domain also uses "hostnownow.com" as a name server.

Now we perform a reverse whois lookup on the registrant email address [email protected], using sources such
as Whoxy.com, Intelx.io and viewdns.info. Whoxy returned 7 domains registered with that address, including
umbrellainsurancellc.com, which shows that these job scams are operated by the same people:

Expanding the scope


To map the broader scam network, we look for attributes shared by the initially identified domains:

Domain                             Registrar     Name server            Hosting provider  MX                          Website paths
gulfshore-energy.com               OwnRegistrar  hostnownow.com         Hostrocket        gulfshore-energy.com        .html or #
sheikhmussafahoilgroup.com         NameCheap     namecheaphosting.com   NameCheap         Zoho                        .html or #
ehelpconsultant.com                OwnRegistrar  hostnownow.com         Reliablesite      ehelpconsultant.com         .html or #
duramtravels.com                   OwnRegistrar  hostnownow.com         Hostrocket        Zoho                        .html or #
summerlinktravel.com               NameCheap     namecheaphosting.com   NameCheap         Zoho                        .html or #
southseaenergyllc.com              OwnRegistrar  hostnownow.com         Reliablesite      southseaenergyllc.com       .html or #
umbrellainsurancellc.com           OwnRegistrar  hostnownow.com         Hostrocket        Zoho                        .html or #
gulfintlmedicalcare.com            OwnRegistrar  hostnownow.com         Reliablesite      gulfintlmedicalcare.com     .html or #
westernairimmgration.com           OwnRegistrar  hostnownow.com         Hostrocket        westernairimmgration.com    .html or #
dhlexpressuae.com                  OwnRegistrar  hostnownow.com         Hostrocket        dhlexpressuae.com           .html or #
iconiqueimmigration.com            OwnRegistrar  hostnownow.com         Hostrocket        Zoho                        .html or #
panemiratesimmigrationservice.com  OwnRegistrar  hostnownow.com         Hostrocket        Zoho                        .html or #

(An MX equal to the domain itself means mail is received on the site's own server; Zoho means a third-party
mail service handles it.)

From the table, the most common patterns are:

Almost all domains use hostnownow.com (a Nigerian provider) as their name server

The website paths are always .html or #

Because the MX records and hosting providers vary, we focus the rest of the analysis on the name server and
the website paths.
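The three pivots used so far (co-hosted domains from passive DNS, domains sharing a registrant email from reverse whois, and the shared name server) can be combined into one expansion loop over the attributes in the table above. The following Python is an added example and not code from the original article or from the Resonance platform. It runs on a constructed in-memory set of records shaped like passive DNS and whois results: the domains, registrars, name servers and the IP 66.147.236.12 come from this page, the other IPs are documentation addresses, the registrant emails are placeholders (the real ones are not reproduced here), and unrelated-shop.example is an invented decoy tenant. A shared registrant email counts as a strong link; a shared IP or name server is only a weak link, and a candidate needs two weak links with the same cluster member before it is admitted, so a hosting provider's other customers are not swept in.

```python
from collections import Counter, deque

# Constructed records in the shape passive DNS (ip) and whois (ns, registrar,
# registrant_email) lookups return. Domains, registrars, name servers and the
# IP 66.147.236.12 are taken from the article; the other IPs are documentation
# addresses and the registrant emails are placeholders (assumptions, not the
# real values). "unrelated-shop.example" is an invented decoy: a legitimate
# tenant of the same provider that must NOT be pulled into the cluster.
RECORDS = {
    "gulfshore-energy.com":       {"ns": "hostnownow.com", "ip": "66.147.236.12",
                                   "registrar": "OwnRegistrar", "registrant_email": "reg-b@example.invalid"},
    "duramtravels.com":           {"ns": "hostnownow.com", "ip": "66.147.236.12",
                                   "registrar": "OwnRegistrar", "registrant_email": "reg-c@example.invalid"},
    "umbrellainsurancellc.com":   {"ns": "hostnownow.com", "ip": "66.147.236.12",
                                   "registrar": "OwnRegistrar", "registrant_email": "reg-a@example.invalid"},
    "iconiqueimmigration.com":    {"ns": "hostnownow.com", "ip": "66.147.236.12",
                                   "registrar": "OwnRegistrar", "registrant_email": "reg-d@example.invalid"},
    "ehelpconsultant.com":        {"ns": "hostnownow.com", "ip": "198.51.100.7",
                                   "registrar": "OwnRegistrar", "registrant_email": "reg-a@example.invalid"},
    "sheikhmussafahoilgroup.com": {"ns": "namecheaphosting.com", "ip": "198.51.100.20",
                                   "registrar": "NameCheap", "registrant_email": "reg-e@example.invalid"},
    "unrelated-shop.example":     {"ns": "hostnownow.com", "ip": "192.0.2.44",
                                   "registrar": "OwnRegistrar", "registrant_email": "owner@example.invalid"},
}

STRONG = ("registrant_email",)   # one party registered both domains
WEAK = ("ip", "ns")              # shared hosting: many unrelated tenants possible


def build_index(records):
    """Invert the records into {field: {value: {domains}}} for each pivot field."""
    index = {field: {} for field in STRONG + WEAK}
    for domain, attrs in records.items():
        for field in index:
            value = (attrs.get(field) or "").lower()
            if value:
                index[field].setdefault(value, set()).add(domain)
    return index


def expand(seeds, records, min_weak_links=2):
    """Breadth-first pivot from the seed domains.

    A candidate joins the cluster when it shares a STRONG attribute with a
    member, or at least `min_weak_links` distinct WEAK attributes with the same
    member (e.g. same IP *and* same name server). A lone shared name server or
    IP is not enough, which keeps ordinary customers of the provider out.
    Returns the cluster and, per admitted domain, the link that admitted it.
    """
    index = build_index(records)
    cluster, queue, evidence = set(seeds), deque(seeds), {}
    while queue:
        member = queue.popleft()
        attrs = records[member]
        for field in STRONG:
            for other in index[field].get((attrs.get(field) or "").lower(), ()):
                if other not in cluster:
                    cluster.add(other)
                    queue.append(other)
                    evidence[other] = f"{field}={attrs[field]} via {member}"
        weak_links = Counter()  # candidate -> number of weak attributes shared with `member`
        for field in WEAK:
            for other in index[field].get((attrs.get(field) or "").lower(), ()):
                if other not in cluster:
                    weak_links[other] += 1
        for other, n in weak_links.items():
            if n >= min_weak_links:
                cluster.add(other)
                queue.append(other)
                evidence[other] = f"{n} weak links (ip/ns) via {member}"
    return cluster, evidence


def most_common(records, domains, field):
    """Tally one attribute across a set of domains, e.g. to spot the dominant
    name server or registrar as done in the table above."""
    return Counter((records[d].get(field) or "?").lower() for d in domains).most_common()


if __name__ == "__main__":
    cluster, evidence = expand({"gulfshore-energy.com"}, RECORDS)
    for domain in sorted(cluster):
        print(f"{domain:35} {evidence.get(domain, 'seed')}")
    print(most_common(RECORDS, cluster, "ns"))
```

Lowering min_weak_links to 1 reproduces the over-reach the note above warns about: the decoy tenant joins on the strength of the shared name server alone. In practice the registrant email pivot is fed by Whoxy or another reverse whois source and the IP pivot by Mnemonic or VirusTotal, with the records dictionary replaced by their responses.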

Identifying all internet domains that are using hostnownow.com as their Name Server

For this research we used ICANN's CZDS (Centralized Zone Data Service) to obtain the zone files of several
TLDs.

A zone file is a text file that lists, for every domain registered under the TLD, the name servers it
delegates to, as seen in the following picture:
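To show what the zone-file step looks like in code, here is an added example (not from the article or from ICANN) that streams a CZDS-style zone file and collects every delegation whose NS record points at a given provider. The zone excerpt is constructed: the delegations use name servers named on this page, 192.0.2.10 is a documentation address, and the last line is an invented lookalike that a naive substring match would wrongly accept.

```python
import sys
from collections import defaultdict

# Constructed excerpt in the layout of an ICANN CZDS zone file: one resource
# record per line, "<owner> <ttl> in <type> <rdata>", lower-cased, names ending
# in a dot. The last line is an invented edge case for the matcher.
SAMPLE_ZONE = """\
com.\t900\tin\tsoa\ta.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
gulfshore-energy.com.\t172800\tin\tns\tns23.hostnownow.com.
gulfshore-energy.com.\t172800\tin\tns\tns24.hostnownow.com.
ehelpconsultant.com.\t172800\tin\tns\tns23.hostnownow.com.
ehelpconsultant.com.\t172800\tin\tns\tns24.hostnownow.com.
example-tenant.com.\t172800\tin\tns\tns1.hostnownow.com.
sheikhmussafahoilgroup.com.\t172800\tin\tns\tdns1.namecheaphosting.com.
sheikhmussafahoilgroup.com.\t172800\tin\tns\tdns2.namecheaphosting.com.
ns23.hostnownow.com.\t172800\tin\ta\t192.0.2.10
notahostnownow.com.\t172800\tin\tns\tns1.hostnownow.com.evil.example.
"""


def uses_nameserver(ns_host, provider):
    """True when ns_host is `provider` itself or a host under it.

    A plain substring test would also accept "ns1.hostnownow.com.evil.example",
    so the match is label-aligned: equal, or ending in "." + provider.
    """
    ns_host = ns_host.rstrip(".").lower()
    provider = provider.rstrip(".").lower()
    return ns_host == provider or ns_host.endswith("." + provider)


def domains_using_ns(lines, provider):
    """Stream zone-file lines (a .com zone is tens of gigabytes, so it is never
    read into memory) and return {domain: [ns hosts]} for every delegation that
    points at `provider`. Only NS records are examined; A/SOA lines are skipped."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue
        # TTL and class may be absent in other zone dumps, so locate the type
        # token rather than assuming a fixed column.
        try:
            t = next(i for i in range(1, min(4, len(parts) - 1)) if parts[i].lower() == "ns")
        except StopIteration:
            continue
        owner, rdata = parts[0].rstrip(".").lower(), parts[t + 1]
        if uses_nameserver(rdata, provider):
            hits[owner].add(rdata.rstrip(".").lower())
    return {domain: sorted(hosts) for domain, hosts in hits.items()}


if __name__ == "__main__":
    # Usage: python zone_ns.py com.txt hostnownow.com   (file name is an assumption)
    if len(sys.argv) == 3:
        provider = sys.argv[2]
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            found = domains_using_ns(fh, provider)
    else:
        provider = "hostnownow.com"
        found = domains_using_ns(SAMPLE_ZONE.splitlines(), provider)
    print(f"{len(found)} domains delegate to {provider}")
    for domain, hosts in sorted(found.items()):
        print(domain, ", ".join(hosts))
```

The result is the list of registered (not necessarily live) domains; the up/down split in the numbers that follow needs a separate HTTP probe of each one.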

Let's now talk numbers:

5349 domains use hostnownow.com as their name server

3107 of them are up

2242 of them are down (some already show an "account suspended" page)

We continue the analysis with those 3107 working domains.

Identifying potential scam domains


Of those 3107 domains with the relevant name server, 1050 share the scam path pattern, so we classified them
as potential scam domains.
Below is the breakdown of potential scam domains by registrar.

Top 10 registrars

Registrar                  Potential scam domains
ownregistrar.com           726
PublicDomainRegistry.com   105
namecheap.com               89
dynadot.com                 45
namesilo.com                38
publicdomainregistry.com    15
registrar.eu                 6
porkbun.com                  5
godaddy.com                  4
1api.net                     3

(The two PublicDomainRegistry.com rows differ only in the capitalisation reported in WHOIS; together they
account for 120 domains.)

As the table shows, roughly 70% of the potential scam domains (726 of 1050) were registered through
ownregistrar.com. Looking for reviews on sites such as Trustpilot, we found complaints that the company
ignores abuse reports and does not take down malicious domains:
Top 10 IP addresses

IP address        Potential scam domains
104.194.10.93     153
66.147.238.212    138
104.243.35.168    137
66.147.239.119    133
66.147.236.12     119
66.147.230.55     114
104.194.9.178     101
66.147.238.174     93
66.147.238.157     61
199.59.243.220      1

These ten addresses account for all 1050 potential scam domains, and 66.147.236.12 is the server we found in
the passive DNS pivot above.

Multiple IP reputation and threat intelligence sources had already flagged most of these addresses as
malicious.

For example, the AbuseIPDB community flagged 104.194.10.93 for "web app attacks", "hacking" and "scanning
activities":
The VirusTotal community also linked the same address to phishing and an investment scam:

Top 10 registrant email addresses

Email Address Potential scam domains

[email protected] 10

[email protected] 8

[email protected] 8

[email protected] 7

[email protected] 7

[email protected] 7

[email protected] 7

[email protected] 6

[email protected] 6

[email protected] 6

The email address [email protected] is linked to scammers: all 10 domains registered with it are scam
websites:

a1speeddelivery.online (registered on 13/04/2022)

aritlineshipping.online (registered on 02/04/2022)

doctorpatrickniklas.online (registered on 02/04/2022)

dpdshipment.online (registered on 10/04/2022)

e87mathibelafinancialservices.online (registered on 21/04/2022)

fivebeansproducts.com (registered on 21/03/2022)

givingsupportukr.online (registered on 10/04/2022)

globalswiftlogistics.online (registered on 21/03/2022)

wetlandsecuritylogistics.com (registered on 19/04/2022)

xpressimpactlogistics.online (registered on 21/04/2022)

We can now run reverse whois lookups on the identified scammer email addresses to find scam domains that are
currently down, then use Google's cache and the Wayback Machine to retrieve their historical content and keep
pivoting to expand the scope further.

Targeted geolocations
By searching the 1050 potential scam domains for keywords (UAE, U.A.E, United Arab Emirates, +971, Dubai, Abu
Dhabi, ...), we identified 188 domains that target the UAE.

We also fetched other scam domains and found phone numbers with various country codes (+44, +1, +49, +27,
+36, ...), which indicates that this is a worldwide operation.
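The path-pattern classification above and the keyword and country-code searches in this section both start from the same parsed page, so the following added example (not code from the article) combines them into one triage function. The HTML is constructed in the style of the cloned sites: the company name, the +971 52 602 4849 number and the .html-or-# navigation come from this page, while the +44 7700 900123 number (a reserved fictional UK number), the facebook.com link and the email address are placeholders. The country-code table covers only the codes mentioned above.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Keywords from the "Targeted geolocations" search, and the dialling codes the
# article mentions (this mapping is constructed for the example).
UAE_KEYWORDS = ("uae", "u.a.e", "united arab emirates", "dubai", "abu dhabi", "+971")
COUNTRY_CODES = {"971": "AE", "44": "GB", "1": "US/CA", "49": "DE", "27": "ZA", "36": "HU"}

PHONE_RE = re.compile(r"\+(?:[\s\-().]?\d){7,15}")        # "+" then 7-15 digits with separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SCHEME_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:|//)")      # http:, mailto:, tel:, //host

# Constructed page in the style of the cloned sites; the email, the +44 number
# (Ofcom reserved fictional range) and the Facebook link are placeholders.
SAMPLE_HTML = """<html><head><title>Sheikh Mussafah Oil & Gas Group</title>
<style>.nav{color:#fff}</style></head><body>
<ul class="nav">
 <li><a href="index.html">Home</a></li>
 <li><a href="about.html">About Us</a></li>
 <li><a href="services.html">Services</a></li>
 <li><a href="#">Careers</a></li>
 <li><a href="https://www.facebook.com/example">Facebook</a></li>
</ul>
<p>Head office: Mussafah, Abu Dhabi, United Arab Emirates.</p>
<p>Call +971 52 602 4849 or +44 7700 900123, or email
 <a href="mailto:careers@sheikhmussafahoilgroup.example">careers@sheikhmussafahoilgroup.example</a>.</p>
<script>var year = 2023;</script>
</body></html>"""


class PageText(HTMLParser):
    """Collect every href and the visible text (no script/style) of a page."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.chunks, self._hidden = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.chunks.append(data)


def is_internal(href):
    """Relative links and bare anchors; mailto:, tel:, http(s): count as external."""
    return not SCHEME_RE.match(href.lower())


def is_template_path(href):
    """The cloned sites link only to static .html files or to '#'."""
    h = href.strip().lower()
    if h == "" or h.startswith("#"):
        return True
    return h.split("?", 1)[0].split("#", 1)[0].endswith(".html")


def country_of(digits):
    """Longest-prefix match of the dialling code (3, then 2, then 1 digit)."""
    for n in (3, 2, 1):
        if digits[:n] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:n]]
    return "?"


def triage(html):
    """Score one fetched page: link-path pattern, UAE keywords, phone country
    codes and contact emails (the phones and emails also feed the search-engine pivot)."""
    parser = PageText()
    parser.feed(html)
    parser.close()
    text = " ".join(parser.chunks)
    low = text.lower()

    internal = [h for h in parser.hrefs if is_internal(h)]
    template = [h for h in internal if is_template_path(h)]
    phones = ["+" + re.sub(r"\D", "", m.group()) for m in PHONE_RE.finditer(text)]
    emails = set(EMAIL_RE.findall(text))
    emails.update(h[7:].split("?", 1)[0] for h in parser.hrefs if h.lower().startswith("mailto:"))
    return {
        "internal_links": len(internal),
        "template_links": len(template),
        "template_ratio": len(template) / len(internal) if internal else 0.0,
        "uae_keywords": [k for k in UAE_KEYWORDS if k in low],
        "phones": phones,
        "country_codes": dict(Counter(country_of(p[1:]) for p in phones)),
        "emails": sorted(emails),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTML).items():
        print(f"{key:16} {value}")
```

Run over the 3107 live domains, a template_ratio close to 1.0 selects the cloned sites, uae_keywords selects the UAE-facing subset, and country_codes gives the distribution described above; the extracted phones and emails are the strings to search for in the search-engine pivot described earlier.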

Is this just a "job scam" network targeting job applicants exclusively?
After reviewing other domains, we detected several categories of cloned websites:

Government: adedc-ae.com

Investment: mcei-uae.com, 247megacryptosignal.com, eliteforexxtrading.com

Financial: denvbk.com, e87mathibelafinancialservices.online, creditgrantaccess.com

Insurance: umbrellainsurancellc.com

Ukraine support: givingsupportukr.online

Medical: westernmedicalspecialisthosp.com, gulfintlmedicalcare.com

School: sipsad.com

Suppliers: fivebeansproducts.com

And others

This indicates that the scammers are not only targeting job applicants: they operate in several directions
and follow world events to defraud people of their money.

About the Author


Abdelkader Ben Ali is a Senior Security Engineer with spiderSilk, an emerging leader in attack surface
management and threat detection. Abdelkader is an expert in his field; before joining spiderSilk, he was in
charge of threat intelligence at ODDO BHF, a Franco-German investment bank. His areas of expertise include
monitoring the dark web, underground forums, marketplaces and Telegram for data leakage and potential
attack vectors.

© 2023 All Rights Reserved spiderSilk Security DMCC.
