‘It just keeps getting better’

Using linguistics to trace potential online fraud factories

An O S I N T blog by I N T E L P O O L

Photo by Meritt Thomas on Unsplash

BITIN TRUST MINING LTD

On 27 February 2020, the Belize International Financial Services Commission (IFSC) published a WARNING NOTICE concerning the company BITIN TRUST MINING LTD. The Warning text states: “The entity listed below is not licensed under the IFSC Act to provide, carry on, transact, or hold itself out as providing, carrying on, or transacting any of the international financial services as set out in the Schedule of the IFSC Act in or from within Belize. Members of the public who transact business with this entity do so at their own risk.”

Image taken from Belize IFSC website on 3 June 2020

The BITINTRUST website displays misleading content, such as incorrect addresses and what appears to be stock imagery to portray so-called ‘Mining Managers’. For example, one testimony includes an image of ‘Victoria — Senior Account Manager’ — but further research against the image used appears to be that of a Romanian actress named ‘Miruna Maura’.

TIP: This research is conducted using the ‘reverse image search’ technique of matching an image to other identical images on the internet through search engines, such as Yandex Images, Google Images and Bing Images. For a step-by-step guide on this technique, watch this excellent ’10 Minute Tip’ video by the fabulous OSINT CURIOUS PROJECT.

‘Victoria’

Spot the difference

“Miruna Maura’

Further research reveals the presence of a ‘Miruna Maura’ on Social Media platforms, including Facebook as ‘@MauraTrocan’ and Linkedin as ‘Miruna Maura B.’ aka ‘Maura Barbulescu’, where she appears to be highly experienced in marketing and crypto-related matters.

‘Maura Trocan’ Facebook page and the elephant in the room

‘Miruna Maura B.’ aka “Maura Barbulescu’ Linkedin page

Given that we already know from the IFSC Warning that the BITINTRUST site is using a fraudulent Belize financial services license, I am not going to speculate about the true name or role of Victoria/Miruna, as there may be a perfectly legitimate explanation for her different appearances and roles.

I shall therefore focus on the actual aim of this blog, to attempt to identify other potentially fraudulent Forex trading services sites using some simple linguistic research techniques based upon the details found on the BITINTRUST website. According to the Financial Services Authority in St Vincent & The Grenadines, phony success stories from fictional customers are one of a list of warning signs of a Forex scam.

On the topic of linguistic analysis and fraud, I would also like to point out this 2010 study titled ‘Identification of fraudulent financial statements using linguistic credibility analysis’ and this 2016 study ‘The Language of Deceivers: Linguistic Features of Crowdfunding Scams’. Interestingly, the latter study suggests that scammers are less likely to include typographical errors. I would argue that there is still space for debate on that issue.

As a first step, I check the BITINTRUST domain using urlscan.io,. Once the scan has been completed, I select the ‘full image’ screenshot option, which gives me the following image:

Urlscan.io ‘full image’ screenshot of the BITINTRUST website.

I also note on urlscan.io that the Transport Layer Security (TLS) certificate was issued by ‘Sectigo RSA Domain Validation Secure’. I briefly digressed and visited the BITINTRUST website itself and checked the certificate which expires on 5 June 2021. I noticed that the website ownership information was not provided.

TIP: When researching multiple websites providing identical or very similar content, it is useful to research the TLS certificate (also known as the SSL — Secure Sockets Layer). This can be achieved by clicking on the padlock symbol to the left of the Uniform Resource Locator (URL) and viewing the certificate details. This may provide information or clues about the overarching ownership or control of websites.

I subsequently researched a few of the TLS certificates of the other sites reviewed as part of this report and noticed they were also using the ‘Sectigo RSA Domain Validation Secure’ TLS certificate and also did not provide the website ownership information. Other websites reviewed used TLS licenses provided by COMODO CA, which is now actually also operating under the brand of Sectigo.

Here are some examples of the TLS certificates viewed, though it should be noted that this is only a small sample of all of the websites mentioned in this report and should not be viewed as being fully representative of all sites:

All reviewed paths lead to Sectigo Limited TSL Certificates

Back to the urlscan.io result for BITINTRUST. Upon selecting the ‘Content’ option within the urlscan.io result, I get a nice format-free text content from the website (which I also verified as being correct from separate research against the website itself). The screenshot below contains an extract of the relevant ‘text content’.

Screenshot from urlscan.io result for BITINTRUST[.]COM website

The screenshot above displays the highlighted section of text ‘it just keeps getting better. Made over 4 withdarwals’ [sic]. The quote is apparently made by London-based ‘Davison’. I chose this section of text as it contains a significant string of words including:

• more than one sentence;
• punctuation;
• the start of a new sentence; and
• a typographical error.

The above criteria increase the chances of this being a unique string of text — by which I mean, I would not expect to see too many matches in OSINT-based research given the linguistic syntax AND typographical error. I would reasonably expect to see a few hits of the same quote from the same person, as it may be a phrase they have used in cut-and-paste style without realising their error. So let’s give this string of text a run for its money and see what it produces.

