🕵️ OSINT Phishing Investigation: Case Study Report
Foreword
All names and contacts were replaced for privacy reasons, and screenshots of the methods are not included for the same reason. This is not a highly technical investigation; it was primarily a personal exercise in applying OSINT to a real-world scenario with actual relevance, rather than a home lab or experimentation with tools.
Brief
An employee, John Doe, was solicited on WhatsApp by someone impersonating the CEO of CompanyX, Mark Smith. The conversation progressed into a request for John Doe to speak with a company-unaffiliated lawyer, Edward Lam, and keep the conversation confidential. The employee became suspicious and escalated the matter to management for verification. The incident was subsequently reported in an email chain with attached pictures and references to the conversation.
Social Engineering Method
Spear Phishing
Target-specific WhatsApp solicitation (direct message) to John Doe’s number, posing as the CEO of CompanyX.
Threat actor prolonged the chat with dynamic responses and a consistent tone.
Impersonated "Mark Smith" (used his profile picture together with a phone number that was not his).
Scripted speech: Claimed a new acquisition was being worked on and requested John Doe’s assistance with strict confidentiality.
Attempted to have John Doe arrange a financial payment to a source after speaking with an individual (posing as a real lawyer named Edward Lam).
Conversation Timeline
Initial Contact: The attacker messaged John Doe on WhatsApp, claiming to be Mark Smith, and immediately began requesting John Doe's involvement in a fabricated financial transaction for CompanyX.
Engagement: The conversation included discussions about a supposed acquisition. The attacker encouraged John Doe to keep the information confidential.
Escalation: The attacker requested John Doe speak to a lawyer named Edward Lam to finalize financial arrangements.
Suspicion: John Doe found the conversation suspicious and escalated it to management.
Personalized and direct approach to increase trust.
Intelligence gathering to scope out individuals.
Use of buffer contacts to obscure the attacker’s identity.
Deliberate selection of targets aligned with acquisition/merger goals.
Possible Inspiration
CompanyX’s public acquisition history.
Legal FirmY’s blogs and articles discussing CompanyX (the only connection found between FirmY and CompanyX).
Shared breach information from previous data leaks.
The roles of John Doe and Jane Lam made them realistic candidates for involvement in mergers.
Names and Roles
Mark Smith (Impersonated): CEO whose identity was used by the attacker. Public information available, high profile.
John Doe (Victim): Manager for a specific regional business with financial oversight. The attacker had access to his WhatsApp number. Email compromised: johndoe@companyx.com.
Martha Carter (Unaffiliated): Background searches showed that the number used for "Mark Smith" belonged to this individual. Likely selected at random from leaked data. No other relevance to the case. Emails compromised: marthacarter@juno.com, mcarter@sbcglobal.net.
Edward Lam (Unaffiliated, Likely Used as a Disguise): Lawyer at Legal FirmY. Specializes in mergers and acquisitions. No known connection to CompanyX. Email publicly available: edward.lam@firmy.com.
Companies
CompanyX: Targeted organization.
Legal FirmY: Referenced law organization in the conversation.
Unnamed Fake Company: Alleged acquisition target, only referenced in the conversation.
Evidence and Findings
Sources included people search sites, Google queries, and relevant articles. Have I Been Pwned was used to check for possible email compromises.
John Doe, Edward Lam, and Martha Carter all had their emails compromised in the following breaches:
2019 (Feb): Verifications.io breach
2019 (Oct): Data Enrichment Exposure from PDL Customer
2021: LinkedIn Scraped Data
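To make the breach cross-check concrete, the following is an added example (not part of the original report) that takes per-address breach records in the shape of Have I Been Pwned's v3 breachedaccount response and derives the kind of findings listed above: which breaches every investigated address shares, and whose breaches leaked phone numbers. The records are constructed and embedded inline, modelled on the three breaches named here; the live API call (which requires an hibp-api-key) is left out so the example runs offline.

```python
from collections import Counter

def rec(name, date, *classes):
    """Build one breach record in the shape HIBP v3 returns (constructed)."""
    return {"Name": name, "BreachDate": date, "DataClasses": list(classes)}

# Constructed sample modelled on the three breaches named in the report;
# breach names, dates and data classes are illustrative, not copied from HIBP.
SAMPLE_RESULTS = {
    "johndoe@companyx.com": [
        rec("VerificationsIO", "2019-02-25", "Email addresses", "Names", "Phone numbers"),
        rec("PDL", "2019-10-16", "Email addresses", "Job titles", "Phone numbers"),
        rec("LinkedInScrapedData", "2021-04-08", "Email addresses", "Job titles"),
    ],
    "edward.lam@firmy.com": [
        rec("VerificationsIO", "2019-02-25", "Email addresses", "Names"),
        rec("PDL", "2019-10-16", "Email addresses", "Job titles", "Employers"),
        rec("LinkedInScrapedData", "2021-04-08", "Email addresses", "Job titles"),
    ],
    "marthacarter@juno.com": [
        rec("VerificationsIO", "2019-02-25", "Email addresses", "Phone numbers"),
        rec("PDL", "2019-10-16", "Email addresses", "Phone numbers"),
        rec("LinkedInScrapedData", "2021-04-08", "Email addresses"),
        rec("UnrelatedLeak", "2019-01-07", "Email addresses", "Passwords"),
    ],
}

def breaches_by_account(results):
    """Each address mapped to its breach names, oldest breach first."""
    return {email: [b["Name"] for b in sorted(hits, key=lambda b: b["BreachDate"])]
            for email, hits in results.items()}

def shared_breaches(results):
    """Breaches containing every investigated address: the overlap that points
    to a single leaked dataset linking the people in this case."""
    counts = Counter(b["Name"] for hits in results.values() for b in hits)
    return sorted(name for name, n in counts.items() if n == len(results))

def accounts_exposing(results, data_class):
    """Addresses whose breaches leaked a given data class, e.g. 'Phone numbers',
    which is one way a WhatsApp number can end up in an attacker's hands."""
    return sorted(email for email, hits in results.items()
                  if any(data_class in b["DataClasses"] for b in hits))

if __name__ == "__main__":
    for email, names in breaches_by_account(SAMPLE_RESULTS).items():
        print(f"{email}: {', '.join(names)}")
    print("shared by all:", shared_breaches(SAMPLE_RESULTS))
    print("phone numbers exposed:", accounts_exposing(SAMPLE_RESULTS, "Phone numbers"))
```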
Conclusion
The threat actors likely accessed leaked data to identify and target CompanyX. While the exact motivation remains unclear, the attackers demonstrated a working knowledge of CompanyX’s acquisition history and key personnel. Their tactics suggest deliberate use of public information and compromised credentials to craft a believable phishing attack. This case highlights the importance of safeguarding personal information and regularly monitoring data breach exposure. Organizations should maintain strong awareness of their public footprint and conduct tabletop exercises to strengthen resilience.
Potential Next Steps for Further Investigation
Analyze the attacker’s language and style for possible attribution, including links to known Advanced Persistent Threat (APT) groups.
Investigate additional breaches involving CompanyX employees to gather comprehensive intelligence.
Provide spear-phishing awareness training for employees, supplemented with practical exercises and case studies.