An incident responder who's seeking opportunities to work in a technology company!
Operator in Cookie Han Hoan
Admin in Cyber Mely, CyberSpace
Forensic at @World Wide Flags

MMO Scammer - OSINT Real Case

Hi everyone, after playing with my lover 😂😂😂, my brother told me that I can post a writeup I made before about OSINT, because his company said it was cleared for disclosure! This is an interesting case and I want to share it with you. Let’s start!

image

First, they gave us the website belonging to the scammer: https[://]mymin[.]net:

image

The first request was to find the Google Analytics ID of this website, which is easy to do by inspecting the page source. For anyone who doesn’t know, a GA ID lets the developer track website activity and analyse user behaviour, and the GA snippet has to be embedded in the page source for that to work. So I pressed Ctrl + U to view the source; GA IDs start with GA or UA, so press Ctrl + F, type GA or UA, and you will find it:

image
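The Ctrl + F step above, made repeatable, as an added example that is not part of the original writeup: a small extractor that pulls the Google Analytics / Tag Manager IDs out of a saved page source. The HTML sample is constructed for the example and does not come from the site in the writeup.

```python
import re

# Property IDs that show up in a page's source when analytics is embedded:
#   UA-XXXXXX-Y  (Universal Analytics),  G-XXXXXXXX  (GA4 measurement ID),
#   GTM-XXXXXX   (Tag Manager container, which usually loads the GA tag).
_ID_PATTERN = re.compile(
    r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{5,9})\b",
    re.IGNORECASE,
)


def extract_analytics_ids(html: str) -> dict:
    """Return the distinct tracking IDs found in `html`, grouped by type.

    IDs are normalised to upper case and listed in order of first appearance,
    so a measurement ID referenced twice (script src + gtag('config')) is
    reported once.
    """
    found = {"UA": [], "G": [], "GTM": []}
    for match in _ID_PATTERN.finditer(html):
        ident = match.group(1).upper()
        prefix = ident.split("-", 1)[0]
        if ident not in found[prefix]:
            found[prefix].append(ident)
    return found


# Constructed sample page (not the scammer's site): a gtag.js snippet with a
# GA4 measurement ID and a legacy UA property, plus a Tag Manager container.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123DEF4"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABC123DEF4');
  gtag('config', 'UA-12345678-1');
</script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];})(window,document,'script','dataLayer','GTM-WXYZ123');</script>
</head><body>GA-UA-not-an-id</body></html>"""

if __name__ == "__main__":
    print(extract_analytics_ids(SAMPLE_HTML))
```

The same function works on any saved response body, for example a page downloaded with curl or a snapshot fetched from the Wayback Machine.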

Next, we need to find the origin IP of this website. I guess many people will ask: “Hey Odin, isn’t the real IP right there?” If you know a bit about how websites work, you know how developers keep them safe on the Internet: they put a proxy in front, which works like a wall that nobody can see through. It’s the same in this case: no attacker wants to be arrested 😂😂😂, so they use a proxy to hide themselves on the Internet:

image

image

The problem is how to find it. In my experience, attackers sometimes forget to delete their old websites or old DNS records, so those stay public on the Internet. I checked the DNS records as in the image above and got nothing, so I took a piece of text from the website and searched for it:

image

I took the keyword “Cộng Đồng MYMIN” and searched for it on Google:

image

You can see a website that has a raw IP address. To confirm it was the static origin IP, I used dig again and also edited /etc/hosts to point the domain at that IP and loaded the website again: if the site loads correctly when accessed directly like that, it’s the real IP. Fortunately my reasoning was correct:

image

image

image

Next, I dug deeper into this website using whois and found the admin information:

image

Admin Information:

  • Name: Hau Nguyen
  • Home: 342A LE HONG PHONG, NHA TRANG
  • Phone number: 1206020905
  • Email: ilgbt.net@gmail.com

I also used shodan.io to look for any useful information, and I found that this server had another domain: ussv.net:

image

From here I used the Wayback Machine to look at its past behaviour, and I found that this website was very active in 2015-2017:

image

I took a snapshot from this period and got its interface:

image

This is one of the login methods that scammers used frequently, and it is still happening today. I tried the registration page and found his Facebook:

image

image

Next, I kept exploring and found a big change in 2015:

image

On 08 October 2015, its background and login method were changed; besides that, I found some files in AddOn:

image

I downloaded them and tried to analyse them, and this is my summary:

image

image

image

There aren’t many differences between the two files, but the first one disables Google’s protection method and the second one loads an extension, which is not good at all. Remember the Facebook account we found before? I found a forum:

image

From here we can see another of his usernames: ukesemeseke. To make sure this username and his Facebook don’t refer to a different person, I kept searching and found a post proving they are the same:

image

Moreover, in that post you can find his YouTube channel, with videos about how to check other people’s Facebook accounts, which is illegal:

image

I also saw his face when I watched his video 😂😂😂:

image

With the username ukesemeseke I used sherlock, a framework that helps you find a username on other platforms:

image

After filtering, I had a list of all his available social media profiles.


Above is my process for searching for information about this website. This was a very good case study for me because I could apply all the knowledge I learned while playing CTFs. Thank you, my dear brother Prismo, for giving me the opportunity to experience real problems. I really learned a lot from this case study. Thank you for reading my articles; if you have any questions, please contact me on Facebook.

See you in the next article. Bye!!! 🫀🫀🫀
