Uncovering a Real Nigerian Prince Scam with OSINT and a Little Help from My Friends

Do you remember those Nigerian prince scams where you’d get an email with a prince promising you millions of dollars if you just help him out with your bank account information?  Those were the good ol’ days where email dominated the internet. I was tagged in a tweet today by @callmetosyn asking me to help with a new type of scam.  This was a Binomo scam involving the impersonation of a Nigerian prince, the son of the Emir of Zazzau (Zamir). Of course, we didn’t know that at the time.  Tosyn reached out because the techniques he was using weren’t yielding the results he desired.  Through the effort of a few OSINT tricks of my own and a bit of crowdsourcing, we were able to confirm the identity of the individual in the photos which we concluded was not the person the account claimed to be. Here’s the story of how we came to that conclusion including the OSINT methodology I used along the way.

The Account

The account is on Instagram under the username “alhaji_sani_binomo_trade”. You can check it out here.  At the time of this writing it has 189 posts, 1,361 followers, and is following 7,459 accounts. It also has 13 Instagram stories all suggesting you DM the account holder for more information. Most of the photos are fake “proof” photos that suggest you will get paid some high sum of money for using this guy’s service.  They are a bit inconsistent.  Some suggest NGN payouts, others show Russian Roubles.  One photo even features Vietnamese on a computer screen. That’s the first red flag.

Reverse Image Search

If you scroll down to this account’s first photo, you’ll find a series of photos of a man in traditional African garb, except when he isn’t in it.  More on that later. The first photo is a picture of a man with his family in front of a tourist attraction of sorts.  Here’s what it looks like.

Screen Shot 2019-01-02 at 6.35.26 PM.png

Now, Tosyn tried to run the photo as is through Google Images to see if they could get a hit for an identity. The result is exactly what I thought it was when I first looked at it: “tourist attraction”.  Here’s where the first lesson in reverse image search comes into play.  You don’t have to JUST run faces through reverse image search.  There’s plenty of useful information available from the surroundings.  Let’s try this instead.

Screen Shot 2019-01-02 at 6.37.59 PM.png

Here we will isolate the background to figure out where the photo was taken. If we run this through reverse image search again, our result differs greatly. This time we get the Hagia Sophia in Istanbul, Turkey. After a quick study of the structure, we can confirm its accuracy.  Here’s what it looks like.


This was a useful OSINT tip I pulled during the investigation, but it wasn’t helpful in actually confirming the identity of the individual.  Because of the nature of the photo, we could infer that they were tourists and are not from Turkey.  Let’s move on to the next photo. Here’s the one that stuck out to me.

Screen Shot 2019-01-02 at 6.42.20 PM.png

I’m not familiar with Nigerian customs and courtesies, but it’s obvious that the individual on the right is wearing a special type of garb. So I figured if I could figure out who that person was, I could narrow down where the photo was taken.  I ran this image through Google Image Search and found an article confirming this was Senator Dino Melaye visiting the Emir of Zazzau in Zaria, Kaduna State, Nigeria. More useful information. But neither of these people is the individual in the Instagram photos.  But what about the guy on the floor? Using another image from the Instagram, I was able to make a good guess that the person in the Instagram photo was at this meeting. Here’s that image.

Screen Shot 2019-01-02 at 6.46.42 PM

At first I thought this was the person sitting on the floor, but after taking a closer look at the headgear the person in the photo is wearing, they are not the same.  However, take a close look at the carpet the individual from Instagram is leaning on.  It has the same color scheme as the original photo with the Emir.  I was more sure now that the individual was at that meeting.

Crowdsourcing

Tosyn also tagged a few others in the request for additional help.  One individual responded with the identity of the individual in the photos as Nasir Shehu Idris, son of the Emir of Zazzau.

Screen Shot 2019-01-02 at 6.51.35 PM

This explains why that person would be at the meeting. I wanted to verify that with my own evidence so I searched for “Nasir Shehu Idris” on Twitter and found a tweet linking back to Instagram. It took me to this Instagram page.

Screen Shot 2019-01-02 at 6.52.49 PM.png

A quick analysis of the person in the photo led me to the conclusion that the individual in the photos on the Binomo scam was Nasir Shehu Idris.  Tosyn was able to take this information, in combination with the information about the scam side of the report, to draw a conclusion and end the investigation.

Auxiliary Crowdsourcing

Another photo that was of interest to me during this investigation, before we discovered the false identity and the impersonation, was a photo that included a painting on the wall and the individual in question.  Here’s the photo.

Screen Shot 2019-01-02 at 7.00.09 PM.png

I found it interesting because the painting could potentially reveal location and this photo was posted much later than the original photos found at the beginning of the account and was in the middle of a bunch of fake “proof” photos.  I couldn’t identify the painting from looking at it and the technique I used to find the Hagia Sophia didn’t work.  I turned to my OSINT community for help.  Here’s how I asked it.

Screen Shot 2019-01-02 at 7.02.09 PM

I honestly wasn’t expecting a response at all, but we have a really good community in the OSINT world.  Within minutes I received a response from @guscarter with spot on information.

Screen Shot 2019-01-02 at 7.03.24 PM

I asked him how he was able to find this information so quickly and he said “Vaguely recognized it so Google searched ‘Pope painting’. Thought it was the original Velazquez until I noticed there was more leg/bottom in your original so just scrolled until I found it. Not particularly high tech but there you go!”  This goes to show you that being well read can sometimes give you back pocket information that may come in handy when you least expect it.  This information didn’t prove useful in this investigation, but it proved a valuable lesson in OSINT crowdsourcing.

I really enjoyed doing this mini-investigation with Tosyn.  I think collaboration like this is the future of OSINT.  There was even an instance where Dutch police reached out to the crowd for help in tracking down criminals.  Not only is this inclusive, it opens the opportunity to all who are interested, not just a select few.  Oh the wonders of the internet. Thanks for reading.  Make sure to subscribe by email to this blog, follow on Twitter, and subscribe to The OSINT Podcast!
