How I tracked down a "Romance Scammer" from Africa

in #ghana8 years ago (edited)

As an IT Consultant of 16 years, time to time you get some clients who have very insecure networks.

One day we inherited a new client. Windows 2008 server with RDP open from the outside. Client would complain their internet is slow, continuous dropped packets, etc. Upon viewing the logs, I can see constant brute force attacks via RDP port which immediately told me what was going on. After locking down firewall and removing access from the outside I noticed something interesting.

I found a strange local account on the server which was not the typical Guest or Administrator account. It appears someone has actually guessed the password and got in. I quickly reset the password and logged into the account to see what it was up to.

Upon logging in, I really couldn't find anything suspicious, no strange services running, no programs running in the background which would tell me a botnet was installed or anything like that. But, I did notice a chrome browser was installed. Typically on servers we like to keep everything vanilla. After launching chrome, I found some history of some Christian Dating sites and checked it out. To my surprise, the password was saved, but hidden with asterisks. Since it was using a chrome browser, it is easy to reveal the password, so with a couple edits and google searches I was able to log in!

I thought to myself, "Now, I caught this guy! some guy using a hacked RDP account to do some online dating and cheat on his wife!" His profile showed Caucasian male, 45 years old, etc etc"

I started viewing his chat messages, and other messages sent to potential females and some of the things were hilarious. It was quite amusing... actually, some of the things he said were quite good and had some game.


I was ready to turn this guy in, until I decided to use google images to search the profile picture, and found out this is actually a different guy all together! So, the investigation continues...

I was able to view the profile of the account and was able to find a gmail account...

Just to try, I launched google accounts and tried logging into that email address with the same password to the Christian dating site. IT WORKED! Upon logging in, I could see TONS of text messages with poor women via Google Voice. He was going by the name Abraham...


Some of these conversations were deep!! They were getting real good and juicy. He was pimpin them girls like nothing, he had mad game. I also noticed a pattern. Once he got someone really hooked, he would start making up reasons like how he is stuck due to passport issues, or other excuses which required some sort of monetary help. He would ask the women to send money to help him get out of sticky situations because he did not have access to his banks, or things like getting iphones bought for him. I even found where he would pay someone to register him to an online college and he would wire him double the amount of money to do it for him with some bogus reason! The guy was a pro! These poor old women, who were probably divorced wanted to start a new life with a good man on dating sites, and this guy would take advantage of them and sucker them into sending him goods or money!

Here is where it gets more interesting! Since, I was able to get access to the google account, I was also able to get to the Google Play store :) This allowed me to push a wonderful app called "Android Lost".

Android Lost is used to track your phone if its ever stolen or lost. Make it ring or wipe it, retrieve files from it, get it's GPS location. Even if the sim card is pulled, you can turn on the wifi, gps, etc etc and grab data from it.

Once I pushed out the app, all kinds of fun ensues.

I first sent a message to the phone, there is an option to make a message pop up on the screen even if it's locked. I put in a generic message, "Memory Error: 1293" Once you view this message and hit OK, it takes a picture from the front camera:

OMG, this guy is not a white Caucasian male, but some young Black/African male as you can see his face in confusion after reading the message and getting his picture snapped.

Next I wanted to find his location, so I requested that:







This guy lives in GHANA AFRICA!!! I did a google search of Ghana scammers, and GHANA ROMANCE SCAMMERS are a thing! http://ghana.usembassy.gov/romance_scam.html

For days I would track his movements gathering as much intel as possible to provide to the client!

I was able to pull his phone browser history, contacts, real phone number, his phone provider and cell phone information, his facebook, outbound calls, text messages, and also found out he was using a VPN service to hide his IP and/or get USA based IP addresses. I was able to log launch an FTP from his phone and start browsing his files. I was able to download his pictures, basically everything on an android phone!










After gathering as much info and evidence I could, I gave it to the client and explained the situation. What happened next I am not sure, since I shortly left the company afterwards for another position. But, even with some research I don't really know what you could do to someone that is in another country, another third world country albeit.

One thing is for sure. NEVER SAVE your password in a browser. and ALWAYS use 2 factor authentication!

Sort:  

I nearly be able to tell you what happened in the long-run. Nothing. The authorities just use these guys as levers against other criminals.

Great advice at the end and good for you to follow through. Back in the day when the 419 scams were more prevalent, I always egged them on and strung them along. I was able to track a few but its fun.

Congratulations @sungminz! You have received a personal award!

2 Years on Steemit
Click on the badge to view your Board of Honor.

Do you like SteemitBoard's project? Then Vote for its witness and get one more award!

Congratulations @sungminz! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 3 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Coin Marketplace

STEEM 0.24
TRX 0.21
JST 0.036
BTC 98210.68
ETH 3384.50
USDT 1.00
SBD 3.43