Breakdown of Google Search Results

A Google search conducted on 6 June 2020 for the whole string of text “it just keeps getting better. Made over 4 withdarwals” produced ‘about 39 results’ (quoting Google). Certainly more than I had anticipated. But even more interesting is the specific type of product this text string is linked to: Forex Trading / Binary Options, Crypto and Crypto Mining.

Google search engine results screenshots taken on 6 June 2020

Removing the Google filter for ‘not displaying similar results’, I actually get a total of about 88 hits.

Unfiltered Google results screenshot taken 6 June 2020

Here is a list of all relevant URLs captured during the exercise (with obvious duplicate results removed by myself) — all of which contain the exact same string of text chosen for this research. In some instances, I have added additional information where it was immediately available to me on the page viewed.

1. https://www.24mastersoptions.com/ Address: 3900 NW Blitchton Rd Ocala FL 34475
2. https://www.cryptoxpertz.com/
3. https://www.brynamics.xyz/mining/
4. https://alpsfx.com/ Belize Licenses IFSC/84/372/JS & IFSC/84/372/SPS
5. https://cointradeoption.com/
6. http://crypto-minefield.com/
7. https://www.en.360optionz.com/
8. https://24hourstrades.com/index.php
9. https://megacryptotrades.com/about
10. http://surefxcapital.com/
11. https://cryptofeed.xyz/coinexx-forex/
12. https://www.icotradeoptions.com/ Address: 3900 NW Blitchton Rd Ocala FL 34475
13. https://turnmining.com/contact-us/
14. https://alphacryptotrades.net/
15. https://bitcapitaloptions.com/
16. https://coindeskoption.com/ Belize licenses IFSC/60/345/TC & IFSC/60/315/AEM
17. https://www.solflexfx.com/
18. https://247hashrate.io/
19. http://www.exclusivetradeoptions.com/
20. https://cryptextradings.com/
21. https://iqbitoptions.com/
22. http://sway-group.org/
23. https://coinexx.net/index.php
24. https://pipoptions.trade/ Belize Licenses IFSC/84/372/JS & IFSC/84/372/SPS
25. https://crystaltradings.com/
26. https://www.globaltrade-ally.com/ Belize Licenses IFSC/84/372/JS & IFSC/84/372/SPS
27. https://www.maxcryptotrade.com/
28. https://www.binarysignalsandinvestment.com/
29. https://cryptoassetsltd.vip/account/register
30. https://optimatradings.com/
31. https://www.capitalfxoption24.com/
32. https://cryptoxoptions.com/
33. https://cryptonextrading.com/index.php
34. https://btcinvest.world/
35. https://windexcloudfx.com/
36. https://24optionsbins.com/
37. https://cryptooptionstradeon.com/
38. https://www.astroncoin.com/
39. http://profitwalletoption.com/
40. https://cryptbooster.com/
41. https://peakcapitaloption.com/ Address: S Indianapolis Ave Chicago, IL 60617
42. https://prudentialcapitaloption.com/ Address: S Indianapolis Ave Chicago, IL 60617
43. https://fxtradecryptocurrency.com/
44. https://cryptoworldoptions.com/ Address: S Indianapolis Ave Chicago, IL 60617
45. https://solflexfxinvest.online/
46. https://coinxoption.com/
47. https://dawinoption.com/
48. https://envestbitcoin.com/
49. https://fxbitcoininvestment.com/
50. https://netho.me/etorooption.com
51. https://astroncoin.com/
52. https://binafxoptions.com/
53. https://cryptoultimateiq.com/ Address: S Indianapolis Ave Chicago, IL 60617
54. http://www.ultimatecoininvestment.com/
55. https://stockfxlimited.com/
56. https://binatradeoption.online/ (Under maintenance)
57. https://www.coinetera.com/ (Suspended)
58. https://coinifymarket.com/
59. http://www.longsmartinvestment.com/
60. https://titan-options.com/ — Address: S Indianapolis Ave Chicago, IL 60617
61. https://creditsaptry.site/so-darn-easy-forex-trade-alert/forex-trading-world-master.php — Available in Google Cache view as url not working.
62. http://247bitoption.com/

All of the websites identified in the list above as displaying IFSC Belize regulated licenses provide details of different UK company registration numbers — all of which do not appear to match the nature of business in their listings on Companies House. I therefore suspect that the displayed UK company numbers are likely to be incorrect/falsified information.

A number of the reviewed web pages displayed an identical structure and information. The only exception being the changing of the name of the website. As an example, 5 identical web pages contained the contact address S Indianapolis Ave Chicago, IL 60617. These are listed above. The identical nature of these sites may have a legitimate reason — for example, the structure of the website may be sold to different clients by a single webmaster. However, the identical contact address and the same references including typos across the whole spectrum of the websites using them make this less likely.

