Using OSINT in Human Trafficking Investigations 0x02 - Job Scams and the Dark Web
Joas A Santos
Cyber Security Leader | Red Team | Author of Books | Speaker and Teacher
Disclaimer: This article is grounded in actual human trafficking cases. However, all data, company names, individuals, and other organizations mentioned are entirely fictitious to safeguard individuals and prevent potential legal repercussions.
I closely monitor numerous human trafficking investigations—a pervasive issue confronted by law enforcement agencies worldwide.
In a preceding article, I delved into OSINT-related concepts. Nevertheless, my efforts in this domain are merely recreational, serving as a way to challenge and enhance my OSINT skills.
If you wish to peruse my previous article, you can find it here:
Now, let's embark on the practical and hands-on aspects of the article. It's important to note that all scenarios presented hereafter are entirely fictional.
Modus Operandi
Above is an example of a modus operandi regarding human trafficking:
Internet and Human Trafficking
Some criminal organizations approach people through social media and lure them by arranging fake meetings.
The internet is also used by traffickers to connect with the targeted victims. Recruitment practices are widely reported upon, when it comes to both sexual exploitation and forced labour. Several methods have been identified, from direct contact to more devious and deceptive ploys. 31 out of the 79 court cases considered for this chapter report an element of online recruitment, affecting almost half of the total victims included in the database. Technology-based recruitment hinges on the anonymity of communications via the internet. It may prove difficult to identify the author of online advertisements or the genuine identity of people writing from social media accounts. An example of internet manipulation is described in one court case, where the trafficker used multiple online profiles to recruit the victims. The trafficker stayed in contact with each victim through two fake identities: one was used to write abusive text messages, while the other was used to express understanding and compassion. This technique was instrumental in building trust with the victims. The disclosure of personal information on social media platforms may easily be misused by traffickers. One group of traffickers, for instance, used Facebook to browse through user profiles and, on the basis of the information that people shared, selected potential victims who could be more susceptible to being courted and tricked into exploitation.
An analysis of the court cases suggests that different types of internet platforms are used by traffickers. For the purposes of this chapter, three broad typologies of platforms have been identified:
• Social media, including Facebook, Myspace, Skype, WhatsApp and Vkontakte;
• Classified webpages for advertisement, referring to generic websites where individuals post advertisements or browse for items or services to buy or sell;
• Free-standing webpages, referring to websites created by traffickers that do not form part of larger domains.
Source: UNODC, Global Report on Trafficking in Persons 2020, Chapter V, "Traffickers' Use of the Internet". Available at: https://www.unodc.org/documents/data-and-analysis/tip/2021/GLOTiP_2020_Chapter5.pdf
Investigating the profile of a human trafficker in Social Media
The initial step is to investigate the company rather than the employee, as confirming the existence of the company simplifies subsequent steps.
I used the name "Traffic" as an example of a company, randomly selected for our analysis.
Some individuals pose as recruiters from prominent companies, or from small businesses offering "business opportunities". This is why front companies are used so extensively: they give the operation a corporate face to hide behind.
Many of these front companies are registered in tax havens such as Curaçao or the Cayman Islands, and they chain several shells together so that the whole structure looks like a legitimate, highly profitable enterprise. It is nothing of the sort.
Continuing the investigation, I added the recruiter's name and filtered by country of residence using the Maltego Search LinkedIn Profiles [Google] transform, to retrieve the profiles associated with that name.
Above are the results. The next step is to compile and analyze each one, but the result set is still generic. To narrow it, I filtered by the company name using the PeopleDataLabs transforms from the Maltego Transform Hub.
Based on this specific filter, we can acquire more details about our profile by filtering through the name of a specific organization.
Additionally, we can conduct reverse image searches using the profile picture of the alleged recruiter.
I will use the Tineye tool for this process or Google Images itself.
Available at: https://tineye.com/ https://www.google.com/imghp?hl=en
With no matches from either reverse image search, the next test is whether the photo was generated by an AI, using the tool "Optic AI or Not".
Available at: https://www.aiornot.com/
I tested two images to verify how the tool behaves. The first, supposedly our recruiter, is flagged as AI-generated, while the second, a photo of Kevin Mitnick, is recognized as human-made. In this lab the verdict was unambiguous, but AI-image detectors produce both false positives and false negatives, so treat the result as one indicator to corroborate, never as proof on its own.
Now that we have strong indications that the recruiter's identity is fabricated, let's dig deeper into the company. That means searching for feedback on the internet, checking business registry websites, identifying company partners, running OSINT on their profiles, analyzing the website domain with whois, and searching for related addresses and companies that share a location linked to the board of directors or employees; in short, building an investigative profile. In this article, however, I won't go into corporate investigations; the focus is social media. I may cover business investigations in depth in a potential Part 4.
To continue, while scouring the company's name and the recruiter's name who offered this supposed job, I stumbled upon an internet forum, specifically on Reddit, where a user recounted a situation she experienced.
However, I noticed that she mentioned the same company in this forum but with a slightly different name. Consequently, I pursued the company name she referenced and was equally surprised to find the founder of the current company listed on the board of directors.
I utilized the Curacao Chamber website to check for registered companies in these tax havens.
Available at: https://www2.curacao-chamber.com/
Upon examining the site and conducting some scans based on these insights, I detected something interesting running on the server.
Investigating a marketplace on the Tor network
Using https://www.shodan.io/, I entered the organization's name and analyzed the exposed applications. To my surprise, the web server returned an Onion-Location header, which is how a site tells Tor Browser that a .onion version exists so it can offer to switch the user over. Accessing the site conventionally, we encounter a regular institutional website.
A website featuring articles, a login option, and even products available for purchase.
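To make the Onion-Location check reproducible without Shodan, here is an added example (not code from the article or from the site being investigated) that parses both places the hint can appear, the HTTP header and the <meta http-equiv="onion-location"> tag, and checks whether Tor Browser would actually honour it: the value must be an http(s) URL with a .onion host, and the page must itself be served over HTTPS. The headers, HTML, hostnames and URLs below are constructed for the demo; the v3 check is a format check only (56 base32 characters plus .onion) and does not verify the embedded key checksum.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# v3 onion service hostnames are 56 base32 characters (a-z, 2-7) followed by ".onion".
# Format check only: this does not validate the ed25519 checksum inside the address.
ONION_V3_HOST = re.compile(r"^[a-z2-7]{56}\.onion$")


class _OnionMetaParser(HTMLParser):
    """Collect the content of every <meta http-equiv="onion-location" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "onion-location" and a.get("content"):
            self.values.append(a["content"])


def is_valid_onion_location(value: str) -> bool:
    """Tor Browser only honours the hint if it is an http(s) URL whose host is a .onion address."""
    u = urlparse(value.strip())
    return u.scheme in ("http", "https") and bool(u.hostname) and bool(ONION_V3_HOST.match(u.hostname))


def find_onion_location(headers: dict, html: str, page_url: str) -> list:
    """Return every Onion-Location hint found in the response, with a verdict for each."""
    candidates = [("header", v) for k, v in headers.items() if k.lower() == "onion-location"]
    parser = _OnionMetaParser()
    parser.feed(html)
    candidates += [("meta", v) for v in parser.values]

    served_https = urlparse(page_url).scheme == "https"  # Tor Browser ignores the hint on plain HTTP
    results = []
    for source, value in candidates:
        ok = is_valid_onion_location(value)
        results.append({
            "source": source,
            "value": value,
            "well_formed": ok,
            "honoured_by_tor_browser": served_https and ok,
        })
    return results


# Constructed sample response: a well-formed v3 address in the header and a stale,
# too-short (v2-style) address left behind in a meta tag.
SAMPLE_HEADERS = {"Server": "nginx", "Onion-Location": "http://" + "b" * 56 + ".onion/"}
SAMPLE_HTML = '<html><head><meta http-equiv="onion-location" content="http://expiredv2addressab.onion"></head></html>'

if __name__ == "__main__":
    for r in find_onion_location(SAMPLE_HEADERS, SAMPLE_HTML, "https://example.test/"):
        print(r)
```

In practice you would feed it the headers and body from a real `requests.get` or from the raw banner Shodan stored; the point is that a malformed or v2-length value is still an investigative lead (the operator once had an onion service) even though no browser will follow it.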
However, upon accessing the .onion site, I am redirected to a login screen. Being naturally curious, I decided to attempt a bypass to see where it leads, so I started studying the application for a way past the login. Given that this is a straightforward site backed by an SQL database, my approach was to attempt SQL injection using a predefined payload list. In a real investigation this step belongs to law enforcement: probing a third-party system without authorization is a criminal offence in most jurisdictions, can tip off the operators, and can taint evidence.
As a result, I managed to execute a bypass and access the website through a SQL Injection vulnerability.
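To show concretely why a "predefined list" works against a site like this, here is an added example (not the article's code, not the real site's code) in Python with SQLite: a login query assembled by string concatenation, the small payload list that bypasses it, and the parameterised query that does not. The table, credentials and payloads are constructed for the demo. Run it only against this local in-memory database; testing someone else's system is unauthorized access regardless of what the site hosts.

```python
import sqlite3

# Constructed payload list of the kind used for login bypass attempts. Each one closes
# the username literal and comments out the rest of the WHERE clause.
BYPASS_PAYLOADS = ["' OR '1'='1' --", "admin' --", "' OR 1=1 --"]


def make_db() -> sqlite3.Connection:
    """Toy user table; a real system would store a password hash, not the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """User input is concatenated straight into the SQL text: the flaw the article exploits."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return None  # a payload that breaks the syntax simply fails to log in
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Same query with bound parameters: the input can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def try_bypass(login, conn) -> list:
    """Return the payloads that log in as some user without knowing the password."""
    return [p for p in BYPASS_PAYLOADS if login(conn, p, "wrong-password") is not None]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login bypassed by:", try_bypass(login_vulnerable, conn))
    print("parameterised login bypassed by:", try_bypass(login_safe, conn))
```

With the concatenated query, `' OR '1'='1' --` turns the WHERE clause into `username = '' OR '1'='1'` followed by a comment, so the first row (admin) comes back; with bound parameters the same string is just a username nobody has.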
Upon scrutinizing the website, you encounter images of children in situations of trafficking and child exploitation. Many of the victims hail from Latin America, given that it's one of the hotspots for the abduction and kidnapping of children destined for countries such as the USA, Russia, and various Asian nations.
Disclaimer: The website is fictitious; I merely edited a real site that offers hacking/fraud services. There is no trade involving individuals or any content related to child exploitation, based on my analysis. The image is sourced from a Google stock photo and does not represent a real person.
Sites like this are seldom found openly on the Tor network; they usually require an invitation or live on other networks, largely because of the scrutiny Tor has attracted.
I took the cryptocurrency wallets and checked them on Chainabuse to investigate any reports these wallets might have. Available at: https://www.chainabuse.com/
Moreover, I can track the transactions that this wallet engages in to establish an investigative trail. Available at: https://blockstream.info/
Based on the information gathered, you can observe the flow of transactions, enabling you to trace and potentially identify other wallets associated with the group.
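Before submitting anything to Chainabuse or a block explorer, it is worth extracting the wallet addresses from the scraped page programmatically and checking that they are well formed, since an OCR error or a single copied character will send you chasing an address that never existed. Here is an added example (not the article's code) that pulls candidate Bitcoin and Ethereum addresses out of text and verifies the Base58Check checksum of legacy Bitcoin addresses; bech32 and Ethereum addresses are matched on format only. The scraped text is constructed for the demo: the first address is the well-known Bitcoin genesis-block address, the second is the same address with its last character altered.

```python
import hashlib
import re

# Constructed sample: text as scraped from a marketplace page.
SCRAPED_TEXT = """
Payment: BTC 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
Alt: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb  ETH 0xabababababababababababababababababababab
"""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
RE_BTC_LEGACY = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")   # P2PKH ('1...') and P2SH ('3...')
RE_BTC_BECH32 = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b")        # format only, no bech32 checksum
RE_ETH = re.compile(r"\b0x[0-9a-fA-F]{40}\b")                        # format only, no EIP-55 check


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def is_valid_legacy_btc(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # 0x00 = P2PKH, 0x05 = P2SH (mainnet)
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def classify_wallets(text: str) -> dict:
    """Extract candidate addresses and separate legacy BTC ones by checksum validity."""
    found = {"btc_legacy_valid": [], "btc_legacy_bad_checksum": [], "btc_bech32": [], "eth": []}
    for m in RE_BTC_LEGACY.finditer(text):
        key = "btc_legacy_valid" if is_valid_legacy_btc(m.group()) else "btc_legacy_bad_checksum"
        found[key].append(m.group())
    found["btc_bech32"] = RE_BTC_BECH32.findall(text)
    found["eth"] = RE_ETH.findall(text)
    return found


if __name__ == "__main__":
    for kind, addrs in classify_wallets(SCRAPED_TEXT).items():
        print(f"{kind}: {addrs}")
```

A checksum failure does not mean the address is fake; it means what you copied is not what the operator published, so go back to the source before you query it.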
I used Onioff (https://github.com/k4m4/onioff) to check a range of related URLs for whether they are still online, since sites like this typically keep mirror addresses as a fallback.
I could use TorBot (https://github.com/DedSecInside/TorBot) to crawl the application, but I don't recommend doing that against any site of this kind: aggressive crawling is noisy and tends to alert the operators.
Another approach, available only to investigators operating under lawful authority, is to look for further vulnerabilities in the site in order to gain persistent access, which allows the interactions on the site to be observed and traced over time.
Facebook Model Agency Scam
A commonly employed tactic by criminals and traffickers involves fake modeling agencies. Often, they approach adolescents aged 12 to 17 on Facebook, inviting them to a photo session at a specific location, promising substantial earnings and opportunities to travel abroad.
Advertisements are also posted in job groups, especially by fake recruiters, as illustrated in the case above. Of course, here, suspicion is heightened due to it being a less conventional network for finding employment opportunities, unlike LinkedIn.
An example that turned into a public prosecution investigation in Brazil illustrates the traffickers' modus operandi: offering employment through Facebook groups or even by private message. People close to me have received numerous such "job opportunities", and when they asked the supposed recruiters for specific details, the replies stopped.
Some of the addresses given lead to abandoned warehouses, remote locations, or unoccupied buildings, which traffickers widely use to set up their operations discreetly and avoid drawing attention.
Reference:
<https://www.childhood.org.br/safernet-alerta-para-golpe-internacional-de-falsas-agencias-de-modelo/>
Tools used in this article:
Maltego (Search LinkedIn Profiles [Google] transform and the PeopleDataLabs transforms from the Transform Hub), TinEye, Google Images, Optic AI or Not, the Curaçao Chamber of Commerce registry, Shodan, Chainabuse, the Blockstream block explorer, Onioff and TorBot.
To keep the article from becoming too lengthy, since some readers didn't appreciate my 20 to 30-minute pieces, I have summarized as much as possible here. I'm not sure that is sufficient, so I plan to break the material into parts.
Conclusion
The scenarios presented are crafted by me, though based on real cases investigated by the police. Naturally, the real modus operandi and investigation process are far more complex; it takes years to reach a key individual and extract the information needed to set up a capture and rescue operation.
Nevertheless, I prefer to present things from a simpler perspective, drawing on what I've observed on the subject. I aim to illustrate how an ordinary user can leverage OSINT knowledge to avoid such dangers and stay vigilant.
In the upcoming articles, I plan to delve into more advanced topics, using OSINT to investigate groups or profiles on a broader scale, scrutinizing companies, classified websites, fake job listings, and even delving deeper into the TOR network. And, of course, if you're looking for content better than mine, I highly recommend checking out the Offensive OSINT and OSINT Combine blogs.