If you’ve ever visited my LinkedIn you know that I admit to working for a “nameless detective agency” in Los Angeles. I haven’t displayed any of the stuff I’ve been doing, but this week I got something where I can make my findings public, a broad political spearphishing campaign.
The origins of the emails were obfuscated, but all anchored at mesrv.com. Using Maltego I found dozens of subdomains.
The Whois lookup for the domain was completely useless, a proxy registration intended to thwart diggers.
But this particular operator didn’t register clean at the start of this game. Hello, Mohammed Benyahia.
The other 21 domains associated with his name were available:
Domains are registered to firstname.lastname@example.org, and a quick scan shows that mesrv.com and tersea.com are quartered in the same place today. This gives me the sense I’ve got the right guy, it’s not like someone picked up the mesrv.com domain at random and put it to work using Benyahia’s business as a cover.
I visited tersea.com’s site and they conveniently revealed the @tersea Twitter account. It only took moments to find @Salutismo, Benyahia’s personal account, and then from there the rest fell out quickly.
Some of those are big media accounts; stripping those, it appears we’ve found some possible associates:
Among them, I most like Dany Tech aka Omar Salhane, since he’s locked down and that sounds like a Moroccan name, same as Benyahia. Small accounts like these, particularly long abandoned, are absolute treasure: they’re a candid admission of how things were in the past, and only a really experienced player will know to clean up, or to salt their trail with fake stuff.
So that’s some initial recon. We’re looking for someone who can pick out who is important in a specific left-leaning political organization and go at them hard. A Moroccan living in Paris with rented servers in Ireland? That doesn’t add up, so at this point I guess this guy is a service provider to many activities, perhaps some shady, and I change direction a bit.
I found thirteen IPv4 and two IPv6 addresses active for the twenty-one domains.
I thought it would be interesting to employ ThreatCrowd, a Maltego transform that queries AlienVault’s Open Threat Exchange. Two of the fifteen IPs came back hot – involved in malware campaigns. Notice the number of German domains here? All of Benyahia’s contacts are French speakers, so this looks like a generalized place for bad actors.
And the main tersea.com domain came back hot, too.
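The pivot described above (resolving a set of domains, noticing which ones are hosted together, counting IPv4 versus IPv6 addresses, and checking the addresses against a threat feed) is easy to reproduce in a few functions. This is an added example, not the author’s tooling; the resolution results and the “hot” address list are constructed stand-ins using documentation address ranges so it runs offline.

```python
"""Infrastructure pivot over a set of domains: shared hosting, address-family
counts, and threat-feed matches.  All data below is constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed resolution results (RFC 5737 / RFC 3849 documentation ranges);
# these are not real DNS answers for the named domains.
RESOLVED = {
    "mesrv.com": ["192.0.2.10", "2001:db8::10"],
    "tersea.com": ["192.0.2.10"],
    "other-a.example": ["198.51.100.7"],
    "other-b.example": ["198.51.100.7", "203.0.113.99"],
    "other-c.example": ["203.0.113.5", "2001:db8::5"],
}

# Constructed stand-in for addresses a threat exchange reports as malicious.
HOT_IPS = {"198.51.100.7", "203.0.113.5"}

def count_address_families(resolved):
    """Return (distinct IPv4 count, distinct IPv6 count) across all domains."""
    v4, v6 = set(), set()
    for addrs in resolved.values():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            (v4 if ip.version == 4 else v6).add(ip)
    return len(v4), len(v6)

def cohosted(resolved):
    """Map each IP to the sorted domains resolving to it, keeping only IPs
    shared by two or more domains (the 'quartered in the same place' pivot)."""
    by_ip = defaultdict(set)
    for domain, addrs in resolved.items():
        for a in addrs:
            by_ip[str(ipaddress.ip_address(a))].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}

def intel_hits(resolved, hot):
    """Return {domain: [flagged IPs]} for domains with an address in the feed."""
    hits = {}
    for domain, addrs in resolved.items():
        flagged = sorted(a for a in addrs if a in hot)
        if flagged:
            hits[domain] = flagged
    return hits

if __name__ == "__main__":
    print("address families (v4, v6):", count_address_families(RESOLVED))
    print("co-hosted:", cohosted(RESOLVED))
    print("intel hits:", intel_hits(RESOLVED, HOT_IPS))
```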
I think Benyahia is a fraudster, a spammer, but he doesn’t read like someone who goes hunting in the American political space. He probably sold some services to someone who did, and that’s a deeper level of digging required to expose the truth. I haven’t seen the details on the attempts so I can’t predict if I’ll be able to display them here, or if they’re specific enough to identify the target.
This sort of work is fun for me, like doing a puzzle where there’s a scavenger hunt for the pieces before I can even start.