In addition to the extra comments made against some entries in the list above, and given the large number of results, I have chosen to review a sample of 10 websites more closely. These are listed below.

24mastersoptions.com

Here we see the statement in full from ‘Kate Roberts’ in North Carolina.

Here is an additional statement by ‘Charles Goodman’.

cryptoxpertz.com

Here we see the same statement in full from ‘James Mbali’ (far right)

Note the statement on the left by ‘Victor Idan’ contains the exact phrase “This is the real definition of being top notch. I literally watched my account blossom into what it is today” as that used by ‘Charles Goodman’ on 24mastersoptions.com highlighted above. This means there are at least two separate but identical phrases in use under different names on both websites.

brynamics.xyz

Here we see the researched phrase in full from an unnamed male.

And here the other statement featuring the exact same phrase as that used by ‘Charles Goodman’ and ‘Victor Idan’ above. This time by an unnamed female.

24hourstrades.com

The two previously highlighted identical phrases and an additional one, which also features on other websites listed in this report.

24hashrate.io

At this halfway point, the picture is becoming clear that we are most likely dealing with ‘phony success stories’ — as described by the Financial Services Authority in St Vincent & The Grenadines. So as an additional spot-check, I decided to reverse search the face of the blonde female in the picture directly above.

It turns out she is quite a prolific testimonial writer and has different names — over one hundred matching images were found in this Google search.

Screenshot of a sample of Google Image reverse search results for the female with blonde hair (6 June 2020)

surefxcapital.com

This time it is Philip Michael. Just the one phony success story this time.

cryptofeed.xyz

No name or photograph but the text remains the same

turnmining.com

Interesting — a Bitcoin Wallet address!

Welcoming ‘Kimberly McNatt’ to the party!

According to Blockchain.com, the Bitcoin wallet ID 15FjZzSZS31QBVcQ4a9hSyVTu4TWfr2jPS displayed above has made two transactions — both on 4 June 2020. These two transactions include a credit of 0.00475835 BTC from wallet ID 3Mp3CxnFi55UzpNb5z2G7eZrCwJP7imBt9 at 05:57.

Six minutes later, at 06:03, the whole amount is then forwarded on to two separate wallets, with 0.00466525 BTC sent to wallet ID 3DFsd7ECbsPR2GTnw44GuYJDmUEpW1a9bU and 0.00008629 BTC sent to wallet ID 16pFogPDtH1ZyF4LN3a7dcGJSg5xBmjJUu .

And, not forgetting, we also see the same phony success story — this time from Kimberly MCNATT.

globaltrade-ally.com

Here we see Jhonatan Mejia using our phony success story phrase.

We also see two of the other phony phrases previously identified in this report. I also checked Jhonatan Mejia’s Facebook account, which made me wonder about its authenticity. I did a reverse search on his image (as displayed in the round picture at the top right of the screenshot above) and I got the identical photograph associated with a completely different name. There may be a legitimate reason for this, so I am not willing to make a judgement on this. I think it just needed bringing to attention.

iqbitoptions.com/

More names, more faces. Same old phony success story statements. But notice the backgrounds!

I couldn’t help but notice that all of the photos have a rock backdrop — it is as though they were all taken in the same location. Using Google reverse image search techniques, I found the four photographs (among others) on this GeeksEngine.com tutorial on ‘How to export Northwind Access database to MySQL’. Being concerned with potential privacy data breach issues, I identified that the Northwind Access database is a sample database provided with the Microsoft Office suite.

I guess you learn something new every day.

Conclusion

The research techniques used have uncovered a large number of websites engaging in similar activities — predominantly Forex / Binary Options / crypto / crypto mining activities. Many of these websites contain identical layouts and linguistic components (apart from a change in the displayed website name). Some share the same address details and some share the same Belize IFSC licence details.

I would recommend further research into the TLS licenses, as well as the names and images used for testimonies, as they may yield even more results. Also, the Bitcoin wallet address has identified other wallets which may form part of a wider transaction picture. Hopefully as a reader of this report, you will have developed your own taste for this type of research and may wish to add your own findings.

It is too easy to simply jump to conclusions and suggest that all of these websites may be fraudulent. There may be perfectly legitimate reasons for some of these similarities.I am therefore not saying that these websites are fraudulent. I am merely highlighting the fact that, given the evidence presented in this report, there may be an increased risk due to the presence of ‘phony success story’ testimonies.

I strongly believe that any potential end users of the services offered by these websites should be presented with the big picture, i.e. the frequency of such statements and the similarities across the different sites. If viewed in isolation, they could be interpreted as a unique sales pitch by the financial services on offer — which would simply not be the case given the multitude of websites claiming exactly the same success stories. Therefore, in accordance with the warnings issued by the Belize International Financial Services Commission (IFSC) and the Financial Services Authority in St Vincent & The Grenadines, I believe it is important to highlight to members of the public who transact business with any of these entities, that they should do so at their own risk”.

Stay safe.

© INTELPOOL