Or how to track down a fake ID site…
Nowadays a private investigator will rely to some degree on the Internet and IT in the course of his or her work. If the job had an entry exam this would be a compulsory subject.
My private eye character Moss Reid is no exception, and everything from basic web searches to more complicated computer forensics turn up in many of his cases.
Take one specific problem: my recent series of posts about fake documentation. You know the kind of thing: false passports, ID cards and so on. In the shady underworld of crime fiction it may be more dramatic to have a face-to-face encounter for this, down some dark alleyway or in a little backstreet workshop or grubby lockup. But in reality these transactions are more likely to take place online.
Now suppose your PI character needs to track down one of these online businesses. It’s a fairly routine task, surely, so what kind of practical steps would Moss Reid need to take? Or, strictly speaking, what would he get his long-suffering techie sidekick Maggie Dardis to do, and what kinds of online tools would she use?
For the following example let’s try to keep it real: I’ll use an actual domain name mentioned in yesterday’s blog post: IrishFakeID.com.
(Some techie people would find the following account boring or pedestrian – or they’d have much better tools and sites and techniques to use. Fine. But this is exactly the kind of plodding research that I do, and that Moss himself would probably have to do – as neither of us is a technology wizard.)
(Oh yeah: bear in mind, too, that it’s all just backgrounder stuff – the kind of basic research worth doing to find out what is and isn’t feasible and likely, but not worth bogging down the final story with all the
gory boring details.)
At first Moss and Maggie have little to go on. No emails from the site in question, so no email headers to check. All they have is a domain name. They’d start by asking questions such as:
- How long has the site been running?
- Whose name is it registered in?
- Can we find out more about this person?
- Do they have a physical address?
- Are there further business/company details?
- Is there a physical address for where the website is hosted?
- Does this operation run other associated websites too?
Domain name registration: whois
So our intrepid pair would start by looking up the domain name’s registration details. In techie terms this is called “whois”. Maggie’s preferred tool for this would probably be the “whois” tool of Network Solutions.
This reveals a few dates; for example, the Irishfakeid.com domain name appears to have been first registered on 30 April 2009.
We now also have a registration address. It’s in Paris, at 63-65 boulevard Massena, with a postal code. Somewhere that we could even look up on Google Maps and Streetview. And we have a registrant/admin name: one Felix Nasmyth.
By this stage they would probably be googling his name and this postal address. This turns up the registration details of several more sites:
These in turn can be checked, again using whois. A picture is building up, of a cluster of online businesses.
Then Moss and Maggie go down a side road, as you often do on the web. The Google name search also turns up several links to Budding Prospects, a 1984 novel by T. C. Boyle. Its protagonist happens to be called Felix Nasmyth, who plans to get rich by illegally growing marijuana.
Besides being a prolific fiction author, T.C. Boyle is a respectable professor in the English Department at the University of Southern California. Maybe someone has a sense of humour, or they’re a fan of Boyle’s fiction, or it’s simply a coincidence. But it’s a dead end.
So they go back to the registration address. This address has its limitations: it might not be the business or personal address of the person concerned. It might just be the address of the domain name provider. In this instance, it’s a French domain name provider called Gandi, which has thousands of clients.
Sometimes it’s possible to go to the domain name provider’s website and do a search for more specific business information that goes beyond the basic whois entry. With Gandi this wasn’t possible as far as I could see.
Scam warning websites
Gandi and the Paris address also turn up in a post at Scamwarners.com. But this is another dead end. The post is about a different crowd called the Department of Foreign Education Affairs China (dfeachina.com), who have been advertising teaching jobs in China:
AMAZING OPPORTUNITY TO TEACH ENGLISH IN CHINA – NO EXPERIENCE REQUIRED
Accepting applicants UK wide.
The Department of Foreign Education Affairs an education institute and government department based in China; we currently have 12 positions available teaching English in Downtown Shenzhen and Guangzhou as well as ongoing positions available throughout China.
Another useful resource for detecting fraudulent websites is the Fake Sites Database of Artists Against 419. It shows that this “Department of Foreign Education Affairs” is indeed wild dodgy, but that the domain name registrant is different, the website is now offline, and there don’t appear to be any mentions of the fake ID sites. Another dead end.
