VPN-enabled advance fee fraud
Nutshell version: a group of criminals who appear to be in Mexico have created an entire fake law firm and deal flow in the U.S., with Photoshopped notary seals and wire instructions. They reportedly use ExpressVPN -- the owner of the IP block used by the suspects states that it leased the IP block to ExpressVPN under a Letter of Authorization.

The suspects make money by causing victims to wire advance fees to Mexico as part of selling their timeshares, and possibly other transactions. My client has lost $70k or so thus far. He has received legit-looking documents, but upon even a cursory electronic inspection they are obvious forgeries. So this gang is savvy enough to steal money, but really reckless as well, which may explain why they are risking clicking on my links as well. I spoke with the lawyer who they are impersonating, and it was news to him that he is in New York City running a law firm considering that he retired in another state many years ago.

So the suspects are offshore and I'm not sure what I can do. But I would still rather have their IP addresses than nothing. Can I have a recommendation on the best way to pursue user data from VPN providers such as ExpressVPN? I already sent in a notice to preserve logs for the involved ASN, and I'm headed to Federal court in the next few days to see if I have a chance to get even some of the victim's money back -- or at least an injunction shutting down the suspects' online presence. Any tips on getting VPN user data (or best practices in this type of situation) would be greatly appreciated.

Best,
Andrew Watters

--
Andrew G. Watters
Rællic Systems
andrew@raellic.com
+1 (415) 261-8527
https://www.raellic.com
On 3/19/22 21:23, Andrew G. Watters wrote:
> Nutshell version: a group of criminals who appear to be in Mexico have created an entire fake law firm and deal flow in the U.S., with Photoshopped notary seals and wire instructions. They reportedly use ExpressVPN -- the owner of the IP block used by the suspects states that it leased the IP block to ExpressVPN under a Letter of Authorization.
>
> The suspects make money by causing victims to wire advance fees to Mexico as part of selling their timeshares, and possibly other transactions. My client has lost $70k or so thus far.

At $70K losses I'd recommend getting law enforcement involved rather than trying to solve this DIY. There are likely other victims.

--
Jay Hennigan - jay@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
ExpressVPN does NOT and WILL NEVER log:
- IP addresses (source or VPN)
- Browsing history
- Traffic destination or metadata
- DNS queries

We have carefully engineered our apps and VPN servers to categorically eliminate sensitive information. As a result, ExpressVPN can never be compelled to provide customer data that does not exist.

On Mon, Mar 21, 2022, 7:11 AM Andrew G. Watters <andrew@raellic.com> wrote:
> Nutshell version: a group of criminals who appear to be in Mexico have created an entire fake law firm and deal flow in the U.S., with Photoshopped notary seals and wire instructions. They reportedly use ExpressVPN -- the owner of the IP block used by the suspects states that it leased the IP block to ExpressVPN under a Letter of Authorization.
>
> The suspects make money by causing victims to wire advance fees to Mexico as part of selling their timeshares, and possibly other transactions. My client has lost $70k or so thus far. He has received legit-looking documents, but upon even a cursory electronic inspection they are obvious forgeries. So this gang is savvy enough to steal money, but really reckless as well, which may explain why they are risking clicking on my links as well. I spoke with the lawyer who they are impersonating, and it was news to him that he is in New York City running a law firm considering that he retired in another state many years ago.
>
> So the suspects are offshore and I'm not sure what I can do. But I would still rather have their IP addresses than nothing. Can I have a recommendation on the best way to pursue user data from VPN providers such as ExpressVPN? I already sent in a notice to preserve logs for the involved ASN, and I'm headed to Federal court in the next few days to see if I have a chance to get even some of the victim's money back -- or at least an injunction shutting down the suspects' online presence. Any tips on getting VPN user data (or best practices in this type of situation) would be greatly appreciated.
>
> Best,
> Andrew Watters
>
> --
> Andrew G. Watters
> Rællic Systems
> andrew@raellic.com
> +1 (415) 261-8527
> https://www.raellic.com
What if they're actively connected and you get a subpoena?

On Mon, Mar 21, 2022 at 1:30 PM TJ Trout <tj@pcguys.us> wrote:
> ExpressVPN does NOT and WILL NEVER log:
> - IP addresses (source or VPN)
> - Browsing history
> - Traffic destination or metadata
> - DNS queries
>
> We have carefully engineered our apps and VPN servers to categorically eliminate sensitive information. As a result, ExpressVPN can never be compelled to provide customer data that does not exist.
On Mon, Mar 21, 2022 at 10:33 AM TJ Trout <tj@pcguys.us> wrote:
> ExpressVPN does NOT and WILL NEVER log:
> - IP addresses (source or VPN)
> - Browsing history
> - Traffic destination or metadata
> - DNS queries
>
> We have carefully engineered our apps and VPN servers to categorically eliminate sensitive information. As a result, ExpressVPN can never be compelled to provide customer data that does not exist.

...until the NSL arrives.

Matthew Kaufman
On 3/21/22 11:30 AM, TJ Trout wrote:
> We have carefully engineered our apps and VPN servers to categorically eliminate sensitive information. As a result, ExpressVPN can never be compelled to provide customer data that does not exist.

I understand and appreciate your architecture. However, there seems to be one piece of information that you neglected / elided. What will ExpressVPN do regarding /established/ connections? I would expect that network flows / netstat / etc. could provide some information for current, established, and ongoing.

--
Grant. . . .
unix || die
On 3/21/22 11:00, Grant Taylor via NANOG wrote:
> What will ExpressVPN do regarding /established/ connections? I would expect that network flows / netstat / etc. could provide some information for current, established, and ongoing.

If their intent is not to have data available for analysis, and it sure sounds like it is, they aren't going to log flows or netstat. Data will be in RAM during the TCP session, then poof.

--
Jay Hennigan - jay@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV
On 3/21/22 12:56 PM, Jay Hennigan wrote:
> If their intent is not to have data available for analysis, and it sure sounds like it is, they aren't going to log flows or netstat. Data will be in RAM during the TCP session, then poof.

I largely agree regarding persistent storage. However, that doesn't preclude netstat / ss / tcpdump and the likes. There has to be /something/ correlating incoming and outgoing /active/ / /ongoing/ connections. I don't see anything speaking to that real-time data in their comments about architecture.

--
Grant. . . .
unix || die
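The point raised in the two messages above (data is in RAM while the session is up, and the kernel's connection tables necessarily correlate the tunnel side with the egress side) can be shown concretely. The script below is an added example written for this thread; it is not ExpressVPN's code and not code from anyone on the list. It assumes a WireGuard server that NATs a 10.8.0.0/24 tunnel range out of one egress address, and it parses constructed text in the format of `wg show` (peer endpoint and allowed IPs) and `conntrack -L` (live NAT entries) to join a client's public address to that client's active egress flows. A provider that keeps no persistent logs could still answer a question about /established/ sessions from exactly this state, and an investigator requesting preservation should ask for it by name.

```python
"""Correlate live VPN tunnel state with live NAT state on a VPN egress host.

Added example; not ExpressVPN code. Inputs are constructed to mimic the text
format of `wg show` (WireGuard) and `conntrack -L` (conntrack-tools). The host
is assumed to NAT tunnel addresses in 10.8.0.0/24 out of a single egress IP.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed `wg show wg0` output (RFC 5737 documentation addresses, dummy keys).
WG_SHOW_SAMPLE = """\
interface: wg0
  public key: SERVER_PUBKEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: PEER_A_PUBKEY_PLACEHOLDER=
  endpoint: 203.0.113.5:41641
  allowed ips: 10.8.0.2/32
  latest handshake: 1 minute, 3 seconds ago

peer: PEER_B_PUBKEY_PLACEHOLDER=
  endpoint: 198.51.100.77:60000
  allowed ips: 10.8.0.3/32
  latest handshake: 12 seconds ago
"""

# Constructed `conntrack -L` output: original direction (tunnel address -> destination),
# then the NATed reply direction. The last entry is the tunnel transport itself
# (client public IP -> server UDP 51820), which is not an egress flow.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=10.8.0.2 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=192.0.2.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=10.8.0.3 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=192.0.2.1 sport=53 dport=40000 mark=0 use=1
tcp      6 120 TIME_WAIT src=10.8.0.2 dst=192.0.2.20 sport=51300 dport=80 src=192.0.2.20 dst=192.0.2.1 sport=80 dport=51300 [ASSURED] mark=0 use=1
udp      17 170 src=203.0.113.5 dst=192.0.2.1 sport=41641 dport=51820 src=192.0.2.1 dst=203.0.113.5 sport=51820 dport=41641 [ASSURED] mark=0 use=1
"""

TUNNEL_PREFIX = "10.8.0."  # assumed tunnel address range on this host

# Matches the original-direction tuple at the start of a conntrack entry.
_CT_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    state: Optional[str]  # None for stateless protocols such as UDP
    src: str
    dst: str
    dport: int


def parse_wg_peers(text: str) -> Dict[str, str]:
    """Map each peer's tunnel address to the public endpoint it is currently
    speaking from. Peers with no endpoint (never connected) are skipped."""
    peers: Dict[str, str] = {}
    endpoint: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            endpoint = None  # new peer block; "endpoint:" precedes "allowed ips:"
        elif line.startswith("endpoint:"):
            # "host:port" -> host; rsplit keeps bracketed IPv6 literals intact
            endpoint = line.split(":", 1)[1].strip().rsplit(":", 1)[0]
        elif line.startswith("allowed ips:") and endpoint is not None:
            for cidr in line.split(":", 1)[1].split(","):
                peers[cidr.strip().split("/")[0]] = endpoint
    return peers


def parse_conntrack(text: str) -> List[Flow]:
    """Parse the original-direction tuple of every conntrack entry."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = _CT_RE.match(line)
        if m:
            flows.append(Flow(m["proto"], m["state"], m["src"], m["dst"], int(m["dport"])))
    return flows


def correlate(peers: Dict[str, str], flows: List[Flow], active_only: bool = True,
              tunnel_prefix: str = TUNNEL_PREFIX) -> List[Tuple[str, str, str, str, int]]:
    """Join egress flows to the client public IP that owns the tunnel address.
    With active_only, closing TCP states such as TIME_WAIT are skipped; UDP
    entries carry no state and count as active for as long as they exist."""
    rows: List[Tuple[str, str, str, str, int]] = []
    for f in flows:
        if not f.src.startswith(tunnel_prefix) or f.src not in peers:
            continue  # not tunnel-originated (e.g. the tunnel transport itself)
        if active_only and f.state not in (None, "ESTABLISHED"):
            continue
        rows.append((peers[f.src], f.src, f.proto, f.dst, f.dport))
    return rows


if __name__ == "__main__":
    for row in correlate(parse_wg_peers(WG_SHOW_SAMPLE), parse_conntrack(CONNTRACK_SAMPLE)):
        print("client %s (tunnel %s) -> %s %s:%d" % row)
```

On a real host the two inputs would come from running the commands rather than from embedded strings; the joining logic is the same. Note that the tunnel transport entry (client public IP to UDP 51820) is deliberately excluded, since it reveals only that a client is connected, while the joined rows reveal where that client's traffic is going right now.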
of course, jay is right (in the US, anyway). vpn providers often keep the (verified) email address and ip addresses used for service establishment. expressVPN takes bitcoin and what look to me like several other anonymous payment schemes, and there are always prepaid debit cards. following the money sometimes helps.

the more general problem is that, absent a govt regulator insisting that EVERYBODY do this (as in China) few service providers will want to do this voluntarily because it represents a cost to them which many of their competitors don't have. (registrars are another example of a service provider with this conundrum.)

On Mar 21, 2022, at 11:56 AM, Jay Hennigan <jay@west.net> wrote:
> On 3/21/22 11:00, Grant Taylor via NANOG wrote:
>> What will ExpressVPN do regarding /established/ connections? I would expect that network flows / netstat / etc. could provide some information for current, established, and ongoing.
>
> If their intent is not to have data available for analysis, and it sure sounds like it is, they aren't going to log flows or netstat. Data will be in RAM during the TCP session, then poof.
>
> --
> Jay Hennigan - jay@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV
participants (7)
- Andrew G. Watters
- Grant Taylor
- Jay Hennigan
- Josh Luthman
- Mark Seiden
- Matthew Kaufman
- TJ Trout