Original Research by Neal Rauhauser and Soychicka.
Special Prosecutor Robert Mueller has produced an indictment of thirteen employees of the Internet Research Agency.
President Trump initiated an immediate celebration that the investigation was over and that there was no collusion, since no Americans were indicted.
Then the indictment and plea bargain of California resident Ricky Pinedo became public. Operating a business that publicly offered ban evasion assistance for platforms like eBay and privately trafficked in stolen identities, Pinedo is a self-professed ‘ostrich’. It appears he knew he was breaking laws but never imagined he’d take on a client like IRA.
There will clearly be follow-on indictments given that Pinedo cooperated, but they have been set aside for the more important drama of the Rick Gates plea bargain and the imminent email hacking indictments.
Liberty Stratcom was still curious, however. So we processed both the IRA and Pinedo documents, looking for an opening which might lead to other Americans.
There is a pinhole on page 33 of the IRA indictment.
These are the fourteen email addresses used to create Paypal accounts used with the stolen identities Pinedo provided.
We applied a variety of methods to them but the only one that yielded useful information was RiskIQ. (They have provided Liberty STRATCOM with expanded access, but you should be able to follow this trail with a free community account.)
The email that matters, pinhole #1, is email@example.com.
This was used to register digitalfacelab.com, which was not resolvable when we started our research. It’s since turned up on a Chinese IP – perhaps someone noticed us poking around – or IRA is continuing its obstruction efforts.
The domain registration details as reported seem to be intentional concealment – the address listed is an empty lot and there are enough Jennifer Youngs in Des Moines to make sorting this out difficult at best.
This is supposed to be a dead end but, like the slip of using an email involved in the ID theft to register a domain, another breadcrumb was dropped.
The domain might not resolve, but if you Google “digitalfacelab.com” you’ll find your way to yourdigitalface.com…and look at what’s on the front page.
That’s an image, there is no way Google would pick up the text, but that’s another of the fourteen emails mentioned in the indictment – firstname.lastname@example.org. That’s pinhole #2.
The last U.S. Registration of YourDigitalFace.com was by New Hampshire resident Scott Orlosk.
Another thread to pull is the spartan-style.com domain.
The registration was to Ahmed Radwan Muhamed, who has a total of a dozen domains to his name. We examined each of them and americanink.us might just be pinhole #3.
The records near the bottom with VPS in the name are a clue – that’s a virtual private server at 18.104.22.168.
Instead of the sort of massive pools of names found with CDNs like Cloudflare or domain parking/hosting operations like GoDaddy, this is a dedicated computer with just ten domains on it.
Turning Maltego loose on the domains found on that VPS we find some current hosting.
Follow the LinkedIn company trail and we find Carroll Bernard, president of Waypoint America LLC and cofounder of Govology.com.
The VPS is running the cPanel shared hosting environment, so it could be argued that Ahmed and Carroll have no idea who each other are and just happen to be tenants on a new system InMotion Hosting recently installed. But such systems usually have hundreds of domains on them if they’re owned by a large hosting firm.
An inspection of the IP addresses from 22.214.171.124 through 126.96.36.199 revealed only a total of 98 DNS names in use among a dozen active addresses. None of this looks like large scale shared hosting; it’s small server rentals.
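The density check described above can be scripted over exported passive DNS rows. This is an added example, not code from the original research: the records are constructed on documentation address ranges, and the 100-name cut-off is an assumption standing in for "hundreds of domains".

```python
import ipaddress
from collections import defaultdict

# ASSUMPTION: cut-off for "hundreds of domains" on one address; tune per provider.
SHARED_HOSTING_MIN = 100

# Constructed (hostname, ip) rows on documentation ranges, not investigation data.
SAMPLE_RECORDS = (
    [(f"tenant{i}.example", "203.0.113.5") for i in range(250)]    # mass shared host
    + [(f"site{i}.example", "203.0.113.20") for i in range(10)]    # small rental
    + [("Site3.example.", "203.0.113.20")]    # same name, different spelling
    + [("lonely.example", "203.0.113.21"), ("far.example", "198.51.100.9")]
)

def names_per_ip(records, first, last):
    """Count distinct hostnames per address inside the inclusive range first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    seen = defaultdict(set)
    for host, ip in records:
        addr = ipaddress.ip_address(ip)
        if lo <= addr <= hi:
            # Normalise case and the trailing root dot so duplicates collapse.
            seen[addr].add(host.rstrip(".").lower())
    return {str(a): len(n) for a, n in sorted(seen.items())}

def summarize(records, first, last):
    """Report active addresses, total names, and which addresses look like small rentals."""
    counts = names_per_ip(records, first, last)
    return {
        "active_addresses": len(counts),
        "total_names": sum(counts.values()),
        "small_tenancy": [ip for ip, n in counts.items() if n < SHARED_HOSTING_MIN],
        "shared_hosting": [ip for ip, n in counts.items() if n >= SHARED_HOSTING_MIN],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS, "203.0.113.0", "203.0.113.255"))
    print(summarize(SAMPLE_RECORDS, "203.0.113.10", "203.0.113.30"))
```

Passive DNS only shows names a sensor has observed, so a low count is a lower bound on tenancy, not a census.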
Irina Viktorovna Kaverzina, one of the indicted Russians, told a family member on September 13th, 2017, that they had been caught in the act by the FBI, triggering an effort to obstruct any investigation. She further stated that she had successfully passed as an American in her online work.
Anything dated after that should be treated as possible dezinformatsiya, intentional junk meant to confuse any inquiry, and this is produced in such a volume as to crush the spirit of anyone trying to untangle it all. Even prior to that date this is an environment where the operators had a strong desire to avoid attribution. Everything in such situations should be treated as suspect and triple checked.
Are Scott Orlosk and Carroll Bernard similar to Ricky Pinedo, Americans who unwittingly helped put a Russian agent in the Oval Office? Or are they innocent bystanders who were left holding the bag by Kaverzina & Co?
Only time will tell, as the Mueller investigation is likely to focus on American ‘collaborators,’ having specifically cited a grass roots organisation in Texas as being of key interest.
This additionally ties back to our research around the domain DonaldTwump.com which appeared in 2015.
The first step was seeing which trackers were in use for the domain.
There are three: one from Facebook, one active Google Analytics ID that does much the same work as the one from Facebook, and a second Google Analytics ID seen only on the donaldtwump.com domain. We believe that Google Analytics IDs are numbered in serial fashion and that the more active UA-60901920 is much older than the single use UA-71585680.
BuiltWith offers some assistance in terms of temporal relationships between trackers.
And it’s clear that whoever is tracking the Trump organization’s domains has other “business interests.”
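The tracker pivot described above, sketched as an added example that is not the authors' tooling: it pulls Google Analytics account IDs out of page HTML, groups domains by shared ID, and separates reused IDs from single-use ones. The domains and HTML are constructed; only the two account numbers come from the article, and the age ordering rests on the article's stated belief that IDs are issued serially.

```python
import re
from collections import defaultdict

# Classic Universal Analytics IDs: UA-<account>-<property>. The property
# suffix is dropped so every property of one account groups together.
UA_RE = re.compile(r"\bUA-(\d{4,10})(?:-\d{1,4})?\b")

# Constructed pages on hypothetical domains; single.example mirrors a site
# carrying both the reused ID and the one-off ID quoted in the article.
SAMPLE_PAGES = {
    "site-a.example": "<script>ga('create', 'UA-60901920-1', 'auto');</script>",
    "site-b.example": "<script>ga('create','UA-60901920-7','auto');</script>",
    "site-c.example": "<script>_gaq.push(['_setAccount', 'UA-60901920-12']);</script>",
    "single.example": "<script>ga('create', 'UA-60901920-3');"
                      "ga('create', 'UA-71585680-1', 'auto', 'second');</script>",
    "clean.example": "<html><body>no analytics here</body></html>",
}

def extract_accounts(html):
    """Return the set of GA account IDs (property suffix stripped) in html."""
    return {f"UA-{m.group(1)}" for m in UA_RE.finditer(html)}

def pivot(pages):
    """Map each account ID to the sorted list of domains that embed it."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for account in extract_accounts(html):
            index[account].add(domain)
    return {acct: sorted(doms) for acct, doms in index.items()}

def classify(index):
    """Split accounts into shared (2+ domains) and single-use (1 domain)."""
    shared = {a: d for a, d in index.items() if len(d) > 1}
    single = {a: d[0] for a, d in index.items() if len(d) == 1}
    return shared, single

def order_by_account_number(accounts):
    """Sort IDs by account number. ASSUMPTION (the article's belief):
    numbers are assigned serially, so a lower number is an older account."""
    return sorted(accounts, key=lambda a: int(a.split("-")[1]))

if __name__ == "__main__":
    idx = pivot(SAMPLE_PAGES)
    print(classify(idx))
    print(order_by_account_number(idx))
```

A tracker ID travels with any copied page template, so a match is a lead to corroborate against registration and hosting history rather than proof of common ownership.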
When things are commingled like this it’s important to bring a lot of skepticism to any conclusions. We checked the backtrail on the donaldtwump.com domain. Proxy registration is in evidence today.
But that wasn’t always the case.
Keeping in mind that RiskIQ has passive inputs, we went to Whoxy for an active tracking of the domain and found the earliest available registration date.
It looks like Justin Barbour registered the domain on December 18th of 2015, then Whoxy got a batch update the next day. The associated @DonaldTwump2016 account first tweeted three days after that.
We examined the hosting history for the domain and got little out of that exercise. Sometimes one can find insight based on patterns seen there, but when the domain is hosted within GoDaddy, or behind a CDN like Cloudflare, there are thousands of unrelated domains in the pool of results.
Tugging on Barbour’s email, we found just eighteen domains in RiskIQ, and there isn’t any overlap with the Trump Organization – we know who handles Trump domains (not Barbour) and we know their normal methods (nothing like this).
Reading between the lines, it looks like Barbour registered a fun domain name, a matching Twitter account three days later, and when it took off he put on the single use Google Analytics.
The Trump Organization appears to have noticed this domain and purchased it.
The Trump organization has a broad, messy presence. There are a variety of political opposition research oriented domains that were proxy registered, but the reuse of the trackers means the targeted politicians are likely to know who is behind the work.
So, who is doing the tracking of these 414 domains?
The mix of names provides a geographic clue:
- Over forty have Texas or TX in the domain name
- Ten are connected to the Bank of San Antonio
- The Bank of Austin has a single domain
We know that Trump’s new campaign manager, Brad Parscale, was formerly based in San Antonio and he is certainly in the special prosecutor’s zone of interest.