The server, the IP address
Sometimes, though, I guess that’s the nature of any online detection work – chasing red herrings and wrong forks in the road. It was time to concentrate on physical things that must be harder to fake or obfuscate: a physical address or two.
A website has to live on a physical machine, right? On a server. And the domain name, if it’s active, has to point to this particular server with an IP address so that the rest of the Internet can find it.
You don’t know what an IP address is? Pay attention at the back of the class while Wikipedia explains all:
An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g. computer, printer) participating in a computer network that uses the Internet Protocol for communication.
So it’s a string of numbers. A bit like the Internet’s equivalent of a postal code.
The server might be directly run by the business, and located in one of its offices. Or nowadays the machine (or a slice of space on a machine) is more likely to be rented – part of a server farm, an internet hosting company.
Still back in the fictional world of Moss Reid private eye, how would he – or rather Maggie Dardis – work this out? She would use several tools to find the IP address:
- ShowIP 2.4 is a handy add-on for the Firefox web browser (I’ve decided that despite the world dominance of Chrome, Maggie is a thoroughly Firefox person). In the browser’s status bar it displays the IP address of the web page you are currently viewing, plus further info such as IP and hostname
- Another two online tools are the websites WhoIsHostingThis.com and IPlocation.net
- Or maybe she’d try Geoiptool.com
Between these various tools we can grab the following information about IrishFakeID.com:
IP address: 188.8.131.52
Hosting provider: Simply Transit
Possible locations: either Maidenhead or Surrey
The hosting provider info is probably another cul de sac. But once you have this IP address, you can also use it to do a “reverse IP lookup” to see what other domains – if any – are hosted at the same address. This reverse lookup brings up Fakeiduk.com, again registered by Mr Nasmyth, again at the same address in Paris (i.e. Gandi).
Next, Maggie would probably use traceroute. Here’s how Wikipedia defines it:
In computing, traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network.
When your “client” software (e.g. a browser) seeks information such as the various components of a web page from the server that this website is sitting on, the packets of data don’t arrive directly. They are bounced from computer to computer along the Internet, from the server to the client. In other words, traceroute shows the route that these packets take as they bobble along the network in this pass-the-parcel fashion.
The tool works by identifying the IP addresses of each hop along the way to the final address. As a techie, Maggie would use traceroute in a command window – it’s hardcore stuff to us ordinary folk, including Moss Reid. As page 166 of Another Case in Cowtown puts it:
While mere mortals would scroll and click on icons and pull-down menus, Maggie was diving deep into the gobbledegook of data, typing strange commands in several windows. If this was computing it was from an era before the birth of Windows or the Apple Mac. It was speed typing in a primordial soup.
The Internet Archive
Then Moss or Maggie would remember that the site was registered way back in 2009. Did someone just say “way back”? Archive.org, the website of the Internet Archive, has a “Wayback Machine” which you can use to see what a website looked like in years gone by.
This search turned up several snapshots of the fake ID site over the years – it had been archived 24 times between June 2009 and May 2014. Maybe they’d been a bit more forthright with their business info in some of these earlier versions.
As it happens, nothing new turned up about the business itself; even so, the Wayback Machine can often be a useful tool for unpicking older and now dead pages of an evolving website.
The more obvious route
As it happens, I did find a postal address for Irishfakeid.com.
I put in an order for a fake ID card for a Mr Maurice Reid, knowing that they’d have to give an address for “Maurice” (i.e. me) to post his order and my cash for his false identity cards.
The website’s business address wasn’t in the Terms & Conditions page, but it was on the final page of the order form. It was also in the site’s privacy statement, which I couldn’t find on the site’s main navigation but which Google had somehow indexed at some time way back when. It was:
207 Regent Street
Sounds like a very exclusive, prestigious address, right? Wrong. Google the postcode and you’ll end up on a company formations website, and its “Regent Street mail address services section”. For a small annual fee, it offers the following address:
Your Company / Business Name
207 Regent Street
And a search by postcode in a business directory revealed dozens upon dozens of businesses at this very same third-floor address.
By this stage a private eye might switch from an online search to do a bit of social engineering to extract more information. Pop into the physical office with a registered letter to sign, perhaps, or phone the domain name provider or ISP, and so on.
It’s a bit more legwork, but a bit more dramatic than pecking away at a computer keyboard all day…